symfony/symfony Licenses and Vulnerabilities

symfony/symfony Vulnerabilities

Sort by

CVE (Latest)

CVE (Latest)
CVE (Oldest)
CVSS Score (Highest)
CVSS Score (Lowest)

CVE	CVSS Score	CWE(s)	EPSS Score	EPSS %	Impacted Versions
CVE-2013-4751	High 8.1	CWE-20, CWE-221	0.00187	0.56267	v2.0.9–v2.3.2 2.0.4–2.0.7
CVE-2013-4752	Medium 6.1	CWE-79, CWE-74	0.00563	0.776	v2.0.9–v2.3.2 2.0.4–2.0.7
CVE-2013-5958	Medium 5	CWE-400, CWE-399	0.0021	0.58607	v2.0.9–v2.3.5 2.0.4–2.0.7
CVE-2014-4931	Medium 5.6	CWE-94	None	None	v2.0.9–v2.5.3 2.0.4–2.2.x-dev
CVE-2014-5244	Medium 5.3	CWE-400	None	None	v2.0.9–v2.5.3 2.0.4–2.2.x-dev
CVE-2014-6061	Low 3.7	CWE-592	None	None	v2.3.0–v2.5.3
CVE-2015-2308	Medium 6.8	CWE-94	0.00465	0.7519	v2.0.9–v2.6.5 2.0.4–2.4.x-dev
CVE-2015-2309	Medium 6.5	CWE-300	None	None	v2.0.9–v2.6.5 2.0.4–2.4.x-dev
CVE-2015-8124	Medium 6.8	CWE-384	0.01537	0.86765	v2.3.0–v2.7.6 2.4.x-dev
CVE-2015-8125	High 7.5	CWE-208	0.01121	0.84363	v2.3.0–v2.7.6 2.4.x-dev–2.5.x-dev
CVE-2015-8766	Medium 6.1	CWE-79	0.00224	0.6025	v2.0.9–v2.6.3 dev-5.4-eol-prtemplate 2.0.4–2.5.x-dev
CVE-2016-1902	High 7.5	CWE-330, CWE-310	0.00169	0.54087	v2.3.0–v2.7.8 2.4.x-dev–2.5.x-dev
CVE-2016-4423	High 7.5	CWE-400, CWE-399	0.00909	0.82554	v3.0.0–v3.0.5 v2.3.0–v2.8.5 2.4.x-dev–2.6.x-dev
CVE-2017-18343	Medium 6.1	CWE-79	0.00096	0.41361	v3.0.0–v3.3.5 v2.0.9–v2.8.25 dev-5.4-eol-prtemplate 3.0.x-dev–3.1.x-dev 2.0.4–2.6.x-dev
CVE-2018-11385	High 8.1	CWE-384	0.00514	0.76511	v4.0.0–v4.0.10 v3.0.0–v3.4.10 v2.0.9–v2.8.40 3.0.x-dev–3.2.x-dev 2.0.4–2.6.x-dev
CVE-2018-12040	Medium 6.1	CWE-79	0.00125	0.47531	v4.0.0–v4.1.0-BETA3 v3.0.0–v3.4.49 v2.0.9–v2.8.52 dev-5.4-eol-prtemplate 4.0.x-dev 3.0.x-dev–3.4.x-dev 2.0.4–2.8.x-dev
CVE-2018-12043	Medium 6.1	CWE-79	0.00062	0.28638	v2.0.9–v2.7.6 dev-5.4-eol-prtemplate 2.0.4–2.6.x-dev
CVE-2018-14773	Medium 6.5		0.77988	0.98458	v4.0.0–v4.1.2 v3.0.0–v3.4.13 v2.0.9–v2.8.43 3.0.x-dev–3.3.x-dev 2.0.4–2.7.x-dev
CVE-2018-14774	High 7.2	CWE-20	0.00072	0.33396	v4.0.0–v4.1.1 v3.3.0–v3.4.13 v2.0.9–v2.8.43 dev-5.4-eol-prtemplate 2.0.4–2.6.x-dev
CVE-2019-18887	High 8.1	CWE-203	0.0125	0.85272	v4.0.0–v4.3.7 v3.0.0–v3.4.34 v2.2.0–v2.8.51 4.0.x-dev–4.1.x-dev 3.0.x-dev–3.3.x-dev 2.2.x-dev–2.7.x-dev
CVE-2019-18888	High 7.5	CWE-88, CWE-20	0.00706	0.80165	v4.0.0–v4.3.7 v3.0.0–v3.4.34 v2.0.9–v2.8.51 4.0.x-dev–4.1.x-dev 3.0.x-dev–3.3.x-dev 2.0.4–2.7.x-dev
CVE-2022-24894	High 8.8	CWE-285	0.00212	0.5872	v6.0.0–v6.2.5 v5.0.0–v5.4.19 v4.0.0–v4.4.49 v3.0.0–v3.4.49 v2.0.9–v2.8.52 5.0.x-dev–5.3.x-dev 4.0.x-dev–4.3.x-dev 3.0.x-dev–3.4.x-dev 2.0.4–2.8.x-dev
CVE-2022-24895	High 8.8	CWE-384, CWE-613	0.00234	0.61018	v6.0.0–v6.2.5 v5.0.0–v5.4.19 v4.0.0–v4.4.49 v3.0.0–v3.4.49 v2.0.9–v2.8.52 5.0.x-dev–5.3.x-dev 4.0.x-dev–4.3.x-dev 3.0.x-dev–3.4.x-dev 2.0.4–2.8.x-dev
CVE-2023-46734	Medium 6.1	CWE-79	0.00084	0.37682	v6.0.0–v6.3.7 v5.0.0–v5.4.30 v4.0.0–v4.4.50 v3.0.0–v3.4.49 v2.0.9–v2.8.52 6.0.x-dev–6.2.x-dev 5.0.x-dev–5.3.x-dev 4.0.x-dev–4.3.x-dev 3.0.x-dev–3.4.x-dev 2.0.4–2.8.x-dev
CVE-2024-50343	Low 3.1	CWE-20	0.00043	0.10859	v7.0.0–v7.1.3 v6.0.0–v6.4.10 v5.0.0–v5.4.42 v4.0.0–v4.4.51 v3.0.0–v3.4.49 v2.0.9–v2.8.52 dev-5.4-eol-prtemplate 7.0.x-dev 6.0.x-dev–6.3.x-dev 5.0.x-dev–5.3.x-dev 4.0.x-dev–4.4.x-dev 3.0.x-dev–3.4.x-dev 2.0.4–2.8.x-dev
CVE-2024-50345	Low 3.1	CWE-601	0.00061	0.27398	v7.0.0–v7.1.6 v6.0.0–v6.4.13 v5.0.0–v5.4.45 v4.0.0–v4.4.51 v3.0.0–v3.4.49 v2.0.9–v2.8.52 dev-5.4-eol-prtemplate 7.0.x-dev 6.0.x-dev–6.3.x-dev 5.0.x-dev–5.3.x-dev 4.0.x-dev–4.4.x-dev 3.0.x-dev–3.4.x-dev 2.0.4–2.8.x-dev
CVE-2024-51736	Unknown	CWE-77	0.00043	0.10859	v7.0.0–v7.1.6 v6.0.0–v6.4.13 v5.0.0–v5.4.45 v4.0.0–v4.4.51 v3.0.0–v3.4.49 v2.0.9–v2.8.52 dev-5.4-eol-prtemplate 7.0.x-dev 6.0.x-dev–6.3.x-dev 5.0.x-dev–5.3.x-dev 4.0.x-dev–4.4.x-dev 3.0.x-dev–3.4.x-dev 2.0.4–2.8.x-dev
CVE-2014-5245	Low 3.7	CWE-200	None	None	v2.0.9–v2.5.3 2.0.4–2.0.x-dev
CVE-2014-6072	Medium 6.3	CWE-352	None	None	v2.0.9–v2.5.3 2.0.4–2.0.x-dev
CVE-2013-1397	High 7.5	CWE-94	0.00651	0.7932	v2.0.9–v2.1.6 2.0.4–2.0.7
CVE-2012-6432	Medium 6.8	CWE-264, CWE-94	0.00388	0.72891	v2.0.9–v2.1.4 2.0.4–2.0.7
CVE-2012-6431	Medium 6.4	CWE-264, CWE-200	0.00256	0.64524	v2.0.9–v2.0.19 2.0.4–2.0.7
CVE-2013-1348	High 7.5	CWE-94	0.00651	0.7932	v2.0.9–v2.0.21 2.0.4–2.0.7
CVE-2015-4050	Medium 4.3	CWE-284	0.00633	0.78948	v2.3.19–v2.6.7 2.4.x-dev
CVE-2017-16652	Medium 6.1	CWE-601	0.00075	0.34607	v3.0.0–v3.3.12 v2.7.0–v2.8.30 3.0.x-dev–3.1.x-dev
CVE-2017-16653	Medium 5.9	CWE-352, CWE-254	0.00079	0.36182	v3.0.0–v3.3.12 v2.7.0–v2.8.30 3.0.x-dev–3.1.x-dev
CVE-2017-16654	High 7.5	CWE-22	0.00139	0.49982	v3.0.0–v3.3.12 v2.7.0–v2.8.30 3.0.x-dev–3.1.x-dev
CVE-2017-16790	Medium 6.5	CWE-20, CWE-200	0.00048	0.19518	v3.0.0–v3.3.12 v2.7.0–v2.8.30 3.0.x-dev–3.1.x-dev
CVE-2018-11386	Medium 5.9	CWE-613	0.00483	0.75645	v4.0.0–v4.0.10 v3.3.0–v3.4.10 v2.7.0–v2.8.40
CVE-2018-11406	High 8.8	CWE-352	0.00344	0.71276	v4.0.0–v4.0.10 v3.0.0–v3.4.10 v2.7.0–v2.8.40 3.0.x-dev–3.2.x-dev
CVE-2018-11408	Medium 6.1	CWE-601	0.00378	0.72563	v4.0.0–v4.0.10 v3.3.0–v3.4.10 v2.7.0–v2.8.40
CVE-2018-19789	Medium 5.3	CWE-434	0.0059	0.78094	v4.0.0–v4.2.0 v3.0.0–v3.4.19 v2.7.0–v2.8.48 3.0.x-dev–3.3.x-dev
CVE-2019-10909	Medium 5.4	CWE-79	0.00086	0.38251	v4.0.0–v4.2.6 v3.0.0–v3.4.25 v2.7.0–v2.8.49 4.0.x-dev 3.0.x-dev–3.3.x-dev
CVE-2019-10910	High 9.8	CWE-89	0.0261	0.9	v4.0.0–v4.2.6 v3.0.0–v3.4.25 v2.7.0–v2.8.49 4.0.x-dev 3.0.x-dev–3.3.x-dev
CVE-2019-10911	High 7.5	CWE-287, CWE-200	0.00272	0.67516	v4.0.0–v4.2.6 v3.0.0–v3.4.25 v2.7.0–v2.8.49 4.0.x-dev 3.0.x-dev–3.3.x-dev
CVE-2019-10913	High 9.8	CWE-79, CWE-89	0.00159	0.5286	v4.0.0–v4.2.6 v3.0.0–v3.4.25 v2.7.0–v2.8.49 4.0.x-dev 3.0.x-dev–3.3.x-dev
CVE-2018-11407	High 9.8	CWE-287	0.0054	0.77118	v4.0.0–v4.0.6 v3.0.0–v3.4.6 v2.8.0–v2.8.36 3.0.x-dev–3.2.x-dev
CVE-2018-19790	Medium 6.1	CWE-601	0.0041	0.73547	v4.0.0–v4.2.0 v3.0.0–v3.4.19 v2.7.38–v2.8.48 3.0.x-dev–3.3.x-dev
CVE-2019-10912	High 7.1	CWE-502	0.00253	0.64287	v4.0.0–v4.2.6 v3.0.0–v3.4.25 v2.8.0–v2.8.49 4.0.x-dev 3.0.x-dev–3.3.x-dev
CVE-2021-21424	Medium 5.3	CWE-203, CWE-200	0.00128	0.47995	v5.0.0–v5.2.7 v4.0.0–v4.4.22 v3.0.0–v3.4.47 v2.8.0–v2.8.52 5.0.x-dev–5.1.x-dev 4.0.x-dev–4.3.x-dev 3.0.x-dev–3.3.x-dev 2.8.x-dev
CVE-2019-18889	High 9.8	CWE-94	0.00551	0.77347	v4.0.0–v4.3.7 v3.1.0–v3.4.34 4.0.x-dev–4.1.x-dev 3.1.x-dev–3.3.x-dev
CVE-2016-2403	High 9.8	CWE-287, CWE-284	0.00482	0.756	v3.0.0–v3.0.5 v2.8.0–v2.8.5
CVE-2017-11365	High 9.8	CWE-284	0.00225	0.60319	v3.2.10–v3.3.4 v2.7.30–v2.8.24
CVE-2019-18886	Medium 5.3	CWE-203, CWE-200	0.00229	0.60628	v4.1.0–v4.3.7 4.1.x-dev
CVE-2021-41270	Medium 6.5	CWE-1236	0.00125	0.47519	v5.0.0–v5.3.11 v4.1.0–v4.4.34 5.0.x-dev–5.2.x-dev 4.1.x-dev–4.3.x-dev
CVE-2019-11325	High 9.8	CWE-116	0.01029	0.83651	v4.2.0–v4.3.7
CVE-2020-15094	High 8	CWE-212	0.00785	0.81263	v5.0.0–v5.1.4 v4.3.0–v4.4.12 5.0.x-dev 4.3.x-dev
CVE-2024-50342	Low 3.1	CWE-200	0.00043	0.10859	v7.0.0–v7.1.6 v6.0.0–v6.4.13 v5.0.0–v5.4.45 v4.3.0–v4.4.51 7.0.x-dev 6.0.x-dev–6.3.x-dev 5.0.x-dev–5.3.x-dev 4.3.x-dev–4.4.x-dev
CVE-2020-5255	Low 2.6	CWE-435, CWE-20	0.00087	0.38681	v5.0.0–v5.0.6 v4.4.0–v4.4.6
CVE-2020-5275	High 7.6	CWE-285, CWE-863	0.00096	0.4132	v5.0.0–v5.0.6 v4.4.0–v4.4.6
CVE-2020-5274	Medium 4.6	CWE-209	0.00058	0.26256	v5.0.0–v5.0.3 v4.4.0–v4.4.3
CVE-2021-41268	Medium 6.5	CWE-384	0.00133	0.48999	v5.3.0–v5.3.11
CVE-2021-41267	Medium 6.5	CWE-444	0.00126	0.47742	v5.2.0–v5.3.11 5.2.x-dev
CVE-2024-50340	High 7.3	CWE-74	0.00054	0.24623	v7.0.0–v7.1.6 v6.0.0–v6.4.13 v5.3.0–v5.4.45 7.0.x-dev 6.0.x-dev–6.3.x-dev 5.3.x-dev
CVE-2024-51996	High 7.5	CWE-287, CWE-289	0.00043	0.10859	v7.0.0–v7.1.7 v6.0.0–v6.4.14 v5.3.0–v5.4.46 7.0.x-dev 6.0.x-dev–6.3.x-dev 5.3.x-dev
CVE-2021-32693	Medium 6.8	CWE-287	0.00193	0.56966	v5.3.0–v5.3.1
CVE-2024-50341	Low 3.1	CWE-287	0.00043	0.10859	v7.0.0–v7.1.2 v6.2.0–v6.4.9 6.2.x-dev–6.3.x-dev
CVE-2023-46733	Medium 6.5	CWE-384	0.00122	0.46976	v6.2.7–v6.3.7 v5.4.21–v5.4.30 6.2.x-dev
CVE-2023-46735	Medium 6.1	CWE-79	0.00068	0.31806	v6.3.0–v6.3.7
CVE-2022-23601	High 8.8	CWE-352	0.00098	0.41833	v6.0.3 v5.3.14–v5.4.3

symfony/symfony Vulnerability Remediation Guidance

CVE	Description	Full list of Impacted Versions	Fix
CVE-2024-51996	Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.	v5.3.6, v5.3.5, v5.3.3, v5.3.2, v5.3.0, v5.3.4, v5.3.1, v5.3.10 (Show all)	Minor → v5.4.47
CVE-2024-51736	Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2024-50345	symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2024-50343	symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2024-50342	symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.	v4.3.7, v4.3.4, v4.3.3, v4.3.5, v4.3.2, v4.3.1, v4.3.0, v4.3.6 (Show all)	Major → v5.4.47
CVE-2024-50341	symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Security::login` method now ensure to call the configured `user_checker`. All users are advised to upgrade. There are no known workarounds for this vulnerability.	v6.2.1, v7.1.2, v7.0.9, v6.4.9, v7.1.1, v7.0.8, v6.4.8, v6.4.3 (Show all)	Minor → v6.4.15
CVE-2024-50340	symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.	v5.3.6, v5.3.5, v5.3.3, v5.3.2, v5.3.0, v5.3.4, v5.3.1, v5.3.10 (Show all)	Minor → v5.4.47
CVE-2023-46735	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now doesn't return any user-submitted input in its response.	v6.3.7, v6.3.6, v6.3.5, v6.3.4, v6.3.3, v6.3.2, v6.3.1, v6.3.0	Minor → v6.4.15
CVE-2023-46734	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2023-46733	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifier. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations, which is not the case at the moment. As of versions 5.4.31 and 6.3.8, Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated.	v6.3.0-BETA1, v6.3.7, v6.3.6, v6.3.5, v6.3.4, v6.3.3, v6.2.14, v6.2.13 (Show all)	Minor → v6.4.15
CVE-2022-24895	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2022-24894	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2022-23601	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.	v6.0.3, v5.3.14, v5.4.3	Minor → v6.4.15
CVE-2021-41270	Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas and add the prefix to cells starting by `\t`, `\r` as well as `=`, `+`, `-` and `@`.	v4.1.8, v4.2.3, v4.1.7, v4.1.9, v4.2.0, v4.2.4, v4.1.6, v4.1.3 (Show all)	Major → v5.4.47
CVE-2021-41268	Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.	v5.3.6, v5.3.5, v5.3.3, v5.3.2, v5.3.0, v5.3.4, v5.3.1, v5.3.10 , v5.3.9, v5.3.11, v5.3.7, v5.3.8 (Show all)	Minor → v5.4.47
CVE-2021-41267	Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted.	v5.3.6, v5.2.10, v5.3.5, v5.3.3, v5.2.7, v5.2.1, v5.3.0-BETA3, v5.3.0-RC1 (Show all)	Minor → v5.4.47
CVE-2021-32693	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the firewalls was available for all other firewalls. This could be abused when the application defines different providers for each part of the application, in such a situation, a user authenticated on a part of the application could be considered authenticated on the rest of the application. Starting in version 5.3.2, a patch ensures that the authenticated token is only available for the firewall that generates it.	v5.3.0, v5.3.1	Minor → v5.4.47
CVE-2021-21424	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.	v2.8.26, v3.2.6, v3.3.6, v2.8.4, v2.8.7, v3.0.0, v3.2.1, v3.0.6 (Show all)	Major → v5.4.47
CVE-2020-5275	In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7.	v4.4.6, v4.4.5, v4.4.0, v5.0.6, v4.4.1, v5.0.5, v5.0.4, v5.0.3 (Show all)	Major → v5.4.47
CVE-2020-5274	In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5	v4.4.0, v4.4.1, v5.0.3, v5.0.2, v4.4.3, v5.0.1, v4.4.2, v5.0.0	Major → v5.4.47
CVE-2020-5255	In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.	v4.4.6, v4.4.5, v4.4.0, v5.0.6, v4.4.1, v5.0.5, v5.0.4, v5.0.3 (Show all)	Major → v5.4.47
CVE-2020-15094	In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.	v4.3.7, v4.3.4, v4.3.3, v4.3.5, v4.3.2, v4.3.1, v4.3.0, v4.3.6 (Show all)	Major → v5.4.47
CVE-2019-18889	An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.	v3.2.6, v3.3.6, v3.2.1, v3.1.1, v3.1.4, v3.1.7, v3.1.10, v3.2.0-RC1 (Show all)	Major → v5.4.47
CVE-2019-18888	An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2019-18887	An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.4.6, v2.4.1, v2.3.9 (Show all)	Major → v5.4.47
CVE-2019-18886	An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.	v4.1.8, v4.2.3, v4.1.7, v4.1.9, v4.2.0, v4.2.4, v4.1.6, v4.1.3 (Show all)	Major → v5.4.47
CVE-2019-11325	An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.	v4.2.3, v4.2.0, v4.2.4, v4.2.6, v4.2.1, v4.2.5, v4.2.2, v4.3.7 (Show all)	Major → v5.4.47
CVE-2019-10913	In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2019-10912	In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.	v2.8.26, v3.2.6, v3.3.6, v2.8.4, v2.8.7, v3.0.0, v3.2.1, v3.0.6 (Show all)	Major → v5.4.47
CVE-2019-10911	In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2019-10910	In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2019-10909	In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2018-19790	An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.	v2.8.26, v3.2.6, v3.3.6, v2.8.4, v2.8.7, v3.0.0, v3.2.1, v3.0.6 (Show all)	Major → v5.4.47
CVE-2018-19789	An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2018-14774	An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2018-14773	An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2018-12043	content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2018-12040	DISPUTED Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues)."	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2018-11408	The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2018-11407	An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.	v2.8.26, v3.2.6, v3.3.6, v2.8.4, v2.8.7, v3.0.0, v3.2.1, v3.0.6 (Show all)	Major → v5.4.47
CVE-2018-11406	An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2018-11386	An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2018-11385	An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2017-18343	DISPUTED The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2017-16790	An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST data and uploaded files data into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a "FileType" is sent as normal POST data that could be interpreted as a local file path on the server-side (for example, "file:///etc/passwd"). If the application did not perform any additional checks about the value submitted to the "FileType", the contents of the given file on the server could have been exposed to the attacker.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2017-16654	An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2017-16653	An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2017-16652	An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.	v2.7.1, v2.7.6, v2.7.2, v2.7.5, v2.7.3, v2.7.4, v2.7.0, v2.8.26 (Show all)	Major → v5.4.47
CVE-2017-11365	Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.	v2.7.31, v2.8.24, v3.3.3, v2.8.23, v3.3.4, v3.2.10, v3.2.11, v2.7.30	Major → v5.4.47
CVE-2016-4423	The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.	v2.3.0, v2.3.5, v2.3.12, v2.5.2, v2.4.6, v2.4.1, v2.3.9, v2.3.3 (Show all)	Major → v5.4.47
CVE-2016-2403	Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.	v2.8.4, v3.0.0, v2.8.1, v2.8.2, v3.0.5, v3.0.3, v3.0.2, v2.8.5 , v3.0.1, v3.0.4, v2.8.3, v2.8.0 (Show all)	Major → v5.4.47
CVE-2016-1902	The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.	v2.3.0, v2.3.5, v2.3.12, v2.5.2, v2.4.6, v2.4.1, v2.3.9, v2.3.3 (Show all)	Major → v5.4.47
CVE-2015-8766	Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_whitelist] parameters to system/preferences.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2015-8125	Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.	v2.3.0, v2.3.5, v2.3.12, v2.5.2, v2.4.6, v2.4.1, v2.3.9, v2.3.3 (Show all)	Major → v5.4.47
CVE-2015-8124	Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.	v2.3.0, v2.3.5, v2.3.12, v2.5.2, v2.4.6, v2.4.1, v2.3.9, v2.3.3 (Show all)	Major → v5.4.47
CVE-2015-4050	FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.	v2.6.3, v2.6.6, v2.5.6, v2.5.0-BETA1, v2.3.23, v2.5.7, v2.5.0-RC1, v2.4.9 (Show all)	Major → v5.4.47
CVE-2015-2309	Unsafe methods in the Request class	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2015-2308	Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2014-6072	CSRF vulnerability in the Web Profiler	v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16, v2.0.22 (Show all)	Major → v5.4.47
CVE-2014-6061	Security issue when parsing the Authorization header	v2.3.0, v2.3.5, v2.3.12, v2.5.2, v2.4.6, v2.4.1, v2.3.9, v2.3.3 (Show all)	Major → v5.4.47
CVE-2014-5245	Direct access of ESI URLs behind a trusted proxy	v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16, v2.0.22 (Show all)	Major → v5.4.47
CVE-2014-5244	Denial of service with a malicious HTTP Host header	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2014-4931	Code injection in the way Symfony implements translation caching in FrameworkBundle	v2.3.0, v2.2.3, v2.3.5, v2.3.12, v2.5.2, v2.1.12, v2.1.2, v2.0.16 (Show all)	Major → v5.4.47
CVE-2013-5958	The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.	v2.3.0, v2.2.3, v2.3.5, v2.1.12, v2.1.2, v2.0.16, v2.0.22, v2.0.11 (Show all)	Major → v5.4.47
CVE-2013-4752	Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.	v2.3.0, v2.2.3, v2.1.2, v2.0.16, v2.0.22, v2.0.11, v2.1.8, v2.2.2 (Show all)	Major → v5.4.47
CVE-2013-4751	php-symfony2-Validator has loss of information during serialization	v2.3.0, v2.2.3, v2.1.2, v2.0.16, v2.0.22, v2.0.11, v2.1.8, v2.2.2 (Show all)	Major → v5.4.47
CVE-2013-1397	Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml\Parser::parse function, a different vulnerability than CVE-2013-1348.	v2.1.2, v2.0.16, v2.0.11, v2.0.12, v2.0.17, v2.0.18, v2.0.20, v2.0.21 (Show all)	Major → v5.4.47
CVE-2013-1348	The Yaml::parse function in Symfony 2.0.x before 2.0.22 remote attackers to execute arbitrary PHP code via a PHP file, a different vulnerability than CVE-2013-1397.	v2.0.16, v2.0.11, v2.0.12, v2.0.17, v2.0.18, v2.0.20, v2.0.21, v2.0.14 (Show all)	Major → v5.4.47
CVE-2012-6432	Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a /_internal substring.	v2.1.2, v2.0.16, v2.0.11, v2.0.12, v2.0.17, v2.0.18, v2.1.0, v2.1.1 (Show all)	Major → v5.4.47
CVE-2012-6431	Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.	v2.0.16, v2.0.11, v2.0.12, v2.0.17, v2.0.18, v2.0.14, v2.0.9, v2.0.13 (Show all)	Major → v5.4.47

Instantly see if these symfony/symfony vulnerabilities affect your code.

Scan for Free