symfony/security
Packagist | 17 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting symfony/security
- CVE-2012-6431 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.0.19 | 2012-12-27
vulnerable: 2.0.4 ... v2.0.9 (13 versions)
Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.
- CVE-2013-5958 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.3.6 | 2014-12-27
vulnerable: v2.3.0 ... v2.3.5 (6 versions)
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive ha…
- CVE-2015-8124 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.7.7 | 2015-12-07
vulnerable: v2.7.0 ... v2.7.6 (7 versions)
Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.
- CVE-2015-8125 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.7.7 | 2015-12-07
vulnerable: v2.7.0 ... v2.7.6 (7 versions)
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberM…
- CVE-2016-1902 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.7.9 | 2016-06-01
vulnerable: v2.7.0 ... v2.7.8 (9 versions)
The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the ope…
- CVE-2016-2403 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.0.6 | 2017-02-07
vulnerable: v3.0.0 ... v3.0.5 (6 versions)
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.
- CVE-2016-4423 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.0.6 | 2016-06-01
vulnerable: v3.0.0 ... v3.0.5 (6 versions)
The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a …
- CVE-2017-11365 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.3.5 | 2019-05-23
vulnerable: v3.3.3, v3.3.4
Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.
- CVE-2017-16652 | Severity: MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 3.3.13 | 2018-06-13
vulnerable: v3.3.0 ... v3.3.9 (13 versions)
An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path par…
- CVE-2017-16653 | Severity: MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 3.3.13 | 2018-08-06
vulnerable: v3.3.0 ... v3.3.9 (13 versions)
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the toke…
- CVE-2018-11385 | Severity: HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 4.0.11 | 2018-06-13
vulnerable: v4.0.0 ... v4.0.9 (11 versions)
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may…
- CVE-2018-11406 | Severity: HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 4.0.11 | 2018-06-13
vulnerable: v4.0.0 ... v4.0.9 (11 versions)
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged o…
- CVE-2018-11407 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.0.7 | 2018-06-13
vulnerable: v4.0.0 ... v4.0.6 (7 versions)
An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and val…
- CVE-2018-19790 | Severity: MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 4.2.1 | 2018-12-18
vulnerable: v4.2.0
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms,…
- CVE-2019-10911 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.2.7 | 2019-05-16
vulnerable: v4.2.0 ... v4.2.6 (7 versions)
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login…
- CVE-2020-5275 | Severity: HIGH | CVSS 7.6 | EG 7.6 | ✓ Fixed in 5.0.7 | 2020-03-30
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks an access control rule, it iterates over each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preven…
- CVE-2021-21424 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 4.4.24 | 2021-05-13
vulnerable: v4.0.0 ... v4.4.9 (90 versions)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or n…