VYPR

Symfony

by Sensiolabs

Source repositories

CVEs (43)

  • CVE-2022-24894Feb 3, 2023
    risk 0.00cvss epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the…

  • CVE-2022-24895Feb 3, 2023
    risk 0.00cvss epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login,…

  • CVE-2022-23601Feb 1, 2022
    risk 0.00cvss epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the…

  • CVE-2021-41270Nov 24, 2021
    risk 0.00cvss epss 0.01

    Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection,…

  • CVE-2021-41267Nov 24, 2021
    risk 0.00cvss epss 0.01

    Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In…

  • CVE-2021-41268Nov 24, 2021
    risk 0.00cvss epss 0.01

    Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password.…

  • CVE-2021-32693Jun 17, 2021
    risk 0.00cvss epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token…

  • CVE-2021-21424May 13, 2021
    risk 0.00cvss epss 0.02

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch…

  • CVE-2020-15094Sep 2, 2020
    risk 0.00cvss epss 0.03

    In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The…

  • CVE-2020-5275Mar 30, 2020
    risk 0.00cvss epss 0.01

    In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that…

  • CVE-2020-5274Mar 30, 2020
    risk 0.00cvss epss 0.01

    In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the…

  • CVE-2020-5255Mar 30, 2020
    risk 0.00cvss epss 0.01

    In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and…

  • CVE-2017-18343MedJul 20, 2018
    risk 0.00cvss 6.1epss 0.06

    The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that…

  • CVE-2015-8125Dec 7, 2015
    risk 0.00cvss epss 0.03

    Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2)…

  • CVE-2015-8124Dec 7, 2015
    risk 0.00cvss epss 0.03

    Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.

  • CVE-2015-2308Jun 24, 2015
    risk 0.00cvss epss 0.01

    Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.

  • CVE-2013-5958Dec 27, 2014
    risk 0.00cvss epss 0.02

    The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a…

  • CVE-2013-1397Jun 2, 2014
    risk 0.00cvss epss 0.02

    Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml\Parser::parse function, a different vulnerability than CVE-2013-1348.

  • CVE-2013-1348Jun 2, 2014
    risk 0.00cvss epss 0.02

    The Yaml::parse function in Symfony 2.0.x before 2.0.22 remote attackers to execute arbitrary PHP code via a PHP file, a different vulnerability than CVE-2013-1397.

  • CVE-2012-6432Dec 27, 2012
    risk 0.00cvss epss 0.01

    Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a /_internal substring.