CVSS: 7.5EPSS: 0%CPEs: 27EXPL: 0CVE-2016-4423 – Debian Security Advisory 3588-1
https://notcve.org/view.php?id=CVE-2016-4423
30 May 2016 — The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. La función attemptAuthentication en Component/Security/Http/Firewall/UsernamePa... • http://www.debian.org/security/2016/dsa-3588 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 0%CPEs: 24EXPL: 0CVE-2016-1902 – Debian Security Advisory 3588-1
https://notcve.org/view.php?id=CVE-2016-1902
30 May 2016 — The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. La función nextBytes en la clase SecureRandom en Symfony en versiones anteriores a 2.3.37, 2.6.x en versiones anteriores a 2.... • http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails • CWE-310: Cryptographic Issues •
CVSS: 6.8EPSS: 1%CPEs: 54EXPL: 0CVE-2015-8124 – Debian Security Advisory 3402-1
https://notcve.org/view.php?id=CVE-2015-8124
24 Nov 2015 — Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id. Vulnerabilidad de fijación de sesión en la funcionalidad de inicio de sesión 'Remember Me' en Symfony 2.3.x en versiones anteriores a 2.3.35, 2.6.x en versiones anteriores a 2.6.12 y 2.7.x en versiones anteriores a 2.7.7 permite a atacantes remotos secuestrar sesiones web a través de un id de sesión. Sev... • http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html •
CVSS: 7.5EPSS: 1%CPEs: 54EXPL: 0CVE-2015-8125 – Debian Security Advisory 3402-1
https://notcve.org/view.php?id=CVE-2015-8125
24 Nov 2015 — Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form compo... • http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html •
CVSS: 4.3EPSS: 0%CPEs: 27EXPL: 0CVE-2015-4050 – Debian Security Advisory 3276-1
https://notcve.org/view.php?id=CVE-2015-4050
01 Jun 2015 — FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment. FragmentListener en el componente HttpKernel en Symfony 2.3.19 hasta 2.3.28, 2.4.9 hasta 2.4.10, 2.5.4 hasta 2.5.11, y 2.6.0 hasta 2... • http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html • CWE-284: Improper Access Control •