CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2021-21424 – Prevent user enumeration using Guard or the new Authenticator-based Security
https://notcve.org/view.php?id=CVE-2021-21424
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4. Symfony es un framework PHP para aplicaciones web y de consola y un conjunto de componentes PHP reutilizables. • https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011 https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68 https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M https://lists.fedoraproject.org/archives/list/package-announce%40lists.fe • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •
CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2019-18887
https://notcve.org/view.php?id=CVE-2019-18887
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel. Se detectó un problema en Symfony versiones 2.8.0 hasta 2.8.50, 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. El UriSigner estaba sujeto a ataques de sincronización. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner https://symfony.com/blog/ • CWE-203: Observable Discrepancy •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2019-18888
https://notcve.org/view.php?id=CVE-2019-18888
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). Se detectó un problema en Symfony versiones 2.8.0 hasta 2.8.50, 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. Si una aplicación pasa una entrada de usuario no validada como el archivo para el que debe llevarse a cabo la validación de tipo MIME, entonces argumentos arbitrarios son pasados al comando de archivo subyacente. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser https://symfony.com/blog • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2019-18889
https://notcve.org/view.php?id=CVE-2019-18889
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. Se detectó un problema en Symfony versiones 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. La serialización de ciertas interfaces del adaptador de caché podría resultar en la inyección de código remota. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances https://symfony.com/blog/symfony-4-3-8-released • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10909
https://notcve.org/view.php?id=CVE-2019-10909
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. En Symfony anterior de la versión 2.7.51, versión 2.8.x anterior de 2.8.50, versión 3.x anterior de 3.4.26, versión 4.x anterior de 4.1.12 y versión 4.2.x anterior de 4.2.7, los mensajes de validación no son evadidos, lo que puede llevar a una vulnerabilidad de XSS cuando una entrada del usuario sea incluida. Esto está relacionado con symfony/framework-bundle • https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2 https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine https://www.drupal.org/sa-core-2019-005 https://www.synology.com/security/advisory/Synology_SA_19_19 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •