CVSS: 9.8EPSS: 2%CPEs: 4EXPL: 0CVE-2019-18889 – Debian Security Advisory 4573-1
https://notcve.org/view.php?id=CVE-2019-18889
19 Nov 2019 — An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. Se detectó un problema en Symfony versiones 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. La serialización de ciertas interfaces del adaptador de caché podría resultar en la inyección de código remota. • https://github.com/symfony/symfony/releases/tag/v4.3.8 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 0CVE-2013-4751
https://notcve.org/view.php?id=CVE-2013-4751
01 Nov 2019 — php-symfony2-Validator has loss of information during serialization php-symfony2-Validator, presenta una perdida de información durante la serialización • http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114380.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-11365
https://notcve.org/view.php?id=CVE-2017-11365
23 May 2019 — Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator. Ciertos productos de Symfony se ven afectados por: Control de Acceso Incorrecto. • https://github.com/symfony/symfony/commit/878198cefae028386c6dc800ccbf18f2b9cbff3f • CWE-284: Improper Access Control •
CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10909 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10909
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. En Symfony anterior de la versión 2.7.51, versión 2.8.x anterior de 2.8.50, versión 3.x anterior de 3.4.26, versión 4.x anterior de 4.1.12 y versión 4.2.x anterior de 4.2.7, los mensajes de validación no son evadidos, lo que puede llevar a una vulnerabilidad de XSS cuan... • https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 18%CPEs: 7EXPL: 1CVE-2019-10910 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10910
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. En Symfony antes de 2.7.51, 2.8.x antes de 2.8.50, 3.x antes de 3.4.26, 4.x antes de 4.1.12 y 4.2.x antes de 4.2.7, cuando los identificadores de servicio permiten la entrada del usuario, esto podría permitir una inyección SQL y ejecución remota de código. ... • https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10911 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10911
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security. En Symfony la versión anterior a 2.7.51, versión 2.8.x anterior a 2.8.50, versión 3.x anterior a 3.4.26, versión 4.x anterior a 4.1.12 y versión 4.2.x anterior a 4.2.7, una vulnerabilidad permitiría que un atacan... • https://github.com/symfony/symfony/commit/a29ce2817cf43bb1850cf6af114004ac26c7a081 • CWE-287: Improper Authentication •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-10912 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10912
10 May 2019 — In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge. En Symfony versión anterior a 2.8.50, versión 3.x anterior a 3.4.26, versión 4.x anterior a 4.1.12 y versión 4.2.x anterior a 4.2.7, es posible guardar en caché objetos que pueden c... • https://github.com/symfony/symfony/commit/4fb975281634b8d49ebf013af9e502e67c28816b • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2019-10913 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10913
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation. En Symfony la versión anterior a 2.7.51, versión 2.8.x anterior a 2.8.50, versión 3.x anterior a 3.4.26, versión 4.x anterior a 4.1.12 y versión 4.2.x anterior a 4.2.7, los métodos HTTP se proporcion... • https://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2018-19789 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2018-19789
18 Dec 2018 — An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combi... • http://www.securityfocus.com/bid/106249 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2018-19790 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2018-19790
18 Dec 2018 — An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. Se ha descubierto una redirección abierta en Symfony en versiones 2.7.x anteriores a la 2.7.50, versiones 2.8.x anteriores a la 2.8.49, versiones 3... • http://www.securityfocus.com/bid/106249 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •