pkg:Packagist/symfony/symfony

All known vulnerabilities

• CRITICAL9.8CVE-2017-11365Symfony Incorrect Access Control
  >= 2.7.30, < 2.7.32
• CRITICAL9.8CVE-2018-11407Symfony Authentication Bypass
  >= 2.8.0, < 2.8.37
• CRITICAL9.8Symfony Authentication Bypass
  >= 2.8.0, < 2.8.6
• CRITICAL9.8Improper Input Validation in Symfony
  >= 4.2.0, < 4.2.12
• CRITICAL9.8Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
  >= 2.7.0, < 2.7.51
• CRITICAL9.8Symfony Unsafe Cache Serialization Could Enable RCE
  >= 3.1.0, < 3.4.35
• CRITICAL9.8Symfony Service IDs Allow Injection
  >= 2.7.0, < 2.7.51
• HIGH8.8Symfony CSRF Token Fixation
  >= 2.7.0, < 2.7.48
• HIGH8.4Symfony vulnerable to command execution hijack on Windows with Process class
  from 0, < 5.4.46
• HIGH8.1Symfony Cross-Site Request Forgery vulnerability in the Web Profiler
  >= 2.0.0, < 2.3.19
• HIGH8.1Symfony Session Fixation Vulnerability
  >= 2.7.0, < 2.7.48
• HIGH8.1Symfony collectionCascaded and collectionCascadedDeeply fields security bypass
  >= 2.0.0, < 2.0.24
• HIGH8.1Symfony Http-Kernel has non-constant time comparison in UriSigner
  >= 2.2.0, < 2.8.52
• HIGH8.0RCE in Symfony
  >= 4.3.0, < 4.4.13
• HIGH7.6Firewall configured with unanimous strategy was not actually unanimous in Symfony
  >= 4.4.0, < 4.4.7
• HIGH7.5Symfony allows direct access of ESI URLs behind a trusted proxy
  >= 2.0.0, < 2.3.19
• HIGH7.5Symfony vulnerable to denial of service via a malicious HTTP Host header
  >= 2.0.0, < 2.3.19
• HIGH7.5Code injection in the way Symfony implements translation caching in FrameworkBundle
  >= 2.0.0, < 2.3.19
• HIGH7.5Symfony Cryptographic Vulnerability
  >= 2.3.0, < 2.3.37
• HIGH7.5Symphony Denial of Service Via Overlong Usernames
  >= 2.3.0, < 2.3.41
• HIGH7.5Symfony Directory Traversal
  >= 2.7.0, < 2.7.38
• HIGH7.5Improper authentication in Symfony
  >= 2.7.0, < 2.7.51
• HIGH7.5Argument injection in a MimeTypeGuesser in Symfony
  >= 2.0.0, < 2.8.52
• HIGH7.3Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
  >= 2.0.0, < 5.4.50
• HIGH7.3Symfony allows changing the environment through a query
  >= 5.3.0, < 5.4.46
• HIGH7.2Symfony Host Header Injection
  >= 2.7.0, < 2.7.49
• HIGH7.1Deserialization of untrusted data in Symfony
  >= 2.8.0, < 2.8.50
• MEDIUM6.8Authentication granted to all firewalls instead of just one
  >= 5.3.0, < 5.3.2
• MEDIUM6.5Symfony possible session fixation vulnerability
  >= 5.4.21, < 5.4.31
• MEDIUM6.5Symfony SSRF Vulnerability via Form Component
  >= 2.7.0, < 2.7.38
• MEDIUM6.5Symfony HTTP Foundation web cache poisoning
  >= 2.7.0, < 2.7.49
• MEDIUM6.5CSV Injection in symfony/serializer
  >= 4.1.0, < 4.4.35
• MEDIUM6.5Cookie persistence after password changes in symfony/security-bundle
  >= 5.3.0, < 5.3.12
• MEDIUM6.5Webcache Poisoning in symfony/http-kernel
  >= 5.2.0, < 5.3.12
• MEDIUM6.3Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
  from 0, < 5.4.51
• MEDIUM6.3Symfony vulnerable to Session Fixation of CSRF tokens
  >= 2.0.0, < 4.4.50
• MEDIUM6.1Symfony potential Cross-site Scripting in WebhookController
  >= 6.3.0, < 6.3.8
• MEDIUM6.1Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters
  >= 2.0.0, < 4.4.51
• MEDIUM6.1Symfony Open Redirect
  >= 2.7.0, < 2.7.38
• MEDIUM6.1Symfony Open Redirect
  >= 2.7.0, < 2.7.48
• MEDIUM6.1Symfony Open Redirect
  >= 2.7.38, < 2.7.50
• MEDIUM6.1Symfony Host Header Injection vulnerability in the HttpFoundation component
  >= 2.0.0, < 2.0.24
• MEDIUM5.9Symfony storing cookie headers in HttpCache
  >= 2.0.0, < 4.4.50
• MEDIUM5.9Symfony DoS
  >= 2.7.0, < 2.7.48
• MEDIUM5.9Symfony CSRF Vulnerability
  >= 2.7.0, < 2.7.38
• MEDIUM5.4Symfony Cross-site Scripting (XSS) vulnerability
  >= 2.7.0, < 2.7.51
• MEDIUM5.3Symfony has unsafe methods in the Request class
  >= 2.0.0, < 2.3.27
• MEDIUM5.3Symfony has a security issue when parsing the Authorization header
  >= 2.0.0, < 2.3.19
• MEDIUM5.3Symfony Path Disclosure
  >= 2.7.0, < 2.7.50
• MEDIUM5.3Prevent user enumeration using Guard or the new Authenticator-based Security
  >= 2.8.0, < 3.4.49
• MEDIUM5.3User enumeration leak using switch user functionality in Symfony
  >= 4.1.0, < 4.2.12
• MEDIUM4.6Exceptions displayed in non-debug configurations in Symfony
  >= 4.4.0, < 4.4.4
• LOW3.1Symfony has an incorrect response from Validator when input ends with `\n`
  from 0, < 5.4.43
• LOW3.1Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient
  >= 4.3.0, < 5.4.47
• LOW3.1Symfony's `Security::login` does not take into account custom `user_checker`
  >= 6.2.0, < 6.4.10
• LOW3.1Symfony Session Fixation Vulnerability
  >= 2.3.0, < 2.3.35
• LOW2.6Prevent cache poisoning via a Response Content-Type header in Symfony
  >= 4.4.0, < 4.4.7
• —SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
  >= 5.4.46, < 5.4.52
• —Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
  from 0, < 5.4.52
• —Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
  from 0, < 5.4.52
• —Symfony hardened the parser when handling untrusted input
  from 0, < 5.4.52
• —Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
  from 0, < 5.4.52
• —Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
  >= 7.4.0, < 7.4.12
• —Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
  >= 7.1.0, < 7.4.12
• —Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
  from 0, < 5.4.52
• —Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
  >= 6.4.24, < 6.4.40
• —Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
  from 0, < 5.4.52
• —Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names
  from 0, < 5.4.52
• —Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
  >= 6.3.0, < 6.4.40
• —Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
  from 0, < 5.4.52
• —Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
  from 0, < 5.4.52
• —Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
  >= 6.1.0, < 6.4.40
• —Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
  >= 6.1.0, < 6.4.40
• —Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
  from 0, < 5.4.53
• —Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
  >= 6.1.0, < 6.4.41
• —Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade
  >= 7.2.0, < 7.4.13
• —Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes
  >= 6.1.0, < 6.4.41
• —Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
  >= 5.4.0, < 5.4.53
• —Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
  from 0, < 5.4.53
• —Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
  from 0, < 5.4.52
• —Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator
  from 0, < 5.4.52
• —Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS
  >= 7.3.0, < 7.4.12
• —Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification
  >= 6.4.0, < 6.4.40
• —Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)
  >= 6.1.0, < 6.4.40
• —Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection
  >= 7.2.0, < 7.4.12
• —Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection
  >= 6.4.0, < 6.4.40
• —Symfony Access Control Vulnerability
• —Symfony Allows URI Restrictions Bypass Via Double-Encoded String
  >= 2.0.0, < 2.0.19
• —Symfony Denial of Service Via Long Password Hashing
  >= 2.0.0, < 2.0.25
• —Symfony Vulnerable to PHP Eval Injection
  >= 2.0.0, < 2.3.27
• —Symfony Vulnerable to Timing Attack
  >= 2.3.0, < 2.3.35
• —Symfony Incorrect Access Control
  >= 2.3.19, < 2.3.29
• —Symphony Vulnerable to PHP Code Injection via YAML Parsing
  >= 2.0.0, < 2.0.22
• —Symfony Arbitrary PHP code Execution
  >= 2.2.0-BETA1, < 2.2.0-BETA2