16 matches found

Github Security Blog
added 2024/05/30 12:21 a.m., 22 views

Code injection in the way Symfony implements translation caching in FrameworkBundle

When investigating issue 11093, Jeremy Derussé found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle. - Your Symfony application is vulnerable if you meet the following conditions: - You are using the Symfony translation system from...

7.1 AI score
Exploits: 0, References: 5, Affected Software: 2

OSV
added 2024/05/30 12:21 a.m., 15 views

GHSA-WFV7-5X33-V22H Code injection in the way Symfony implements translation caching in FrameworkBundle

When investigating issue 11093, Jeremy Derussé found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle. - Your Symfony application is vulnerable if you meet the following conditions: - You are using the Symfony translation system from...

7.5 CVSS, 6.5 AI score
Exploits: 0, References: 4

Github Security Blog
added 2022/02/01 12:46 a.m., 33 views

CSRF token missing in Symfony

Description: The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the...

8.8 CVSS, 0.6 AI score, 0.00173 EPSS
Exploits: 0, References: 7, Affected Software: 1

CNNVD
added 2022/01/31 12:0 a.m., 2 views

Sensio Labs Symfony Cross-Site Request Forgery Vulnerability

Sensio Labs Symfony is a free PHP development framework based on the MVC architecture, from the French company Sensio Labs. The framework provides commonly used functional components and tools that can be used to quickly create complex web programs. A cross-site request forgery vulnerability exists in...

8.8 CVSS, 7.6 AI score, 0.00173 EPSS
Exploits: 0, References: 4

Tenable Nessus
added 2020/09/14 12:0 a.m., 47 views

Fedora 32 : php-symfony4 (2020-16eb328853)

Version 4.4.13 2020-09-02 - security CVE-2020-15094 Remove headers with internal meaning from HttpClient responses mpdude - bug 38024 Console Fix undefined index for inconsistent command name definition chalasr - bug 38023 DI fix inlining of non-shared services nicolas-grekas - bug 38020...

8.8 CVSS, 8 AI score, 0.02248 EPSS
Exploits: 0, References: 2

Tenable Nessus
added 2019/05/02 12:0 a.m., 33 views

Fedora 30 : php-symfony (2019-0ef4149687)

Version 2.8.50 2019-04-17 - security cve-2019-10910 DI Check service IDs are valid nicolas-grekas - security cve-2019-10909 FrameworkBundleForm Fix XSS issues in the form theme of the PHP templating engine stof - security cve-2019-10912 PHPUnit Bridge Prevent destructors with side-effects from...

9.8 CVSS, 7.7 AI score, 0.11901 EPSS
Exploits: 1, References: 2

Tenable Nessus
added 2019/05/02 12:0 a.m., 39 views

Fedora 30 : php-symfony4 (2019-f5d6a7ce74)

Version 4.2.7 2019-04-17 - bug 31107 Routing fix trailing slash redirection with non-greedy trailing vars nicolas-grekas - bug 31108 FrameworkBundle decorate the ValidatorBuilder's translator with LegacyTranslatorProxy nicolas-grekas - bug 31121 HttpKernel Fix get session when the request stack i...

9.8 CVSS, 7.7 AI score, 0.11901 EPSS
Exploits: 1, References: 2

Tenable Nessus
added 2019/04/29 12:0 a.m., 30 views

Fedora 29 : php-symfony (2019-f8db687840)

Version 2.8.50 2019-04-17 - security cve-2019-10910 DI Check service IDs are valid nicolas-grekas - security cve-2019-10909 FrameworkBundleForm Fix XSS issues in the form theme of the PHP templating engine stof - security cve-2019-10912 PHPUnit Bridge Prevent destructors with side-effects from...

9.8 CVSS, 7.7 AI score, 0.11901 EPSS
Exploits: 1, References: 2

Tenable Nessus
added 2019/04/29 12:0 a.m., 32 views

Fedora 28 : php-symfony (2019-3ee6a7adf2)

Version 2.8.50 2019-04-17 - security cve-2019-10910 DI Check service IDs are valid nicolas-grekas - security cve-2019-10909 FrameworkBundleForm Fix XSS issues in the form theme of the PHP templating engine stof - security cve-2019-10912 PHPUnit Bridge Prevent destructors with side-effects from...

9.8 CVSS, 7.7 AI score, 0.11901 EPSS
Exploits: 1, References: 2

Tenable Nessus
added 2018/08/15 12:0 a.m., 33 views

Fedora 27 : php-symfony4 (2018-7f43cbdb69)

4.0.14 2018-08-01 - security cve-2018-14774 HttpKernel fix trusted headers management in HttpCache and InlineFragmentRenderer nicolas-grekas - security cve-2018-14773 HttpFoundation Remove support for legacy and risky HTTP headers nicolas-grekas - bug 28003 HttpKernel Fixes invalid REMOTEADDR in...

7.2 CVSS, 7.3 AI score, 0.16652 EPSS
Exploits: 0, References: 2

Tenable Nessus
added 2016/07/14 12:0 a.m., 13 views

Fedora 23 : php-symfony (2016-f36247d441)

Version 2.7.13 2016-05-09 - security 18733 limited the maximum length of a submitted username fabpot - bug 18730 FrameworkBundle prevent calling get for servicecontainer service xabbuh - bug 18709 DependencyInjection top-level anonymous services must be public xabbuh - bug 18692 add Event...

5.5 AI score
Exploits: 0, References: 1

Tenable Nessus
added 2016/07/14 12:0 a.m., 16 views

Fedora 24 : php-symfony (2016-224edc14dd)

Version 2.7.13 2016-05-09 - security 18733 limited the maximum length of a submitted username fabpot - bug 18730 FrameworkBundle prevent calling get for servicecontainer service xabbuh - bug 18709 DependencyInjection top-level anonymous services must be public xabbuh - bug 18692 add Event...

5.5 AI score
Exploits: 0, References: 1

Tenable Nessus
added 2016/07/14 12:0 a.m., 10 views

Fedora 22 : php-symfony (2016-4ad874e6c2)

Version 2.7.13 2016-05-09 - security 18733 limited the maximum length of a submitted username fabpot - bug 18730 FrameworkBundle prevent calling get for servicecontainer service xabbuh - bug 18709 DependencyInjection top-level anonymous services must be public xabbuh - bug 18692 add Event...

5.5 AI score
Exploits: 0, References: 1

Tenable Nessus
added 2014/09/23 12:0 a.m., 30 views

Fedora 21 : php-symfony-2.5.4-1.fc21 (2014-10239)

2.5.4 2014-09-03 - security 11832 CVE-2014-6072 fabpot - security 11831 CVE-2014-5245 stof - security 11830 CVE-2014-4931 aitboudad, Jeremy Derusse - security 11829 CVE-2014-6061 damz, fabpot - security 11828 CVE-2014-5244 nicolas-grekas, larowlan - bug 10197 FrameworkBundle PhpExtractor bugfix a...

5.4 AI score
Exploits: 0, References: 2

Friends Of PHP
added 2014/07/25 10:18 p.m., 23 views

Code injection in the way Symfony implements translation caching in FrameworkBundle

More info at https://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released...

7.2 AI score
Exploits: 0, Affected Software: 1

Symfony
added 2014/07/15 12:0 a.m., 66 views

Security releases (CVE-2014-4931): Symfony 2.3.18, 2.4.8, and 2.5.2 released

Symfony 2.3.18, 2.4.8, and 2.5.2 have just been released; they contain a security fix for the Translator class provided by FrameworkBundle CVE-2014-4931. Note The Symfony versions released today also contain a server-side mitigation for a JSONP vulnerability as described in CVE-2014-4671. You can...

4.3 CVSS, 6.3 AI score, 0.35827 EPSS
Exploits: 4