Search for packages
| purl | pkg:composer/symfony/security@2.7.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7d3h-pw7z-rkct
Aliases: CVE-2016-1902 GHSA-jjx5-fq5g-8xpc |
Symfony Cryptographic Vulnerability The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. |
Affected by 0 other vulnerabilities. |
|
VCID-9x61-7xns-b7h1
Aliases: CVE-2019-10911 GHSA-cchx-mfrc-fwqr |
Improper authentication in Symfony In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ap6u-129r-9kcg
Aliases: CVE-2015-8124 GHSA-j5jh-hpr4-h332 |
Symfony Session Fixation Vulnerability A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases. |
Affected by 0 other vulnerabilities. |
|
VCID-ktnk-qrwf-t3dt
Aliases: CVE-2017-16652 GHSA-r7p7-qr7p-2rrf |
Symfony Open Redirect An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. `DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` takes the content of the `_target_path` parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-m81q-5z8a-4khm
Aliases: CVE-2015-8125 GHSA-g97c-jfx6-xvxh |
Symfony Vulnerable to Timing Attack Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) `Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices` or (2) `Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener` class in the Symfony Security Component, or (3) legacy CSRF implementation from the `Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider` class in the Symfony Form component. |
Affected by 0 other vulnerabilities. |
|
VCID-wdzq-fpju-2uf5
Aliases: CVE-2017-16653 GHSA-92x6-h2gr-8gxq |
Symfony CSRF Vulnerability An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||