VulnerableCode Package Details - pkg:composer/symfony/security-http@2.4.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-ap6u-129r-9kcg Aliases: CVE-2015-8124 GHSA-j5jh-hpr4-h332	Symfony Session Fixation Vulnerability A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.	2.6.12 Affected by 0 other vulnerabilities. 2.7.7 Affected by 0 other vulnerabilities.
VCID-m81q-5z8a-4khm Aliases: CVE-2015-8125 GHSA-g97c-jfx6-xvxh	Symfony Vulnerable to Timing Attack Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) `Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices` or (2) `Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener` class in the Symfony Security Component, or (3) legacy CSRF implementation from the `Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider` class in the Symfony Form component.	2.6.12 Affected by 0 other vulnerabilities. 2.7.7 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-ap6u-129r-9kcg
Aliases:
CVE-2015-8124
GHSA-j5jh-hpr4-h332

Symfony Session Fixation Vulnerability A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.

2.6.12
Affected by 0 other vulnerabilities.

2.7.7
Affected by 0 other vulnerabilities.

VCID-m81q-5z8a-4khm
Aliases:
CVE-2015-8125
GHSA-g97c-jfx6-xvxh

Symfony Vulnerable to Timing Attack Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) `Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices` or (2) `Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener` class in the Symfony Security Component, or (3) legacy CSRF implementation from the `Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider` class in the Symfony Form component.

2.6.12
Affected by 0 other vulnerabilities.

2.7.7
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T18:10:08.473222+00:00	GitLab Importer	Affected by	VCID-ap6u-129r-9kcg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2015-8124.yml	36.1.3
2025-07-01T18:10:08.380051+00:00	GitLab Importer	Affected by	VCID-m81q-5z8a-4khm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2015-8125.yml	36.1.3

2025-07-01T18:10:08.473222+00:00

GitLab Importer

Affected by

VCID-ap6u-129r-9kcg

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2015-8124.yml

36.1.3

2025-07-01T18:10:08.380051+00:00

GitLab Importer

Affected by

VCID-m81q-5z8a-4khm

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2015-8125.yml

36.1.3

Next non-vulnerable version	2.6.12
Latest non-vulnerable version	7.1.8
Risk