VulnerableCode Package Details - pkg:composer/symfony/symfony@4.3.8

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-718a-9ndd-syex	Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).	CVE-2019-18888 GHSA-xhh6-956q-4q69
VCID-cejg-3hqv-kbfd	User enumeration leak using switch user functionality in Symfony An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.	CVE-2019-18886 GHSA-4vpc-5jx4-cfqg
VCID-qr3v-jkjd-qfb1	Symfony Unsafe Cache Serialization Could Enable RCE An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.	CVE-2019-18889 GHSA-79gr-58r3-pwm3
VCID-s3ep-tgah-aud1	Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability.	CVE-2019-18887 GHSA-q8hg-pf8v-cxrv
VCID-xckj-7eww-e3g4	Improper Input Validation in Symfony An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.	CVE-2019-11325 GHSA-w4rc-rx25-8m86

Vulnerability

Summary

Aliases

VCID-718a-9ndd-syex

Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

CVE-2019-18888
GHSA-xhh6-956q-4q69

VCID-cejg-3hqv-kbfd

User enumeration leak using switch user functionality in Symfony An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.

CVE-2019-18886
GHSA-4vpc-5jx4-cfqg

VCID-qr3v-jkjd-qfb1

Symfony Unsafe Cache Serialization Could Enable RCE An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.

CVE-2019-18889
GHSA-79gr-58r3-pwm3

VCID-s3ep-tgah-aud1

Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability.

CVE-2019-18887
GHSA-q8hg-pf8v-cxrv

VCID-xckj-7eww-e3g4

Improper Input Validation in Symfony An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.

CVE-2019-11325
GHSA-w4rc-rx25-8m86

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T14:31:32.384138+00:00	GHSA Importer	Fixing	VCID-s3ep-tgah-aud1	https://github.com/advisories/GHSA-q8hg-pf8v-cxrv	36.1.3
2025-07-01T14:30:03.738840+00:00	GHSA Importer	Fixing	VCID-xckj-7eww-e3g4	https://github.com/advisories/GHSA-w4rc-rx25-8m86	36.1.3
2025-07-01T14:29:59.050020+00:00	GHSA Importer	Fixing	VCID-cejg-3hqv-kbfd	https://github.com/advisories/GHSA-4vpc-5jx4-cfqg	36.1.3
2025-07-01T14:29:58.893999+00:00	GHSA Importer	Fixing	VCID-718a-9ndd-syex	https://github.com/advisories/GHSA-xhh6-956q-4q69	36.1.3
2025-07-01T14:29:58.691566+00:00	GHSA Importer	Fixing	VCID-qr3v-jkjd-qfb1	https://github.com/advisories/GHSA-79gr-58r3-pwm3	36.1.3
2025-07-01T12:24:49.996446+00:00	GithubOSV Importer	Fixing	VCID-s3ep-tgah-aud1	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-q8hg-pf8v-cxrv/GHSA-q8hg-pf8v-cxrv.json	36.1.3
2025-07-01T12:21:55.934764+00:00	GithubOSV Importer	Fixing	VCID-718a-9ndd-syex	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-xhh6-956q-4q69/GHSA-xhh6-956q-4q69.json	36.1.3
2025-07-01T12:21:54.469151+00:00	GithubOSV Importer	Fixing	VCID-qr3v-jkjd-qfb1	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-79gr-58r3-pwm3/GHSA-79gr-58r3-pwm3.json	36.1.3
2025-07-01T12:21:54.098888+00:00	GithubOSV Importer	Fixing	VCID-cejg-3hqv-kbfd	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-4vpc-5jx4-cfqg/GHSA-4vpc-5jx4-cfqg.json	36.1.3
2025-07-01T12:16:59.074053+00:00	GithubOSV Importer	Fixing	VCID-xckj-7eww-e3g4	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-w4rc-rx25-8m86/GHSA-w4rc-rx25-8m86.json	36.1.3