CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 2CVE-2017-18343
https://notcve.org/view.php?id=CVE-2017-18343
20 Jul 2018 — The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar ** EN DISPUTA ** El manipulador de depuración en Symfony, en versiones anteriores ... • https://github.com/barryvdh/laravel-debugbar/issues/850 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 0CVE-2018-11385 – Debian Security Advisory 4262-1
https://notcve.org/view.php?id=CVE-2018-11385
13 Jun 2018 — An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. Se ha descubierto un problema en el componente Security en Symfony en versiones 2.7.x anteriores a la 2.7.48, versiones 2.8.x anteriores a l... • https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html • CWE-384: Session Fixation •
CVSS: 5.9EPSS: 0%CPEs: 6EXPL: 0CVE-2018-11386 – Debian Security Advisory 4262-1
https://notcve.org/view.php?id=CVE-2018-11386
13 Jun 2018 — An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. Se ha descubierto un problema en el componente HttpFoundation en Symfony en versiones 2.7.x anteriores a la 2... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV • CWE-613: Insufficient Session Expiration •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2017-16652
https://notcve.org/view.php?id=CVE-2017-16652
13 Jun 2018 — An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks. Se ha descubierto un problema en Symfon... • https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2018-11406 – Debian Security Advisory 4262-1
https://notcve.org/view.php?id=CVE-2018-11406
13 Jun 2018 — An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. Se ha descubierto un problema en el componente Security en Symfony en versiones 2.7.x anteriores a la 2.7... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2018-11408
https://notcve.org/view.php?id=CVE-2018-11408
13 Jun 2018 — The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652. Los gestores de seguridad en el componente Security en Symfony en versiones 2.7.x anteriores a la 2.7.48, versiones 2.8.x anteriores a la 2.8.41, versiones 3.3.x anteriores a la 3.3... • https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.5EPSS: 0%CPEs: 27EXPL: 0CVE-2016-4423 – Debian Security Advisory 3588-1
https://notcve.org/view.php?id=CVE-2016-4423
30 May 2016 — The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. La función attemptAuthentication en Component/Security/Http/Firewall/UsernamePa... • http://www.debian.org/security/2016/dsa-3588 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 0%CPEs: 24EXPL: 0CVE-2016-1902 – Debian Security Advisory 3588-1
https://notcve.org/view.php?id=CVE-2016-1902
30 May 2016 — The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. La función nextBytes en la clase SecureRandom en Symfony en versiones anteriores a 2.3.37, 2.6.x en versiones anteriores a 2.... • http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails • CWE-310: Cryptographic Issues •
CVSS: 6.8EPSS: 1%CPEs: 54EXPL: 0CVE-2015-8124 – Debian Security Advisory 3402-1
https://notcve.org/view.php?id=CVE-2015-8124
24 Nov 2015 — Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id. Vulnerabilidad de fijación de sesión en la funcionalidad de inicio de sesión 'Remember Me' en Symfony 2.3.x en versiones anteriores a 2.3.35, 2.6.x en versiones anteriores a 2.6.12 y 2.7.x en versiones anteriores a 2.7.7 permite a atacantes remotos secuestrar sesiones web a través de un id de sesión. Sev... • http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html •
CVSS: 7.5EPSS: 1%CPEs: 54EXPL: 0CVE-2015-8125 – Debian Security Advisory 3402-1
https://notcve.org/view.php?id=CVE-2015-8125
24 Nov 2015 — Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form compo... • http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html •