VYPR

Packagist (Composer) package

symfony/security

pkg:composer/symfony/security

Vulnerabilities (17)

  • CVE-2021-21424 (published May 13, 2021)
    affected >= 5.0.0, < 5.2.8; fixed in 5.2.8

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch user

  • CVE-2020-5275 (published Mar 30, 2020)
    affected >= 4.4.0, < 4.4.7; fixed in 4.4.7

    In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks an access control rule, it iterates over each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of the next attributes that sh

  • CVE-2017-11365 (published May 23, 2019)
    affected >= 2.7.30, < 2.7.32; fixed in 2.7.32

    Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.

  • CVE-2019-10911 (published May 16, 2019)
    affected >= 2.7.0, < 2.7.51; fixed in 2.7.51

    In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related t

  • CVE-2018-19790 (published Dec 18, 2018)
    affected >= 2.7.38, < 2.7.50; fixed in 2.7.50

    An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirect

  • CVE-2017-16653 (published Aug 6, 2018)
    affected >= 2.7.0, < 2.7.38; fixed in 2.7.38

    An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and

  • CVE-2018-11407 (published Jun 13, 2018)
    affected >= 2.8.0, < 2.8.37; fixed in 2.8.37

    An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenti

  • CVE-2018-11406 (published Jun 13, 2018)
    affected >= 2.7.0, < 2.7.48; fixed in 2.7.48

    An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through

  • CVE-2018-11385 (published Jun 13, 2018)
    affected >= 2.7.0, < 2.7.48; fixed in 2.7.48

    An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victi

  • CVE-2017-16652 (published Jun 13, 2018)
    affected >= 2.7.0, < 2.7.38; fixed in 2.7.38

    An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response,

  • CVE-2016-2403 (severity Critical; published Feb 7, 2017)
    affected >= 2.8.0, < 2.8.6; fixed in 2.8.6

    Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

  • CVE-2016-4423 (severity High; published Jun 1, 2016)
    affected >= 2.3.0, < 2.3.41; fixed in 2.3.41

    The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allow

  • CVE-2016-1902 (severity High; published Jun 1, 2016)
    affected >= 2.3.0, < 2.3.37; fixed in 2.3.37

    The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails,

  • CVE-2015-8125 (published Dec 7, 2015)
    affected >= 2.3.0, < 2.3.35; fixed in 2.3.35

    Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Securi

  • CVE-2015-8124 (published Dec 7, 2015)
    affected >= 2.3.0, < 2.3.35; fixed in 2.3.35

    Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.

  • CVE-2013-5958 (published Dec 27, 2014)
    affected >= 2.0.0, < 2.0.25; fixed in 2.0.25

    The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKD

  • CVE-2012-6431 (published Dec 27, 2012)
    affected >= 2.0.0, < 2.0.19; fixed in 2.0.19

    Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.