Symfony@4.1.0 Security Vulnerabilities and Issues — Symfony@4.1.0 CVE List

Lucene search

SensiolabsSymfony4.1.0

10 matches found

CVE•added 2019/05/16 10:29 p.m.•1283 views

CVE-2019-10910

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

9.8CVSS9.8AI score0.17606EPSS

CVE•added 2019/05/16 10:29 p.m.•519 views

CVE-2019-10913

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/htt...

9.8CVSS9.7AI score0.00257EPSS

CVE•added 2018/08/03 5:29 p.m.•374 views

CVE-2018-14773

An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the ...

6.5CVSS6.5AI score0.03169EPSS

CVE•added 2019/05/16 10:29 p.m.•194 views

CVE-2019-10912

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/ca...

7.1CVSS6.7AI score0.01157EPSS

CVE•added 2019/05/16 10:29 p.m.•170 views

CVE-2019-10909

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

5.4CVSS6.9AI score0.00516EPSS

CVE•added 2019/05/16 10:29 p.m.•113 views

CVE-2019-10911

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.

7.5CVSS8.2AI score0.00302EPSS

CVE•added 2021/11/24 7:15 p.m.•90 views

CVE-2021-41270

Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula i...

6.5CVSS6.5AI score0.00871EPSS

CVE•added 2018/12/18 10:29 p.m.•80 views

CVE-2018-19789

An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint string in a setter method (e.g. setName(string $name)) of a class that's the data_class of a form, and whe...

5.3CVSS5.9AI score0.00921EPSS

CVE•added 2018/12/18 10:29 p.m.•70 views

CVE-2018-19790

An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the _failure_path input field of login forms, an attacker can work around the redirection target restrictio...

6.1CVSS6.2AI score0.00474EPSS

CVE•added 2018/08/03 5:29 p.m.•59 views

CVE-2018-14774

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be...

7.2CVSS6.6AI score0.00153EPSS