CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10909 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10909
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. En Symfony anterior de la versión 2.7.51, versión 2.8.x anterior de 2.8.50, versión 3.x anterior de 3.4.26, versión 4.x anterior de 4.1.12 y versión 4.2.x anterior de 4.2.7, los mensajes de validación no son evadidos, lo que puede llevar a una vulnerabilidad de XSS cuan... • https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2019-10913 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10913
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation. En Symfony la versión anterior a 2.7.51, versión 2.8.x anterior a 2.8.50, versión 3.x anterior a 3.4.26, versión 4.x anterior a 4.1.12 y versión 4.2.x anterior a 4.2.7, los métodos HTTP se proporcion... • https://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10911 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10911
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security. En Symfony la versión anterior a 2.7.51, versión 2.8.x anterior a 2.8.50, versión 3.x anterior a 3.4.26, versión 4.x anterior a 4.1.12 y versión 4.2.x anterior a 4.2.7, una vulnerabilidad permitiría que un atacan... • https://github.com/symfony/symfony/commit/a29ce2817cf43bb1850cf6af114004ac26c7a081 • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 2%CPEs: 7EXPL: 1CVE-2019-10910 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10910
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. En Symfony antes de 2.7.51, 2.8.x antes de 2.8.50, 3.x antes de 3.4.26, 4.x antes de 4.1.12 y 4.2.x antes de 4.2.7, cuando los identificadores de servicio permiten la entrada del usuario, esto podría permitir una inyección SQL y ejecución remota de código. ... • https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2018-19790 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2018-19790
18 Dec 2018 — An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. Se ha descubierto una redirección abierta en Symfony en versiones 2.7.x anteriores a la 2.7.50, versiones 2.8.x anteriores a la 2.8.49, versiones 3... • http://www.securityfocus.com/bid/106249 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2018-19789 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2018-19789
18 Dec 2018 — An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combi... • http://www.securityfocus.com/bid/106249 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2017-16654 – Debian Security Advisory 4262-1
https://notcve.org/view.php?id=CVE-2017-16654
06 Aug 2018 — An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slas... • https://github.com/symfony/symfony/pull/24994 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2017-16790 – Debian Security Advisory 4262-1
https://notcve.org/view.php?id=CVE-2017-16790
06 Aug 2018 — An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST data and uploaded files data into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a "FileType" is sent as normal POST data that could be... • https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2017-16653 – Debian Security Advisory 4262-1
https://notcve.org/view.php?id=CVE-2017-16653
06 Aug 2018 — An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks. Se ha descubierto un problema en Symfony en versiones anteriores a la 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5 y 4.0-BETA5. La implementación actual de la protección CSRF en ... • https://github.com/symfony/symfony/pull/24992 •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2018-14774
https://notcve.org/view.php?id=CVE-2018-14774
03 Aug 2018 — An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection. Se ha descubierto un problema en HttpKernel en Symfony, desde la versión 2.7.0 hasta la 2.7.48, desde la versión 2.8.0 hasta la 2.8.43, desde la versión 3.3.... • https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a • CWE-20: Improper Input Validation •