Total
57 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-23601 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue. | |||||
CVE-2021-41270 | 2 Fedoraproject, Sensiolabs | 2 Fedora, Symfony | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas and add the prefix to cells starting by `\t`, `\r` as well as `=`, `+`, `-` and `@`. | |||||
CVE-2021-41268 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.5 MEDIUM | 6.5 MEDIUM |
Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore. | |||||
CVE-2021-41267 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted. | |||||
CVE-2021-32693 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the firewalls was available for all other firewalls. This could be abused when the application defines different providers for each part of the application, in such a situation, a user authenticated on a part of the application could be considered authenticated on the rest of the application. Starting in version 5.3.2, a patch ensures that the authenticated token is only available for the firewall that generates it. | |||||
CVE-2021-21424 | 2 Fedoraproject, Sensiolabs | 2 Fedora, Symfony | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4. | |||||
CVE-2020-5275 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 5.5 MEDIUM | 7.6 HIGH |
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7. | |||||
CVE-2020-5274 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 5.5 MEDIUM | 4.6 MEDIUM |
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5 | |||||
CVE-2020-5255 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 4.0 MEDIUM | 2.6 LOW |
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7. | |||||
CVE-2020-15094 | 2 Fedoraproject, Sensiolabs | 3 Fedora, Httpclient, Symfony | 2024-11-21 | 7.5 HIGH | 8.0 HIGH |
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5. | |||||
CVE-2019-18889 | 2 Fedoraproject, Sensiolabs | 2 Fedora, Symfony | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. | |||||
CVE-2019-18888 | 2 Fedoraproject, Sensiolabs | 2 Fedora, Symfony | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). | |||||
CVE-2019-18887 | 2 Fedoraproject, Sensiolabs | 2 Fedora, Symfony | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel. | |||||
CVE-2019-18886 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security. | |||||
CVE-2019-11325 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. | |||||
CVE-2019-10913 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation. | |||||
CVE-2019-10912 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.5 MEDIUM | 7.1 HIGH |
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge. | |||||
CVE-2019-10911 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security. | |||||
CVE-2019-10910 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. | |||||
CVE-2019-10909 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. |