Search for packages
Package details: pkg:composer/symfony/security-http@5.3.11
purl pkg:composer/symfony/security-http@5.3.11
Next non-vulnerable version 7.1.8
Latest non-vulnerable version 7.2.0-BETA1
Risk 4.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-hm1q-8mjy-47ek
Aliases:
CVE-2024-36611
GHSA-7q22-x757-cmgc
Withdrawn Advisory: Symfony http-security has authentication bypass ## Withdrawn Advisory This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046. ## Original Description In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.
7.1.0
Affected by 1 other vulnerability.
VCID-q9nm-2b34-yked
Aliases:
CVE-2021-41267
GHSA-q3j3-w37x-hq2q
Webcache Poisoning in symfony/http-kernel Description ----------- When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the `X-Forwarded-*` HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfony 5.2, we've added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` HTTP header, leading to a web cache poisoning issue. Resolution ---------- Symfony now ensures that the `X-Forwarded-Prefix` HTTP header is not forwarded to sub-requests when it is not trusted. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487) for branch 5.3. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.
5.4.0-BETA1
Affected by 3 other vulnerabilities.
5.4.0
Affected by 3 other vulnerabilities.
VCID-wuph-bc4e-8ba3
Aliases:
CVE-2021-41268
GHSA-qw36-p97w-vcqr
Cookie persistence after password changes in symfony/security-bundle Description ----------- Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Resolution ---------- Symfony now makes the password part of the signature by default. In that way, when the password changes then the cookie is not valid anymore. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc) for branch 5.3. Credits ------- We would like to thank Thibaut Decherit for reporting the issue and Wouter J for fixing the issue.
5.4.0-BETA1
Affected by 3 other vulnerabilities.
5.4.0
Affected by 3 other vulnerabilities.
VCID-xv9e-a7qq-63a1
Aliases:
CVE-2023-46734
GHSA-q847-2q57-wmr3
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters ### Description Some Twig filters in CodeExtension use "is_safe=html" but don't actually ensure their input is safe. ### Resolution Symfony now escapes the output of the affected filters. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c) for branch 4.4. ### Credits We would like to thank Pierre Rudloff for reporting the issue and to Nicolas Grekas for providing the fix.
5.4.31
Affected by 2 other vulnerabilities.
6.3.8
Affected by 2 other vulnerabilities.
VCID-yx9b-d7ax-kyax
Aliases:
CVE-2024-51996
GHSA-cg23-qf8f-62rr
Symfony has an Authentication Bypass via RememberMe ### Description When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. ### Resolution The `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4. ### Credits We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.
5.4.47
Affected by 1 other vulnerability.
6.4.15
Affected by 1 other vulnerability.
7.1.8
Affected by 0 other vulnerabilities.
7.2.0-BETA1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T19:16:32.130839+00:00 GitLab Importer Affected by VCID-hm1q-8mjy-47ek https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2024-36611.yml 37.0.0
2025-07-03T19:15:38.377189+00:00 GitLab Importer Affected by VCID-yx9b-d7ax-kyax https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2024-51996.yml 37.0.0
2025-07-03T18:53:05.676527+00:00 GitLab Importer Affected by VCID-xv9e-a7qq-63a1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2023-46734.yml 37.0.0
2025-07-03T18:07:18.306166+00:00 GitLab Importer Affected by VCID-wuph-bc4e-8ba3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-41268.yml 37.0.0
2025-07-03T18:07:16.469514+00:00 GitLab Importer Affected by VCID-q9nm-2b34-yked https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-41267.yml 37.0.0