CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 0CVE-2013-4751
https://notcve.org/view.php?id=CVE-2013-4751
01 Nov 2019 — php-symfony2-Validator has loss of information during serialization php-symfony2-Validator, presenta una perdida de información durante la serialización • http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114380.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-11365
https://notcve.org/view.php?id=CVE-2017-11365
23 May 2019 — Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator. Ciertos productos de Symfony se ven afectados por: Control de Acceso Incorrecto. • https://github.com/symfony/symfony/commit/878198cefae028386c6dc800ccbf18f2b9cbff3f • CWE-284: Improper Access Control •
CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10909 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10909
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. En Symfony anterior de la versión 2.7.51, versión 2.8.x anterior de 2.8.50, versión 3.x anterior de 3.4.26, versión 4.x anterior de 4.1.12 y versión 4.2.x anterior de 4.2.7, los mensajes de validación no son evadidos, lo que puede llevar a una vulnerabilidad de XSS cuan... • https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 18%CPEs: 7EXPL: 1CVE-2019-10910 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10910
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. En Symfony antes de 2.7.51, 2.8.x antes de 2.8.50, 3.x antes de 3.4.26, 4.x antes de 4.1.12 y 4.2.x antes de 4.2.7, cuando los identificadores de servicio permiten la entrada del usuario, esto podría permitir una inyección SQL y ejecución remota de código. ... • https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10911 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10911
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security. En Symfony la versión anterior a 2.7.51, versión 2.8.x anterior a 2.8.50, versión 3.x anterior a 3.4.26, versión 4.x anterior a 4.1.12 y versión 4.2.x anterior a 4.2.7, una vulnerabilidad permitiría que un atacan... • https://github.com/symfony/symfony/commit/a29ce2817cf43bb1850cf6af114004ac26c7a081 • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2019-10913 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10913
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation. En Symfony la versión anterior a 2.7.51, versión 2.8.x anterior a 2.8.50, versión 3.x anterior a 3.4.26, versión 4.x anterior a 4.1.12 y versión 4.2.x anterior a 4.2.7, los métodos HTTP se proporcion... • https://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2018-19789 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2018-19789
18 Dec 2018 — An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combi... • http://www.securityfocus.com/bid/106249 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2018-19790 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2018-19790
18 Dec 2018 — An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. Se ha descubierto una redirección abierta en Symfony en versiones 2.7.x anteriores a la 2.7.50, versiones 2.8.x anteriores a la 2.8.49, versiones 3... • http://www.securityfocus.com/bid/106249 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2017-16653 – Debian Security Advisory 4262-1
https://notcve.org/view.php?id=CVE-2017-16653
06 Aug 2018 — An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks. Se ha descubierto un problema en Symfony en versiones anteriores a la 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5 y 4.0-BETA5. La implementación actual de la protección CSRF en ... • https://github.com/symfony/symfony/pull/24992 •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2017-16654 – Debian Security Advisory 4262-1
https://notcve.org/view.php?id=CVE-2017-16654
06 Aug 2018 — An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slas... • https://github.com/symfony/symfony/pull/24994 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •