VulnerableCode Package Details - pkg:composer/symfony/security-http@2.7.38

Search for packages

Vulnerability	Summary	Fixed by
VCID-52b6-bavg-suf2 Aliases: CVE-2018-19790 GHSA-89r2-5g34-2g47	Symfony Open Redirect An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.	2.7.50 Affected by 0 other vulnerabilities. 2.8.49 Affected by 0 other vulnerabilities. 3.4.20 Affected by 0 other vulnerabilities. 4.0.15 Affected by 0 other vulnerabilities. 4.1.9 Affected by 0 other vulnerabilities. 4.2.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-52b6-bavg-suf2
Aliases:
CVE-2018-19790
GHSA-89r2-5g34-2g47

Symfony Open Redirect An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.

2.7.50
Affected by 0 other vulnerabilities.

2.8.49
Affected by 0 other vulnerabilities.

3.4.20
Affected by 0 other vulnerabilities.

4.0.15
Affected by 0 other vulnerabilities.

4.1.9
Affected by 0 other vulnerabilities.

4.2.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ktnk-qrwf-t3dt	Symfony Open Redirect An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. `DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` takes the content of the `_target_path` parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.	CVE-2017-16652 GHSA-r7p7-qr7p-2rrf

Vulnerability

Summary

Aliases

VCID-ktnk-qrwf-t3dt

Symfony Open Redirect An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. `DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` takes the content of the `_target_path` parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.

CVE-2017-16652
GHSA-r7p7-qr7p-2rrf

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T18:11:22.351316+00:00	GitLab Importer	Affected by	VCID-52b6-bavg-suf2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2018-19790.yml	36.1.3
2025-07-01T18:10:57.872312+00:00	GitLab Importer	Fixing	VCID-ktnk-qrwf-t3dt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2017-16652.yml	36.1.3
2025-07-01T12:29:57.515325+00:00	GithubOSV Importer	Fixing	VCID-ktnk-qrwf-t3dt	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r7p7-qr7p-2rrf/GHSA-r7p7-qr7p-2rrf.json	36.1.3