CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2013-4752
https://notcve.org/view.php?id=CVE-2013-4752
02 Jan 2020 — Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks. Symfony versiones 2.0.X anteriores a 2.0.24, versiones 2.1.X anteriores a 2.1.12, versiones 2.2.X anteriores a 2.2.5 y versiones 2.3.X... • http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 8%CPEs: 2EXPL: 0CVE-2019-11325
https://notcve.org/view.php?id=CVE-2019-11325
21 Nov 2019 — An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. Se detectó un problema en Symfony versiones anteriores a 4.2.12 y versiones 4.3.x anteriores a 4.3.8. El componente VarExport escapa incorrectamente las cadenas, lo que permite a algunas especialmente diseñadas escalar a la ejecución de código PHP arbitrario. • https://github.com/symfony/symfony/releases/tag/v4.3.8 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 5.3EPSS: 1%CPEs: 2EXPL: 0CVE-2019-18886
https://notcve.org/view.php?id=CVE-2019-18886
21 Nov 2019 — An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security. Se detectó un problema en Symfony versiones 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. La capacidad para enumerar usuarios fue posible debido a un manejo diferente dependiendo de si el usuario existía cuando se realizaron inte... • https://github.com/symfony/symfony/releases/tag/v4.3.8 • CWE-203: Observable Discrepancy •
CVSS: 8.1EPSS: 1%CPEs: 6EXPL: 0CVE-2019-18887 – Debian Security Advisory 4573-1
https://notcve.org/view.php?id=CVE-2019-18887
19 Nov 2019 — An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel. Se detectó un problema en Symfony versiones 2.8.0 hasta 2.8.50, 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. El UriSigner estaba sujeto a ataques de sincronización. • https://github.com/symfony/symfony/releases/tag/v4.3.8 • CWE-203: Observable Discrepancy •
CVSS: 7.5EPSS: 2%CPEs: 6EXPL: 0CVE-2019-18888 – Debian Security Advisory 4573-1
https://notcve.org/view.php?id=CVE-2019-18888
19 Nov 2019 — An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). Se detectó un problema en Symfony versiones 2.8.0 hasta 2.8.50, 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. Si una aplicación... • https://github.com/symfony/symfony/releases/tag/v4.3.8 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.8EPSS: 2%CPEs: 4EXPL: 0CVE-2019-18889 – Debian Security Advisory 4573-1
https://notcve.org/view.php?id=CVE-2019-18889
19 Nov 2019 — An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. Se detectó un problema en Symfony versiones 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. La serialización de ciertas interfaces del adaptador de caché podría resultar en la inyección de código remota. • https://github.com/symfony/symfony/releases/tag/v4.3.8 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 0CVE-2013-4751
https://notcve.org/view.php?id=CVE-2013-4751
01 Nov 2019 — php-symfony2-Validator has loss of information during serialization php-symfony2-Validator, presenta una perdida de información durante la serialización • http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114380.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-11365
https://notcve.org/view.php?id=CVE-2017-11365
23 May 2019 — Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator. Ciertos productos de Symfony se ven afectados por: Control de Acceso Incorrecto. • https://github.com/symfony/symfony/commit/878198cefae028386c6dc800ccbf18f2b9cbff3f • CWE-284: Improper Access Control •
CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10909 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10909
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. En Symfony anterior de la versión 2.7.51, versión 2.8.x anterior de 2.8.50, versión 3.x anterior de 3.4.26, versión 4.x anterior de 4.1.12 y versión 4.2.x anterior de 4.2.7, los mensajes de validación no son evadidos, lo que puede llevar a una vulnerabilidad de XSS cuan... • https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 18%CPEs: 7EXPL: 1CVE-2019-10910 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10910
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. En Symfony antes de 2.7.51, 2.8.x antes de 2.8.50, 3.x antes de 3.4.26, 4.x antes de 4.1.12 y 4.2.x antes de 4.2.7, cuando los identificadores de servicio permiten la entrada del usuario, esto podría permitir una inyección SQL y ejecución remota de código. ... • https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •