76 matches found
CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature
Affected Versions Symfony 2.3.0 to 2.3.34, 2.6.0 to 2.6.11, and 2.7.0 to 2.7.6 versions of the Security component are affected by this security issue. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained...
CVE-2019-11325: Fix escaping of strings in VarExporter
Affected versions Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7 versions of the Symfony VarExporter component are affected by this security issue. The issue has been fixed in Symfony 4.2.12 and 4.3.8. Description Some strings were not properly escaped when being dumped by the VarExporter component...
Twig: Sandbox Information Disclosure
Affected versions Twig 1.0.0 to 1.37.1 and 2.0.0 to 2.6.2 are affected by this security issue. The issue has been fixed in Twig 1.38.0 and 2.7.0. Description This vulnerability affects the sandbox mode of Twig. If you are not using the sandbox, your code is not affected. Twig allows the evaluatio...
CVE-2017-11365: Empty passwords validation issue
Affected versions Symfony 2.7.30, 2.7.31, 2.8.23, 2.8.24, 3.2.10, 3.2.11, 3.3.3, and 3.3.4 versions of the Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 2.7.32, 2.8.25, 3.2.12, and 3.3.5. Description When fixing issue 23319 with 23341, we...
Security Release: Symfony 2.0.6
Symfony 2.0.6 has just been released. It addresses a security vulnerability in the EntityUserProvider as provided in the Doctrine bridge. If you let your users update their login/username from a form, and if you are using Doctrine as a user provider, then you are vulnerable and you should upgrade...
symfony 1.0.13 is out
symfony 1.0.13 has been released to fix an important bug in the tag helper. Strings were incorrectly escaped due to the change r7900 in the 1.0.12 release. The missing regression test has now been added and the bug is fixed. The 1.1 branch has also been updated. Here is the changelog: r8176: Fixes...
symfony 1.0.12 is (finally) out !
After two months and more than 30 tickets closed, 1.0.12 comes with spring. As it fixes an important security issue and Windows plugin problems, we strongly advise you to update your projects. Here is the changelog: r8019: sfWebRequest handles multi-dimensional file input fields backport...
Security Release: Symfony 2.0.11 released
Symfony 2.0.11 has just been released and it contains a security vulnerability fix for the Serializer Component. If you are using the Serializer component, you should upgrade as soon as possible. The security vulnerability has been reported this morning by Sense of Security: "The XMLEncoder...
symfony 1.1.4 released: Security fix
In accordance with our security policy, we are releasing today symfony 1.1.4 to fix a security issue that has been reported by a symfony user earlier today. This post contains the description of the vulnerability and the description of the changes we have made to fix it. The affected symfony...
Security Release: symfony 1.4.18 released
symfony 1.4.18 has just been released. Read the post carefully as this version fixes a security vulnerability. Dmitri Groutso contacted us a couple of days ago about a possible security issue in the session code: "The regenerate method as implemented by database backed session classes do not...
Security release: Symfony 2.0.22 and 2.1.7 released
Symfony 2.0.22 and Symfony 2.1.7 have just been released and they both contain security fixes for the YAML component (CVE-2013-1348 and CVE-2013-1397). CVE-2013-1348: Ability to enable/disable PHP parsing in Yaml::parse Affected versions All 2.0.X versions of the YAML component are affected by this...
symfony 1.0.5 released (security fix)
I've just released symfony 1.0.5. If you use the symfony built-in PHPMailer, which you do if you use the sendMail method in your actions, you must upgrade to this release or apply the following patch: http://trac.symfony-project.com/trac/changeset/4380?format=diff&new=4380. PHPMailer has a remote...
symfony 1.3.5 and 1.4.5
The symfony core team is happy to announce the immediate availability of symfony versions 1.3.5 and 1.4.5. Read on for the details. Security Fix A vulnerability was discovered in Doctrine and Propel form classes that allowed a user to update a record other than the one presented in the form. The...
symfony 1.2.6: Security fix
In accordance with our security policy, we are releasing today symfony 1.2.6 to fix a security issue that has been spotted by the symfony core team. This post contains the description of the vulnerability and the description of the changes we have made to fix it. The affected symfony versions are...
Security Release: Symfony 2.0.17 released
Symfony 2.0.17 has just been released. This release contains several security fixes related to the way XML is handled, and as such we recommend that everyone upgrade. These issues have been reported by Pádraic Brady from the Zend Framework team; I would like to thank him for the very detailed repo...
symfony 1.0.16 is out
symfony 1.0.16 is out and fixes an important security vulnerability. This is the shortest changelog one may find between two releases: a one-line file. r8922: fixed yml validator file can be overridden by a remote attacker 1617 The issue is described in ticket 1617. An attacker could bypass the validatio...
symfony 1.3.10 and 1.4.10: security releases
The core team would like to announce the immediate availability of symfony 1.3.10 and 1.4.10. These are security releases in response to Doctrine's security release over the weekend. We recommend everyone update immediately. From the Doctrine blog: Because of a SQL injection possibility we urge...
Security Release: symfony 1.3.6 and 1.4.6
New releases for symfony 1.3 and 1.4 have been packaged sooner than expected to address a security vulnerability reported yesterday. It is strongly recommended that all applications running symfony 1.3 and 1.4 upgrade to this latest release immediately. The Security Fix One of the enhancements...
symfony 1.3.2 and 1.4.2
We have just released the latest stable versions of symfony: 1.3.2 and 1.4.2. These releases include numerous bug fixes and one security fix. The bundled version of Propel has also been updated to version 1.4.1. We recommend all 1.3.x and 1.4.x projects upgrade to these latest releases immediatel...
CVE-2023-41336: symfony/ux-autocomplete Prevent injection of invalid entity ids for "autocomplete" fields
Affected Versions Version 2.11.1 of the symfony/ux-autocomplete package is affected by this security issue. Description Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. Affected applications are any that...
Security release: Symfony 2.0.19 and 2.1.4
I've just released Symfony 2.0.19 and 2.1.4. Both releases contain a security fix. Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp method when the trust proxy mode is enabled (Request::trustProxyData). An application is...
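The Request::getClientIp issue above is the classic trusted-proxy problem: once an application believes proxy headers, a client that can write X-Forwarded-For picks the IP the application sees. The following Python block is an added example written for this page, not Symfony's own getClientIp implementation. It contrasts a naive "trust the header" mode with one that consults the header only when the TCP peer is a configured trusted proxy and then walks the chain from the right, discarding hops that are themselves trusted proxies. All addresses, networks and header values are constructed for the demonstration, and the skip-malformed-hop behaviour is a design choice of this example.

```python
"""Client IP derivation behind reverse proxies.

Added example for this page, not Symfony's Request::getClientIp code.
Constructed addresses: 10.0.0.0/8 plays the proxy tier, 203.0.113.7 and
198.51.100.9 play external clients.
"""
import ipaddress
from typing import List, Optional


def parse_forwarded_for(header: str) -> List[str]:
    """Split X-Forwarded-For into hops, leftmost (original client) to rightmost (last proxy)."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """Vulnerable behaviour: with proxy trust enabled, believe the leftmost
    X-Forwarded-For entry. Any client can send that header, so it chooses the
    IP the application will see, e.g. to satisfy an IP-based allow list."""
    hops = parse_forwarded_for(xff) if xff else []
    return hops[0] if hops else remote_addr


def _as_ip(addr: str):
    """Parse an address, or return None for anything that is not a literal IP."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_trusted(ip, trusted_nets) -> bool:
    return any(ip in net for net in trusted_nets)


def client_ip_trusted_proxies(remote_addr: str, xff: Optional[str],
                              trusted_proxies: List[str]) -> str:
    """Hardened behaviour: only consult X-Forwarded-For when the TCP peer is a
    trusted proxy, then walk the chain from the right and drop every hop that
    is itself a trusted proxy. The first address that is not one of our
    proxies is the client; forged entries further left are never reached.
    Malformed entries are skipped (design choice of this example)."""
    trusted_nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = _as_ip(remote_addr)
    if not xff or peer is None or not _is_trusted(peer, trusted_nets):
        return remote_addr
    hops = [h for h in parse_forwarded_for(xff) if _as_ip(h) is not None]
    for hop in reversed(hops):
        if not _is_trusted(_as_ip(hop), trusted_nets):
            return hop
    # Every listed hop was a trusted proxy: the request originated inside the proxy tier.
    return hops[0] if hops else remote_addr


if __name__ == "__main__":
    forged = "127.0.0.1"  # attacker-supplied header value
    print(client_ip_naive("203.0.113.7", forged))                                # 127.0.0.1
    print(client_ip_trusted_proxies("203.0.113.7", forged, ["10.0.0.0/8"]))     # 203.0.113.7
    print(client_ip_trusted_proxies("10.0.0.2", "127.0.0.1, 198.51.100.9",
                                    ["10.0.0.0/8"]))                            # 198.51.100.9
```

The second and third calls show the two halves of the fix: a direct client cannot enable header parsing at all, and a client behind a real proxy cannot prepend a fake hop, because the walk stops at the first address the proxy tier did not write.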
Security Release: 1.2.12, 1.3.3 and 1.4.3
A SQL injection vulnerability in the Doctrine admin generator was reported earlier today which has been addressed in these 1.2.12, 1.3.3 and 1.4.3 security releases. This vulnerability was limited to the Doctrine admin generator and did not affect the Propel admin generator or any other aspect of...
CVE-2020-5275: All "access_control" rules are required when a firewall uses the unanimous strategy
Affected versions Symfony 4.4.0 to 4.4.6 and 5.0.0 to 5.0.6 versions of the Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 4.4.7 and 5.0.7. Description On Symfony before 4.4.0, when a Firewall checks an access control rule using the unanimo...
CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password
Affected versions Symfony 2.8.0 to 2.8.36, 3.3.0 to 3.3.16, 3.4.0 to 3.4.6, and 4.0.0 to 4.0.6 versions of the Symfony LDAP component are affected by this security issue. The issue has been fixed in Symfony 2.8.37, 3.3.17, 3.4.7, and 4.0.7. 4.1.0 has also been fixed before its final release. Note...
CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an empty password
Affected versions Symfony 2.8.0 to 2.8.5 and 3.0.0 to 3.0.5 versions of the Symfony Security component are affected by this security issue. The issue has been fixed in Symfony 2.8.6 and 3.0.6. Description The bind operation of LDAP, as described in RFC 4513, provides a method which allows for...
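Both LDAP advisories above (CVE-2016-2403 and CVE-2018-11407) hinge on the same RFC 4513 detail: a simple bind with a non-empty name and an empty password is the "unauthenticated" mechanism, and a server configured to accept it answers success while treating the session as anonymous. An application that equates "bind succeeded" with "password verified" then lets anyone in with an empty password. The Python block below is an added example for this page, not the Symfony LDAP component's code. It models the three simple-bind cases of RFC 4513 section 5.1 in a toy in-memory server so the failure mode runs offline, and shows the vulnerable check beside a hardened one. The directory contents, DNs and passwords are constructed.

```python
"""Simple bind semantics and the empty-password trap.

Added example for this page, not Symfony's LDAP component code.
ToyLdapServer stands in for a directory server; its users mapping is a
constructed DN -> password table (a real server would store hashes).
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class BindResult:
    success: bool
    authz_id: str  # identity the server associates with the session; "" means anonymous


class ToyLdapServer:
    """Minimal model of a directory server's simple bind handling."""

    def __init__(self, users: Dict[str, str], allow_unauthenticated: bool) -> None:
        self.users = users
        self.allow_unauthenticated = allow_unauthenticated  # the "misconfigured" knob

    def simple_bind(self, name: str, password: str) -> BindResult:
        if name == "" and password == "":
            # RFC 4513 5.1.1: anonymous bind.
            return BindResult(True, "")
        if name != "" and password == "":
            # RFC 4513 5.1.2: unauthenticated bind. Servers SHOULD reject this by
            # default (unwillingToPerform); one configured to accept it returns
            # success, but the session is still anonymous.
            if self.allow_unauthenticated:
                return BindResult(True, "")
            return BindResult(False, "")
        # RFC 4513 5.1.3: name/password authentication.
        if self.users.get(name) == password:
            return BindResult(True, name)
        return BindResult(False, "")


def login_vulnerable(server: ToyLdapServer, dn: str, password: str) -> bool:
    """Treats any successful bind as proof that the user knows the password."""
    return server.simple_bind(dn, password).success


def login_hardened(server: ToyLdapServer, dn: str, password: str) -> bool:
    """Refuse an empty password before touching the directory, and require the
    bound identity to be the one we asked for."""
    if password == "":
        return False
    result = server.simple_bind(dn, password)
    return result.success and result.authz_id == dn


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=org"  # constructed DN
    lenient = ToyLdapServer({alice: "correct horse"}, allow_unauthenticated=True)
    print(login_vulnerable(lenient, alice, ""))             # True: anyone logs in as alice
    print(login_hardened(lenient, alice, ""))               # False
    print(login_hardened(lenient, alice, "correct horse"))  # True
```

The first guard in login_hardened is the one that matters: it never sends an empty credential, so the server's configuration stops being the application's problem. The authz_id comparison is a second line of defence; against a real server the equivalent check is the "Who am I?" extended operation (RFC 4532), which reports the identity the server actually bound.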
CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service
Affected Versions Symfony 2.3.0 to 2.3.34, 2.6.0 to 2.6.11, and 2.7.0 to 2.7.6 versions of the Security component are affected by this security issue. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained...