Symfony Security Vulnerabilities and Issues — Symfony CVE List

Lucene search

SensiolabsSymfony

9 matches found

CVE•added 2018/06/13 4:29 p.m.•281 views

CVE-2018-11386

An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted ...

5.9CVSS6.2AI score0.01086EPSS

CVE•added 2019/05/16 10:29 p.m.•165 views

CVE-2019-10909

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

5.4CVSS6.9AI score0.00752EPSS

CVE•added 2021/05/13 4:15 p.m.•103 views

CVE-2021-21424

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We...

5.3CVSS5.5AI score0.00207EPSS

CVE•added 2020/03/30 8:15 p.m.•99 views

CVE-2020-5274

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the ErrorHandler rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the st...

5.5CVSS4.7AI score0.00267EPSS

CVE•added 2019/11/21 6:15 p.m.•84 views

CVE-2019-18886

An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.

5.3CVSS5.2AI score0.01546EPSS

CVE•added 2018/12/18 10:29 p.m.•78 views

CVE-2018-19789

An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint string in a setter method (e.g. setName(string $name)) of a class that's the data_class of a form, and whe...

5.3CVSS5.9AI score0.00921EPSS

CVE•added 2018/08/06 9:29 p.m.•77 views

CVE-2017-16653

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used...

5.9CVSS5.8AI score0.00343EPSS

CVE•added 2014/12/27 6:59 p.m.•49 views

CVE-2013-5958

The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a s...

5CVSS6.6AI score0.00474EPSS

CVE•added 2012/12/18 1:55 a.m.•45 views

CVE-2012-5574

lib/form/sfForm.class.php in Symfony CMS before 1.4.20 allows remote attackers to read arbitrary files via a crafted upload request.

5CVSS6.4AI score0.0055EPSS