Search for packages
| purl | pkg:composer/symfony/security@2.0.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1jny-ned3-cbgs
Aliases: CVE-2018-11385 GHSA-g4rg-rw65-8hfg |
Symfony Session Fixation Vulnerability An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-7gbe-9xtx-2bdr
Aliases: CVE-2013-5958 GHSA-cr49-fx2v-9p57 |
Symfony Denial of Service Via Long Password Hashing The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-9kvc-6wbe-1fdf
Aliases: CVE-2018-11406 GHSA-g4g7-q726-v5hg |
Symfony CSRF Token Fixation An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-tyxz-bxm5-puc2
Aliases: CVE-2012-6431 GHSA-83c3-qx27-2rwr |
Symfony Allows URI Restrictions Bypass Via Double-Encoded String On the Symfony 2.0.x version, there's a security issue that allows access to routes protected by a firewall even when the user is not logged in. Both the Routing component and the Security component uses the path returned by `getPathInfo()` to match a Request. The `getPathInfo()` returns a decoded path, but the Routing component (`Symfony\Component\Routing\Matcher\UrlMatcher`) decodes the path a second time; whereas the Security component, `Symfony\Component\HttpFoundation\RequestMatcher`, does not. This difference causes Symfony 2.0 to be vulnerable to double encoding attacks. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-03T17:27:21.050141+00:00 | GitLab Importer | Affected by | VCID-1jny-ned3-cbgs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2018-11385.yml | 37.0.0 |
| 2025-07-03T17:27:20.074611+00:00 | GitLab Importer | Affected by | VCID-9kvc-6wbe-1fdf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2018-11406.yml | 37.0.0 |
| 2025-07-03T17:13:08.350278+00:00 | GitLab Importer | Affected by | VCID-7gbe-9xtx-2bdr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2013-5958.yml | 37.0.0 |
| 2025-07-03T17:11:58.597028+00:00 | GitLab Importer | Affected by | VCID-tyxz-bxm5-puc2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2012-6431.yml | 37.0.0 |