VYPR

Packagist (Composer) package

symfony/security-http

pkg:composer/symfony/security-http

Vulnerabilities (15)

  • CVE-2024-36611 · High · Nov 29, 2024
    affected: < 7.1.0 · fixed: 7.1.0

    In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authe

  • CVE-2024-51996 · High · Nov 13, 2024
    affected: >= 5.3.0, < 5.4.47 · fixed: 5.4.47

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authenti

  • CVE-2023-46733 · Nov 10, 2023
    affected: >= 5.4.21, < 5.4.31 · fixed: 5.4.31

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in

  • CVE-2021-32693 · Jun 17, 2021
    affected: >= 5.3.0, < 5.3.2 · fixed: 5.3.2

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticat

  • CVE-2021-21424 · May 13, 2021
    affected: >= 5.1.0, < 5.2.8 · fixed: 5.2.8

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch user

  • CVE-2020-5275 · Mar 30, 2020
    affected: >= 4.4.0, < 4.4.7 · fixed: 4.4.7

    In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that sh

  • CVE-2019-18886 · Nov 21, 2019
    affected: >= 4.1.0, < 4.2.12 · fixed: 4.2.12

    An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/s

  • CVE-2019-10911 · May 16, 2019
    affected: >= 2.7.0, < 2.7.51 · fixed: 2.7.51

    In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related t

  • CVE-2018-19790 · Dec 18, 2018
    affected: >= 2.7.38, < 2.7.50 · fixed: 2.7.50

    An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirect

  • CVE-2018-11406 · Jun 13, 2018
    affected: >= 2.7.0, < 2.7.48 · fixed: 2.7.48

    An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through

  • CVE-2018-11385 · Jun 13, 2018
    affected: >= 2.7.0, < 2.7.48 · fixed: 2.7.48

    An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victi

  • CVE-2017-16652 · Jun 13, 2018
    affected: >= 2.7.0, < 2.7.38 · fixed: 2.7.38

    An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response,

  • CVE-2016-4423 · High · Jun 1, 2016
    affected: >= 2.3.0, < 2.3.41 · fixed: 2.3.41

    The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allow

  • CVE-2015-8125 · Dec 7, 2015
    affected: >= 2.4.0, < 2.6.12 · fixed: 2.6.12

    Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Securi

  • CVE-2015-8124 · Dec 7, 2015
    affected: >= 2.4.0, < 2.6.12 · fixed: 2.6.12

    Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.
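To turn the affected/fixed ranges in this listing into a check against a project's composer.lock, here is an added example in Python; it is not code from Symfony, Composer or the maintainers of this page. The ranges are transcribed from the entries above exactly as shown there, which means only the lowest affected branch per CVE, so a 6.x or 7.x install that the full advisory also covers would not be flagged by this script; the composer.lock content is constructed for the example. For a real audit use `composer audit`, which consults the full advisory database.

```python
"""Check a composer.lock for symfony/security-http versions that fall inside
the affected ranges listed on this page.

Added example, not Symfony or Composer code. AFFECTED_RANGES is transcribed
from the listing above (lowest affected branch only, as the listing shows it);
SAMPLE_LOCK is a constructed composer.lock fragment.
"""
import json
import re

# CVE id -> (minimum affected version inclusive or None, first fixed version)
AFFECTED_RANGES = {
    "CVE-2024-36611": (None, "7.1.0"),
    "CVE-2024-51996": ("5.3.0", "5.4.47"),
    "CVE-2023-46733": ("5.4.21", "5.4.31"),
    "CVE-2021-32693": ("5.3.0", "5.3.2"),
    "CVE-2021-21424": ("5.1.0", "5.2.8"),
    "CVE-2020-5275": ("4.4.0", "4.4.7"),
    "CVE-2019-18886": ("4.1.0", "4.2.12"),
    "CVE-2019-10911": ("2.7.0", "2.7.51"),
    "CVE-2018-19790": ("2.7.38", "2.7.50"),
    "CVE-2018-11406": ("2.7.0", "2.7.48"),
    "CVE-2018-11385": ("2.7.0", "2.7.48"),
    "CVE-2017-16652": ("2.7.0", "2.7.38"),
    "CVE-2016-4423": ("2.3.0", "2.3.41"),
    "CVE-2015-8125": ("2.4.0", "2.6.12"),
    "CVE-2015-8124": ("2.4.0", "2.6.12"),
}

# Constructed composer.lock fragment (only the fields the check needs).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/security-http", "version": "v5.4.46"},
        {"name": "symfony/http-foundation", "version": "v5.4.46"},
    ],
    "packages-dev": [],
})

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text):
    """Turn a Composer version string such as 'v5.4.46' into a comparable tuple.

    A pre-release suffix (e.g. '5.4.0-RC1') sorts before the final release of
    the same number; any other suffix is ignored for the comparison.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    is_final = 0 if suffix.startswith("-") else 1
    return (int(major), int(minor), int(patch), is_final)


def in_range(version, lo, hi):
    """True when lo <= version < hi (lo may be None for 'no lower bound')."""
    v = parse_version(version)
    if lo is not None and v < parse_version(lo):
        return False
    return v < parse_version(hi)


def matching_cves(version):
    """CVE ids from the listing whose transcribed range contains version."""
    return sorted(cve for cve, (lo, hi) in AFFECTED_RANGES.items()
                  if in_range(version, lo, hi))


def audit_lock(lock_json, package="symfony/security-http"):
    """Map 'name version' to the matching CVE ids for every locked copy of package."""
    lock = json.loads(lock_json)
    findings = {}
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") != package:
                continue
            key = f"{entry['name']} {entry['version']}"
            findings[key] = matching_cves(entry["version"])
    return findings


if __name__ == "__main__":
    for pkg, cves in audit_lock(SAMPLE_LOCK).items():
        print(f"{pkg}: {', '.join(cves) if cves else 'no listed range matches'}")
```

Run it against a real lock file by replacing SAMPLE_LOCK with `open("composer.lock").read()`; a version string the regex does not understand (for example a `dev-` branch alias) raises rather than silently passing, which is the safer failure for an audit script.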
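The two open-redirect entries above (CVE-2018-19790, backslashes in `_failure_path`; CVE-2017-16652, the `_target_path` parameter) share a failure mode: a redirect-target check that inspects the raw string can accept `/\evil.example`, which browsers normalise to `//evil.example` and follow off-site. The Python below is an added example of that class of bug and its fix, not Symfony's code or Symfony's patch: `naive_is_local` is a hypothetical check of the vulnerable kind, `browser_normalize` applies the WHATWG URL rules that matter here (backslash treated as slash for http(s), tab and newline removed, leading control characters and spaces stripped), and `safe_local_redirect` only accepts an absolute same-origin path after that normalisation. The candidate inputs are constructed.

```python
"""Open-redirect check: why validating the raw redirect target is not enough.

Added example, not Symfony code. naive_is_local is a hypothetical validator
of the kind the page's open-redirect entries describe; the inputs in main
are constructed.
"""
from urllib.parse import urlsplit

# Per the WHATWG URL spec, browsers strip C0 controls and space from the ends
# of a URL and remove tab, CR and LF anywhere in it before parsing.
_LEADING_STRIP = "".join(chr(c) for c in range(0x21))
_REMOVED_ANYWHERE = ("\t", "\r", "\n")


def naive_is_local(target: str) -> bool:
    """Hypothetical vulnerable check: inspects the raw string only.

    Rejects absolute URLs and an explicit '//host' prefix, but never sees the
    backslash form, so '/\\evil.example' is accepted as a local path.
    """
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc and not target.startswith("//")


def browser_normalize(target: str) -> str:
    """Approximate what a browser does to a Location value before parsing it."""
    cleaned = target.lstrip(_LEADING_STRIP)
    for ch in _REMOVED_ANYWHERE:
        cleaned = cleaned.replace(ch, "")
    # For special schemes such as http(s) the spec treats '\\' exactly like '/'.
    return cleaned.replace("\\", "/")


def safe_local_redirect(target, default: str = "/") -> str:
    """Return target if it is a same-origin absolute path, otherwise default.

    The decision is made on the browser-normalised form, so '/\\evil.example',
    '/\\t/evil.example' and '///evil.example' are all rejected: after
    normalisation each starts with '//' and would be read as a host.
    """
    if not isinstance(target, str):
        return default
    cleaned = browser_normalize(target)
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return default
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return default
    return cleaned


if __name__ == "__main__":
    # Constructed values an attacker might place in _target_path / _failure_path.
    for candidate in ["/account", "/\\evil.example", "/\t/evil.example",
                      "///evil.example", "https://evil.example/"]:
        print(f"{candidate!r:26} naive_is_local={naive_is_local(candidate)!s:5} "
              f"browser sees {browser_normalize(candidate)!r:22} "
              f"-> redirect to {safe_local_redirect(candidate)!r}")
```

The generalisation over the page's backslash case (the tab and triple-slash inputs) follows from the same spec rules: anything that becomes `//` after browser normalisation is an authority, not a path, so the hardened check normalises first and then requires exactly one leading slash.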