symfony/symfony Security Advisories (63)
[MEDIUM] CVE-2023-46735: Potential XSS in WebhookController
PKSA-5sj7-3knj-mp52 CVE-2023-46735 GHSA-72x2-5c85-6wmr
Affected version: >=6.3.0,<6.3.8
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters
PKSA-y38q-cfj7-gm5p CVE-2023-46734 GHSA-q847-2q57-wmr3
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.51|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2023-46733: Potential XSS in WebhookController
PKSA-ctzb-t2qg-1z4x CVE-2023-46733 GHSA-m2wj-r6g3-fxfx
Affected version: >=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2022-24895: Possible CSRF token fixation
PKSA-53qn-v9cx-yn6c CVE-2022-24895 GHSA-3gv2-29qc-v67m
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.50|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.20|>=6.0.0,<6.0.20|>=6.1.0,<6.1.12|>=6.2.0,<6.2.6
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2022-24894: Prevent storing cookie headers in HttpCache
PKSA-x3kp-hpzz-4th3 CVE-2022-24894 GHSA-h7vf-5wrv-9fhv
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.50|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.20|>=6.0.0,<6.0.20|>=6.1.0,<6.1.12|>=6.2.0,<6.2.6
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] Symfony Host Header Injection
PKSA-6jwc-s2ck-4fyz CVE-2018-14774 GHSA-66p6-7p29-55p9
Affected version: >=4.1.0,<=4.1.2|>=4.0.0,<=4.0.13|>=3.4.0,<=3.4.13|>=3.3.0,<=3.3.17|>=2.8.0,<=2.8.43|>=2.7.0,<=2.7.48
Reported by: GitHub
[HIGH] CVE-2022-23601: CSRF token missing in forms
PKSA-hs3m-xyq3-pnj7 CVE-2022-23601 GHSA-vvmr-8829-6whx
Affected version: >=5.3.14,<5.3.15|>=5.4.3,<5.4.4|>=6.0.3,<6.0.4
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2021-41270: Prevent CSV Injection via formulas
PKSA-t1qj-5z4b-g31v CVE-2021-41270 GHSA-2xhg-w2g5-w95x
Affected version: >=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.35|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.3.12
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2021-41268: Remember me cookie persistence after password changes
PKSA-wchw-45cr-1ddn CVE-2021-41268 GHSA-qw36-p97w-vcqr
Affected version: >=5.3.0,<5.3.12
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request
PKSA-2dmf-r1fg-t642 CVE-2021-41267 GHSA-q3j3-w37x-hq2q
Affected version: >=5.2.0,<5.3.0|>=5.3.0,<5.3.12
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2021-32693: Authentication granted to all firewalls instead of just one
PKSA-z8x3-bp9m-qp6s CVE-2021-32693 GHSA-rfcf-m67m-jcrq
Affected version: >=5.3.0,<5.3.2
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms
PKSA-hq66-h9fz-xgjz CVE-2021-21424 GHSA-5pv8-ppvj-4h68
Affected version: >=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.49|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.24|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.2.9
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2020-15094: Prevent RCE when calling untrusted remote with CachingHttpClient
PKSA-6pwr-137g-8814 CVE-2020-15094 GHSA-754h-5r27-7x3r
Affected version: >=4.3.0,<4.4.0|>=4.4.0,<4.4.13|>=5.0.0,<5.1.0|>=5.1.0,<5.1.5
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2020-5275: All rules set in "access_control" are required when the firewall is configured with the unanimous strategy
PKSA-wq3f-5n85-pkzw CVE-2020-5275 GHSA-g4m9-5hpf-hx72
Affected version: >=4.4.0,<4.4.7|>=5.0.0,<5.0.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2020-5274: Fix Exception message escaping rendered by ErrorHandler
PKSA-jb88-5twc-8n28 CVE-2020-5274 GHSA-m884-279h-32v2
Affected version: >=4.4.0,<4.4.4|>=5.0.0,<5.0.4
Reported by: GitHub, FriendsOfPHP/security-advisories
[LOW] CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header
PKSA-5vcz-b73r-4b7v CVE-2020-5255 GHSA-mcx4-f5f5-4859
Affected version: >=4.4.0,<4.4.7|>=5.0.0,<5.0.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[CRITICAL] CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances
PKSA-466j-t9tp-6p9g CVE-2019-18889 GHSA-79gr-58r3-pwm3
Affected version: >=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.35|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.2.12|>=4.3.0,<4.3.8
Reported by: GitHub, FriendsOfPHP/security-advisories
[CRITICAL] CVE-2019-11325: Fix escaping of strings in VarExporter
PKSA-3wg8-7y1s-53jj CVE-2019-11325 GHSA-w4rc-rx25-8m86
Affected version: >=4.2.0,<4.2.12|>=4.3.0,<4.3.8
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2019-18886: Prevent user enumeration using switch user functionality
PKSA-gtv2-2115-2srw CVE-2019-18886 GHSA-4vpc-5jx4-cfqg
Affected version: >=4.1.0,<4.2.0|>=4.2.0,<4.2.12|>=4.3.0,<4.3.8
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2019-18887: Use constant time comparison in UriSigner
PKSA-2c18-zmpb-j18r CVE-2019-18887 GHSA-q8hg-pf8v-cxrv
Affected version: >=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<2.8.52|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.35|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.2.12|>=4.3.0,<4.3.8
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
PKSA-7c17-cdm2-nd4n CVE-2019-18888 GHSA-xhh6-956q-4q69
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<2.8.52|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.35|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.2.12|>=4.3.0,<4.3.8
Reported by: GitHub, FriendsOfPHP/security-advisories
[CRITICAL] CVE-2019-10910: Check service IDs are valid
PKSA-wzwb-pd6v-vngj CVE-2019-10910 GHSA-pgwj-prpq-jpc2
Affected version: >=2.7.0,<2.7.51|>=2.8.0,<2.8.50|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.26|>=4.0.0,<4.1.0|>=4.1.0,<4.1.12|>=4.2.0,<4.2.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2019-10909: Escape validation messages in the PHP templating engine
PKSA-m1rn-sznw-gwbr CVE-2019-10909 GHSA-g996-q5r8-w7g2
Affected version: >=2.7.0,<2.7.51|>=2.8.0,<2.8.50|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.26|>=4.0.0,<4.1.0|>=4.1.0,<4.1.12|>=4.2.0,<4.2.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2019-10912: Prevent destructors with side-effects from being unserialized
PKSA-mh8w-p7pd-ryq7 CVE-2019-10912 GHSA-w2fr-65vp-mxw3
Affected version: >=2.8.0,<2.8.50|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.26|>=4.0.0,<4.1.0|>=4.1.0,<4.1.12|>=4.2.0,<4.2.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2019-10911: Add a separator in the remember me cookie hash
PKSA-6kxq-3xc4-hmkm CVE-2019-10911 GHSA-cchx-mfrc-fwqr
Affected version: >=2.7.0,<2.7.51|>=2.8.0,<2.8.50|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.26|>=4.0.0,<4.1.0|>=4.1.0,<4.1.12|>=4.2.0,<4.2.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[CRITICAL] CVE-2019-10913: Reject invalid HTTP method overrides
PKSA-knvs-fy6n-bhp7 CVE-2019-10913 GHSA-x92h-wmg2-6hp7
Affected version: >=2.7.0,<2.7.51|>=2.8.0,<2.8.50|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.26|>=4.0.0,<4.1.0|>=4.1.0,<4.1.12|>=4.2.0,<4.2.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2018-19790: Open Redirect Vulnerability on login
PKSA-zd86-wd6f-tb9n CVE-2018-19790 GHSA-89r2-5g34-2g47
Affected version: >=2.7.38,<2.7.50|>=2.8.0,<2.8.49|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.20|>=4.0.0,<4.0.15|>=4.1.0,<4.1.9|>=4.2.0,<4.2.1
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2018-19789: Temporary uploaded file path disclosure
PKSA-zc56-fpqy-7zct CVE-2018-19789 GHSA-x3cf-w64x-4cp2
Affected version: >=2.7.38,<2.7.50|>=2.8.0,<2.8.49|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<3.4.20|>=4.0.0,<4.0.15|>=4.1.0,<4.1.9|>=4.2.0,<4.2.1
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2018-14773: Remove support for legacy and risky HTTP headers
PKSA-vh39-74ft-ywr6 CVE-2018-14773 GHSA-8wgj-6wx8-h5hq
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.7.49|>=2.8.0,<2.8.44|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.18|>=3.4.0,<3.4.14|>=4.0.0,<4.0.14|>=4.1.0,<4.1.3
Reported by: GitHub, FriendsOfPHP/security-advisories
[CRITICAL] CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password
PKSA-sdqz-ygpm-k46x CVE-2018-11407 GHSA-35c5-28pg-2qg4
Affected version: >=2.8.0,<2.8.37|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.7|>=4.0.0,<4.0.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2018-11406: CSRF Token Fixation
PKSA-f442-tkzt-592s CVE-2018-11406 GHSA-g4g7-q726-v5hg
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2018-11408: Open redirect vulnerability on security handlers
PKSA-pm7f-56fm-h5jv CVE-2018-11408 GHSA-7hwc-2cq4-6x2w
Affected version: >=2.7.38,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2018-11386: Denial of service when using PDOSessionHandler
PKSA-pzzd-51qv-shqy CVE-2018-11386 GHSA-r2rq-3h56-fqm4
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2018-11385: Session Fixation Issue for Guard Authentication
PKSA-zzvm-fw3r-ytm8 CVE-2018-11385 GHSA-g4rg-rw65-8hfg
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.7.48|>=2.8.0,<2.8.41|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.3.17|>=3.4.0,<3.4.11|>=4.0.0,<4.0.11
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2017-16654: Intl bundle readers breaking out of paths
PKSA-ctbg-pk51-wtfd CVE-2017-16654 GHSA-c49r-8gj6-768r
Affected version: >=2.7.0,<2.7.38|>=2.8.0,<2.8.31|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.2.14|>=3.3.0,<3.3.13
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2017-16790: Ensure that submitted data are uploaded files
PKSA-xfbc-21d1-8fcz CVE-2017-16790 GHSA-cqqh-94r6-wjrg
Affected version: >=2.7.0,<2.7.38|>=2.8.0,<2.8.31|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.2.14|>=3.3.0,<3.3.13
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2017-16652: Open redirect vulnerability on security handlers
PKSA-4dtn-jshh-1cr5 CVE-2017-16652 GHSA-r7p7-qr7p-2rrf
Affected version: >=2.7.0,<2.7.38|>=2.8.0,<2.8.31|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.2.14|>=3.3.0,<3.3.13
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2017-16653: CSRF protection does not use different tokens for HTTP and HTTPS
PKSA-rkth-yxdd-hgf2 CVE-2017-16653 GHSA-92x6-h2gr-8gxq
Affected version: >=2.7.0,<2.7.38|>=2.8.0,<2.8.31|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.2.14|>=3.3.0,<3.3.13
Reported by: GitHub, FriendsOfPHP/security-advisories
[CRITICAL] CVE-2017-11365: Empty passwords validation issue
PKSA-45fk-t1xv-3cxm CVE-2017-11365 GHSA-q87v-q8fw-gmj5
Affected version: >=2.7.30,<2.7.32|>=2.8.23,<2.8.25|>=3.2.10,<3.2.12|>=3.3.3,<3.3.5
Reported by: GitHub, FriendsOfPHP/security-advisories
[CRITICAL] CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an empty password
PKSA-z6t7-9z7m-qs76 CVE-2016-2403 GHSA-wvj5-r78r-hhfq
Affected version: >=2.8.0,<2.8.6|>=3.0.0,<3.0.6
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2016-4423: Large username storage in session
PKSA-7myt-9b1h-tpzj CVE-2016-4423 GHSA-whgv-8cg3-7hcm
Affected version: >=2.3.0,<2.3.41|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.7.13|>=2.8.0,<2.8.6|>=3.0.0,<3.0.6
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails
PKSA-dc8v-9qff-bx8y CVE-2016-1902 GHSA-jjx5-fq5g-8xpc
Affected version: >=2.3.0,<2.3.37|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.6.13|>=2.7.0,<2.7.9
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service
PKSA-x6by-dh6n-pzrc CVE-2015-8125 GHSA-g97c-jfx6-xvxh
Affected version: >=2.3.0,<2.3.35|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.6.12|>=2.7.0,<2.7.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[LOW] CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature
PKSA-3kww-vzpv-5xn6 CVE-2015-8124 GHSA-j5jh-hpr4-h332
Affected version: >=2.3.0,<2.3.35|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.6.12|>=2.7.0,<2.7.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2015-4050: ESI unauthorized access
PKSA-yp79-c7wz-1ygz CVE-2015-4050 GHSA-qmqw-mpqp-mr54
Affected version: >=2.3.19,<2.3.29|>=2.4.9,<2.5.0|>=2.5.4,<2.5.12|>=2.6.0,<2.6.8
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Esi Code Injection
PKSA-vpvj-b7j9-94sm CVE-2015-2308 GHSA-5c58-w9xc-qcj9
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.3.27|>=2.4.0,<2.5.0|>=2.5.0,<2.5.11|>=2.6.0,<2.6.6
Reported by: GitHub, FriendsOfPHP/security-advisories
Unsafe methods in the Request class
PKSA-34xp-pdgg-w7tn CVE-2015-2309
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.3.27|>=2.4.0,<2.5.0|>=2.5.0,<2.5.11|>=2.6.0,<2.6.6
Reported by: FriendsOfPHP/security-advisories
CSRF vulnerability in the Web Profiler
PKSA-v7yj-yq6g-yszs CVE-2014-6072
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.3.19|>=2.4.0,<2.4.9|>=2.5.0,<2.5.4
Reported by: FriendsOfPHP/security-advisories
Direct access of ESI URLs behind a trusted proxy
PKSA-1twh-mycd-p72h CVE-2014-5245
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.3.19|>=2.4.0,<2.4.9|>=2.5.0,<2.5.4
Reported by: FriendsOfPHP/security-advisories
Security issue when parsing the Authorization header
PKSA-hy7b-fsc8-fztz CVE-2014-6061
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.3.19|>=2.4.0,<2.4.9|>=2.5.0,<2.5.4
Reported by: FriendsOfPHP/security-advisories
Denial of service with a malicious HTTP Host header
PKSA-nvg8-cqm4-3ng3 CVE-2014-5244
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.3.19|>=2.4.0,<2.4.9|>=2.5.0,<2.5.4
Reported by: FriendsOfPHP/security-advisories
Code injection in the way Symfony implements translation caching in FrameworkBundle
PKSA-yjtb-frqz-q7xt CVE-2014-4931
Affected version: >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.3.19|>=2.4.0,<2.4.9|>=2.5.0,<2.5.4
Reported by: FriendsOfPHP/security-advisories
[MEDIUM] Possible DOS attack with long user-submitted passwords
PKSA-ctj8-t257-k4y8 CVE-2013-5958 GHSA-cr49-fx2v-9p57
Affected version: >=2.0.0,<2.0.25|>=2.1.0,<2.1.13|>=2.2.0,<2.2.9|>=2.3.0,<2.3.6
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Request::getHost() poisoning
PKSA-jqr2-4r5d-hkhp CVE-2013-4752 GHSA-22pv-7v9j-hqxp
Affected version: >=2.0.0,<2.0.24|>=2.1.0,<2.1.12|>=2.2.0,<2.2.5|>=2.3.0,<2.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] Validation metadata serialization and loss of information
PKSA-s5ck-wzp6-nx8m CVE-2013-4751 GHSA-q8j7-fjh7-25v5
Affected version: >=2.0.0,<2.0.24|>=2.1.0,<2.1.12|>=2.2.0,<2.2.5|>=2.3.0,<2.3.3
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] Ability to enable/disable object support in YAML parsing and dumping
PKSA-t2pc-z7zq-cy53 CVE-2013-1397 GHSA-7w53-hfpw-rg3g
Affected version: >=2.0.0,<2.0.22|>=2.1.0,<2.1.7
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] Ability to enable/disable PHP parsing in Yaml::parse()
PKSA-b422-2y6k-kbzn CVE-2013-1348 GHSA-2r5h-6r7v-5m7c
Affected version: >=2.0.0,<2.0.22
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Code execution vulnerability via the "internal" routes
PKSA-t64c-jyz9-v3bf CVE-2012-6432 GHSA-89cp-fvcc-hxh7
Affected version: >=2.0.0,<2.0.20|>=2.1.0,<2.1.5
Reported by: GitHub, FriendsOfPHP/security-advisories
Request::getClientIp() when the trust proxy mode is enabled
Affected version: >=2.0.0,<2.0.19|>=2.1.0,<2.1.4
Reported by: FriendsOfPHP/security-advisories
Security fixes related to the way XML is handled
Affected version: >=2.0.0,<2.0.17
Reported by: FriendsOfPHP/security-advisories
[MEDIUM] Routes behind a firewall are accessible even when not logged in
PKSA-ttwb-p278-dqw6 CVE-2012-6431 GHSA-83c3-qx27-2rwr
Affected version: >=2.0.0,<2.0.19
Reported by: GitHub, FriendsOfPHP/security-advisories
[LOW] XML decoding attack vector through external entities
PKSA-44g2-whft-1n99 GHSA-g2qj-pmxm-9f8f
Affected version: >=2.0.0,<2.0.11
Reported by: GitHub, FriendsOfPHP/security-advisories
Vulnerability in the EntityUserProvider as provided in the Doctrine bridge
Affected version: >=2.0.0,<2.0.6
Reported by: FriendsOfPHP/security-advisories