VulnerableCode Package Details - pkg:composer/symfony/framework-bundle@6.0.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-tgmn-cwth-ukcu Aliases: CVE-2022-23601 GHSA-vvmr-8829-6whx	CSRF token missing in Symfony Description ----------- The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. Resolution ---------- Symfony restored the default configuration to enable the CSRF protection by default. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/f0ffb775febdf07e57117aabadac96fa37857f50) for branch 5.3. Credits ------- We would like to thank Catalin Dan and David Lochner for reporting the issue and Jérémy Derussé for fixing the issue.	6.0.4 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-tgmn-cwth-ukcu
Aliases:
CVE-2022-23601
GHSA-vvmr-8829-6whx

CSRF token missing in Symfony Description ----------- The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. Resolution ---------- Symfony restored the default configuration to enable the CSRF protection by default. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/f0ffb775febdf07e57117aabadac96fa37857f50) for branch 5.3. Credits ------- We would like to thank Catalin Dan and David Lochner for reporting the issue and Jérémy Derussé for fixing the issue.

6.0.4
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T18:09:57.791834+00:00	GitLab Importer	Affected by	VCID-tgmn-cwth-ukcu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/framework-bundle/CVE-2022-23601.yml	37.0.0
2025-07-01T18:12:30.275632+00:00	GitLab Importer	Affected by	VCID-tgmn-cwth-ukcu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/framework-bundle/CVE-2022-23601.yml	36.1.3
2025-07-01T14:31:03.485613+00:00	GHSA Importer	Affected by	VCID-tgmn-cwth-ukcu	https://github.com/advisories/GHSA-vvmr-8829-6whx	36.1.3
2025-07-01T12:24:15.591162+00:00	GithubOSV Importer	Affected by	VCID-tgmn-cwth-ukcu	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-vvmr-8829-6whx/GHSA-vvmr-8829-6whx.json	36.1.3