VYPR

Packagist (Composer) package

symfony/http-kernel

pkg:composer/symfony/http-kernel

Vulnerabilities (7)

  • CVE-2014-5245 · hig · May 30, 2024
    affected >= 2.0.0, < 2.3.19 · fixed 2.3.19

    All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application. This issue has been fixed in Symfony 2.3.1

  • CVE-2022-24894 · Feb 3, 2023
    affected >= 2.0.0, < 4.4.50 · fixed 4.4.50

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionList

  • CVE-2021-41267 · Nov 24, 2021
    affected >= 5.2.0, < 5.3.12 · fixed 5.3.12

    Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Sy

  • CVE-2020-15094 · Sep 2, 2020
    affected >= 4.3.0, < 4.4.13 · fixed 4.4.13

    In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The cl

  • CVE-2019-18887 · Nov 21, 2019
    affected >= 2.2.0, < 2.8.52 · fixed 2.8.52

    An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.

  • CVE-2015-2308 · Jun 24, 2015
    affected >= 2.0.0, < 2.3.27 · fixed 2.3.27

    Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.

  • CVE-2015-4050 · Jun 2, 2015
    affected >= 2.3.19, < 2.3.29 · fixed 2.3.29

    FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL sig