VulnerableCode Package Details - pkg:composer/symfony/security-http@5.4.44

Search for packages

Vulnerability	Summary	Fixed by
VCID-hm1q-8mjy-47ek Aliases: CVE-2024-36611 GHSA-7q22-x757-cmgc	Withdrawn Advisory: Symfony http-security has authentication bypass ## Withdrawn Advisory This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046. ## Original Description In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.	7.1.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-yx9b-d7ax-kyax Aliases: CVE-2024-51996 GHSA-cg23-qf8f-62rr	Symfony has an Authentication Bypass via RememberMe ### Description When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. ### Resolution The `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4. ### Credits We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.	5.4.47 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 6.4.15 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.1.8 Affected by 0 other vulnerabilities. 7.2.0-BETA1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-hm1q-8mjy-47ek
Aliases:
CVE-2024-36611
GHSA-7q22-x757-cmgc

Withdrawn Advisory: Symfony http-security has authentication bypass ## Withdrawn Advisory This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046. ## Original Description In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.

7.1.0
Affected by 1 other vulnerability.

VCID-yx9b-d7ax-kyax
Aliases:
CVE-2024-51996
GHSA-cg23-qf8f-62rr

Symfony has an Authentication Bypass via RememberMe ### Description When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. ### Resolution The `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4. ### Credits We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.

5.4.47
Affected by 1 other vulnerability.

6.4.15
Affected by 1 other vulnerability.

7.1.8
Affected by 0 other vulnerabilities.

7.2.0-BETA1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T19:16:32.219803+00:00	GitLab Importer	Affected by	VCID-hm1q-8mjy-47ek	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2024-36611.yml	37.0.0
2025-07-03T19:15:38.466216+00:00	GitLab Importer	Affected by	VCID-yx9b-d7ax-kyax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2024-51996.yml	37.0.0

2025-07-03T19:16:32.219803+00:00

GitLab Importer

Affected by

VCID-hm1q-8mjy-47ek

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2024-36611.yml

37.0.0

2025-07-03T19:15:38.466216+00:00

GitLab Importer

Affected by

VCID-yx9b-d7ax-kyax

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2024-51996.yml

37.0.0

Next non-vulnerable version	7.1.8
Latest non-vulnerable version	7.2.0-BETA1
Risk	4.0