VulnerableCode Package Details - pkg:composer/symfony/serializer@6.3.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-6ty5-u59k-pbhh Aliases: CVE-2023-46735 GHSA-72x2-5c85-6wmr	Symfony potential Cross-site Scripting in WebhookController ### Description The error message in WebhookController returns unescaped user-submitted input. ### Resolution WebhookController now doesn't return any user-submitted input in its response. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962) for branch 6.3. ### Credits We would like to thank Maxime Aknin for reporting the issue and to Nicolas Grekas for providing the fix.	6.3.8 Affected by 0 other vulnerabilities.
VCID-te8y-b96w-1fcj Aliases: CVE-2023-46733 GHSA-m2wj-r6g3-fxfx	Symfony possible session fixation vulnerability ### Description SessionStrategyListener does not always migrate the session after a successful login. It only migrate the session when the logged-in user identifier changes. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations. ### Resolution Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74) for branch 5.4. ### Credits We would like to thank Robert Meijers for reporting the issue and providing the fix.	6.3.8 Affected by 0 other vulnerabilities.
VCID-xv9e-a7qq-63a1 Aliases: CVE-2023-46734 GHSA-q847-2q57-wmr3	Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters ### Description Some Twig filters in CodeExtension use "is_safe=html" but don't actually ensure their input is safe. ### Resolution Symfony now escapes the output of the affected filters. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c) for branch 4.4. ### Credits We would like to thank Pierre Rudloff for reporting the issue and to Nicolas Grekas for providing the fix.	6.3.8 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-6ty5-u59k-pbhh
Aliases:
CVE-2023-46735
GHSA-72x2-5c85-6wmr

Symfony potential Cross-site Scripting in WebhookController ### Description The error message in WebhookController returns unescaped user-submitted input. ### Resolution WebhookController now doesn't return any user-submitted input in its response. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962) for branch 6.3. ### Credits We would like to thank Maxime Aknin for reporting the issue and to Nicolas Grekas for providing the fix.

6.3.8
Affected by 0 other vulnerabilities.

VCID-te8y-b96w-1fcj
Aliases:
CVE-2023-46733
GHSA-m2wj-r6g3-fxfx

Symfony possible session fixation vulnerability ### Description SessionStrategyListener does not always migrate the session after a successful login. It only migrate the session when the logged-in user identifier changes. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations. ### Resolution Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74) for branch 5.4. ### Credits We would like to thank Robert Meijers for reporting the issue and providing the fix.

6.3.8
Affected by 0 other vulnerabilities.

VCID-xv9e-a7qq-63a1
Aliases:
CVE-2023-46734
GHSA-q847-2q57-wmr3

Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters ### Description Some Twig filters in CodeExtension use "is_safe=html" but don't actually ensure their input is safe. ### Resolution Symfony now escapes the output of the affected filters. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c) for branch 4.4. ### Credits We would like to thank Pierre Rudloff for reporting the issue and to Nicolas Grekas for providing the fix.

6.3.8
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T18:53:04.184074+00:00	GitLab Importer	Affected by	VCID-te8y-b96w-1fcj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/serializer/CVE-2023-46733.yml	37.0.0
2025-07-03T18:53:03.820300+00:00	GitLab Importer	Affected by	VCID-xv9e-a7qq-63a1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/serializer/CVE-2023-46734.yml	37.0.0
2025-07-03T18:52:59.216331+00:00	GitLab Importer	Affected by	VCID-6ty5-u59k-pbhh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/serializer/CVE-2023-46735.yml	37.0.0