Symfony - Authentication Bypass
Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support is enabled, does not check if the controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid has...
Cross-site Request Forgery (CSRF)
Sensiolabs/connect is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to the absence of a state parameter in OAuth requests, which exposes applications to CSRF attacks during the OAuth authentication flow...
sensiolabs/connect has a Cross-Site Request Forgery Vulnerability
Versions of sensiolabs/connect prior to 4.2.3 are affected by a Cross-Site Request Forgery (CSRF) vulnerability due to the absence of the state parameter in OAuth requests. The lack of proper state parameter handling exposes applications to CSRF attacks during the OAuth authentication flow...
GHSA-6WQP-7G94-F69J sensiolabs/connect has a Cross-Site Request Forgery Vulnerability
Versions of sensiolabs/connect prior to 4.2.3 are affected by a Cross-Site Request Forgery (CSRF) vulnerability due to the absence of the state parameter in OAuth requests. The lack of proper state parameter handling exposes applications to CSRF attacks during the OAuth authentication flow...
Symfony 4.4.x < 4.4.7, 5.0.x < 5.0.7 Multiple Vulnerabilities
Symfony is prone to multiple vulnerabilities. Copyright (C) 2020 Greenbone Networks GmbH SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation;...
Symfony 3.4.0 <= 3.4.34, 4.2.0 <= 4.2.11 and 4.3.0 <= 4.3.7 RCE Vulnerability
Symfony is prone to a remote code execution (RCE) vulnerability. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...
Symfony 4.2.x < 4.2.12, 4.3.x < 4.3.8 Multiple Vulnerabilities
Symfony is prone to multiple vulnerabilities. Copyright (C) 2019 Greenbone Networks GmbH, https://www.greenbone.net SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the...
Symfony CVE-2019-18889 Multiple Remote Code Execution Vulnerabilities
Description Symfony is prone to multiple remote code-execution vulnerabilities. Successfully exploiting these issues may result in the execution of arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Symfony versio...
Symfony Authentication Bypass Vulnerability (Jul 2017)
Symfony is prone to an authentication bypass vulnerability. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:sensiolabs:symfony"; ...
Symfony 2.8.x < 2.8.50, 3.x < 3.4.26, 4.x < 4.1.12, 4.2.x < 4.2.7 File Deletion Vulnerability
This host runs Symfony and is prone to a file deletion vulnerability. Copyright (C) 2019 Greenbone Networks GmbH, https://www.greenbone.net SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public...
Sensiolabs Symfony 2.8.x < 2.8.37, 3.3.x < 3.3.17, 3.4.x < 3.4.7 and 4.0.x < 4.0.7 Authentication Bypass Vulnerability
This host runs Symfony and is prone to an authentication bypass vulnerability. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...
Symfony <= 2.7.37, 2.8.x <= 2.8.30, 3.x <= 3.2.13 and 3.3.x <= 3.3.12 Multiple Vulnerabilities
Symfony is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:sensiolabs:symfony"; if description...
Sensiolabs Symfony End of Life (EOL) Detection
Sensiolabs Symfony on the remote host has reached the End of Life (EOL) and should not be used anymore. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier:...
Sensiolabs Symfony <= 2.7.48, 2.8.* <= 2.8.43, 3.* <= 3.3.17, 3.4.* <= 3.4.13, 4.0.* <= 4.0.13 and 4.1.* <= 4.1.2 Multiple Vulnerabilities
This host runs Symfony and is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...
Sensiolabs Symfony Detection (Linux/Unix SSH Login)
SSH login-based detection of Sensiolabs Symfony. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...
Sensiolabs Symfony Detection (HTTP)
HTTP based detection of Sensiolabs Symfony. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...
Sensiolabs Symfony Detection Consolidation
Consolidation of Sensiolabs Symfony detections. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...
CVE-2018-12040
Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka a _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should...
CVE-2018-12040
CVE-2018-12040 reports a reflected XSS vulnerability in SensioLabs Symfony 3.3.6's Web Profiler, exploitable via the file parameter in _profiler/open?file=. The issue is documented across multiple feeds (NVD/OSV) and is described as a vulnerability in the web profiler that should not be deployed ...