Lucene search
K

15 matches found

OSV
OSV
β€’added 2024/11/06 7:52 p.m.β€’12 views

GHSA-JJXQ-FF2G-95VH Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled

Description In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the isset method is now called after the security check. This is a BC break. Resolution The sandbox mode now ensures...

2.2CVSS3.4AI score0.00414EPSS
Exploits0References6
OSV
OSV
β€’added 2024/11/06 3:22 p.m.β€’9 views

GHSA-QQ5C-677P-737Q Symfony vulnerable to command execution hijack on Windows with Process class

Description On Windows, when an executable file named cmd.exe is located in the current working directory it will be called by the Process class when preparing command arguments, leading to possible hijacking. Resolution The Process class now uses the absolute path to cmd.exe. The patch for this...

8.6CVSS3.5AI score0.0043EPSS
Exploits0References7
Github Security Blog
Github Security Blog
β€’added 2024/11/06 3:22 p.m.β€’54 views

Symfony vulnerable to command execution hijack on Windows with Process class

Description On Windows, when an executable file named cmd.exe is located in the current working directory it will be called by the Process class when preparing command arguments, leading to possible hijacking. Resolution The Process class now uses the absolute path to cmd.exe. The patch for this...

9.8CVSS3.5AI score0.0043EPSS
Exploits0References7Affected Software2
OSV
OSV
β€’added 2024/11/06 3:16 p.m.β€’11 views

GHSA-9C3X-R3WP-MGXM Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient

Description When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. Resolution The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks. The fisrt patch for this issue is...

3.1CVSS3.7AI score0.00481EPSS
Exploits0References7
OSV
OSV
β€’added 2023/11/12 3:53 p.m.β€’19 views

GHSA-72X2-5C85-6WMR Symfony potential Cross-site Scripting in WebhookController

Description The error message in WebhookController returns unescaped user-submitted input. Resolution WebhookController now doesn't return any user-submitted input in its response. The patch for this issue is available here for branch 6.3. Credits We would like to thank Maxime Aknin for reporting...

6.1CVSS6AI score0.00568EPSS
Exploits0References6
Github Security Blog
Github Security Blog
β€’added 2023/11/12 3:53 p.m.β€’31 views

Symfony potential Cross-site Scripting in WebhookController

Description The error message in WebhookController returns unescaped user-submitted input. Resolution WebhookController now doesn't return any user-submitted input in its response. The patch for this issue is available here for branch 6.3. Credits We would like to thank Maxime Aknin for reporting...

6.1CVSS7AI score0.00568EPSS
Exploits0References6Affected Software2
Symfony
Symfony
β€’added 2023/11/10 12:0 a.m.β€’58 views

CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters

Affected versions Symfony versions =2.0.0,4.4.51, =5.0.0,5.4.31, and =6.0.0,6.3.8 of the Symfony Twig Bridge are affected by this security issue. The issue has been fixed in Symfony 4.4.51, 5.4.31, 6.3.8. All other versions are not maintained anymore. Description Some filters in the CodeExtension...

6.1CVSS6AI score0.00682EPSS
Exploits0
OSV
OSV
β€’added 2023/02/01 6:48 p.m.β€’32 views

GHSA-H7VF-5WRV-9FHV Symfony storing cookie headers in HttpCache

Description ----------- The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses including headers and returns them to clients. In a recent AbstractSessionListener change, the response might now contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this...

5.9CVSS6.7AI score0.00753EPSS
Exploits0References8
Symfony
Symfony
β€’added 2019/11/13 12:0 a.m.β€’21 views

CVE-2019-11325: Fix escaping of strings in VarExporter

Affected versions Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7 versions of the Symfony VarExporter component are affected by this security issue. The issue has been fixed in Symfony 4.2.12 and 4.3.8. Description Some strings were not properly escaped when being dumped by the VarExporter component...

9.8CVSS9.3AI score0.03354EPSS
Exploits0
Tenable Nessus
Tenable Nessus
β€’added 2019/04/29 12:0 a.m.β€’33 views

Fedora 28 : php-symfony (2019-3ee6a7adf2)

Version 2.8.50 2019-04-17 - security cve-2019-10910 DI Check service IDs are valid nicolas-grekas - security cve-2019-10909 FrameworkBundleForm Fix XSS issues in the form theme of the PHP templating engine stof - security cve-2019-10912 PHPUnit Bridge Prevent destructors with side-effects from...

9.8CVSS7.7AI score0.05491EPSS
Exploits1References2
Symfony
Symfony
β€’added 2019/04/17 12:0 a.m.β€’53 views

CVE-2019-10913: Reject invalid HTTP method overrides

Affected versions Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony HttpFoundation component are affected by this security issue. The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7. Note that no fixes ar...

9.8CVSS9.2AI score0.01854EPSS
Exploits0
Symfony
Symfony
β€’added 2019/04/17 12:0 a.m.β€’72 views

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

Affected versions Symfony 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony Cache component are affected by this security issue. The issue has been fixed in Symfony 2.8.50, 3.4.26, 4.1.12 and 4.2.7. Note that no fixes are provided for Symfony 3.0, 3.1,...

7.1CVSS6.8AI score0.02302EPSS
Exploits0
Symfony
Symfony
β€’added 2019/04/17 12:0 a.m.β€’65 views

CVE-2019-10910: Check service IDs are valid

Affected versions Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony Dependency Injection component are affected by this security issue. The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7. Note that no...

9.8CVSS9.7AI score0.05491EPSS
Exploits1
Symfony
Symfony
β€’added 2018/12/06 12:0 a.m.β€’61 views

CVE-2018-19789: Disclosure of uploaded files full path

Affected versions Symfony 2.7.0 to 2.7.49, 2.8.0 to 2.8.48, 3.0.0 to 3.4.19, 4.0.0 to 4.0.14, 4.1.0 to 4.1.8 and 4.2.0 versions of the Symfony Form component are affected by this security issue. The issue has been fixed in Symfony 2.7.50, 2.8.49, 3.4.20, 4.0.15, 4.1.9 and 4.2.1. Note that no fixe...

5.3CVSS6AI score0.03589EPSS
Exploits0
Symfony
Symfony
β€’added 2018/05/25 12:0 a.m.β€’64 views

CVE-2018-11386: Denial of service when using PDOSessionHandler

Affected versions Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony http-foundation component are affected by this security issue. The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also...

5.9CVSS6.6AI score0.01607EPSS
Exploits0
Rows per page
Query Builder