Search for packages
Package details: pkg:composer/symfony/security@2.4.0
purl pkg:composer/symfony/security@2.4.0
Next non-vulnerable version 2.6.12
Latest non-vulnerable version 5.3.12
Risk
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-3f55-bpmb-xbf5
Aliases:
CVE-2016-4423
GHSA-whgv-8cg3-7hcm
Symphony Denial of Service Via Overlong Usernames The attemptAuthentication function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.
2.7.13
Affected by 0 other vulnerabilities.
2.8.6
Affected by 0 other vulnerabilities.
3.0.6
Affected by 0 other vulnerabilities.
VCID-7d3h-pw7z-rkct
Aliases:
CVE-2016-1902
GHSA-jjx5-fq5g-8xpc
Symfony Cryptographic Vulnerability The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.
2.6.13
Affected by 0 other vulnerabilities.
2.7.9
Affected by 0 other vulnerabilities.
VCID-ap6u-129r-9kcg
Aliases:
CVE-2015-8124
GHSA-j5jh-hpr4-h332
Symfony Session Fixation Vulnerability A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.
2.6.12
Affected by 0 other vulnerabilities.
2.7.7
Affected by 0 other vulnerabilities.
VCID-m81q-5z8a-4khm
Aliases:
CVE-2015-8125
GHSA-g97c-jfx6-xvxh
Symfony Vulnerable to Timing Attack Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) `Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices` or (2) `Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener` class in the Symfony Security Component, or (3) legacy CSRF implementation from the `Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider` class in the Symfony Form component.
2.6.12
Affected by 0 other vulnerabilities.
2.7.7
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-01T18:10:13.228148+00:00 GitLab Importer Affected by VCID-3f55-bpmb-xbf5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2016-4423.yml 36.1.3
2025-07-01T18:10:13.167232+00:00 GitLab Importer Affected by VCID-7d3h-pw7z-rkct https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2016-1902.yml 36.1.3
2025-07-01T18:10:08.578751+00:00 GitLab Importer Affected by VCID-ap6u-129r-9kcg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2015-8124.yml 36.1.3
2025-07-01T18:10:08.499367+00:00 GitLab Importer Affected by VCID-m81q-5z8a-4khm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2015-8125.yml 36.1.3