purl | pkg:composer/symfony/security@2.4.0 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-3f55-bpmb-xbf5 (Aliases: CVE-2016-4423, GHSA-whgv-8cg3-7hcm) | Symfony Denial of Service Via Overlong Usernames. The `attemptAuthentication` function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. | Affected by 0 other vulnerabilities. |
VCID-7d3h-pw7z-rkct (Aliases: CVE-2016-1902, GHSA-jjx5-fq5g-8xpc) | Symfony Cryptographic Vulnerability. The `nextBytes` function in the `SecureRandom` class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the `paragonie/random_compat` library and the `openssl_random_pseudo_bytes` function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. | Affected by 0 other vulnerabilities. |
VCID-ap6u-129r-9kcg (Aliases: CVE-2015-8124, GHSA-j5jh-hpr4-h332) | Symfony Session Fixation Vulnerability. A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases. | Affected by 0 other vulnerabilities. |
VCID-m81q-5z8a-4khm (Aliases: CVE-2015-8125, GHSA-g97c-jfx6-xvxh) | Symfony Vulnerable to Timing Attack. Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) `Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices` or (2) `Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener` class in the Symfony Security Component, or (3) legacy CSRF implementation from the `Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider` class in the Symfony Form component. | Affected by 0 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. |
Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
---|---|---|---|---|---|
2025-07-01T18:10:13.228148+00:00 | GitLab Importer | Affected by | VCID-3f55-bpmb-xbf5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2016-4423.yml | 36.1.3 |
2025-07-01T18:10:13.167232+00:00 | GitLab Importer | Affected by | VCID-7d3h-pw7z-rkct | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2016-1902.yml | 36.1.3 |
2025-07-01T18:10:08.578751+00:00 | GitLab Importer | Affected by | VCID-ap6u-129r-9kcg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2015-8124.yml | 36.1.3 |
2025-07-01T18:10:08.499367+00:00 | GitLab Importer | Affected by | VCID-m81q-5z8a-4khm | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2015-8125.yml | 36.1.3 |