CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2013-4752
https://notcve.org/view.php?id=CVE-2013-4752
Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks. Symfony versiones 2.0.X anteriores a 2.0.24, versiones 2.1.X anteriores a 2.1.12, versiones 2.2.X anteriores a 2.2.5 y versiones 2.3.X anteriores a 2.3.3, tienen un problema en el componente HttpFoundation. El atacante puede manipular el encabezado del host cuando el framework está generando una URL absoluta. • http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114461.html http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released http://www.securityfocus.com/bid/61715 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4752 https://exchange.xforce.ibmcloud.com/vulnerabilities/86365 https://exchange.xforce.ibmcloud.com/vulnerabilities/86366 https://exchange.xforce.ibm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2019-11325
https://notcve.org/view.php?id=CVE-2019-11325
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. Se detectó un problema en Symfony versiones anteriores a 4.2.12 y versiones 4.3.x anteriores a 4.3.8. El componente VarExport escapa incorrectamente las cadenas, lo que permite a algunas especialmente diseñadas escalar a la ejecución de código PHP arbitrario. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3 https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter https://symfony.com/blog/symfony-4-3-8-released • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-18886
https://notcve.org/view.php?id=CVE-2019-18886
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security. Se detectó un problema en Symfony versiones 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. La capacidad para enumerar usuarios fue posible debido a un manejo diferente dependiendo de si el usuario existía cuando se realizaron intentos no autorizados de utilizar la funcionalidad switch users. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality https://symfony.com/blog/symfony-4-3-8-released • CWE-203: Observable Discrepancy •
CVSS: 8.1EPSS: 1%CPEs: 6EXPL: 0CVE-2019-18887
https://notcve.org/view.php?id=CVE-2019-18887
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel. Se detectó un problema en Symfony versiones 2.8.0 hasta 2.8.50, 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. El UriSigner estaba sujeto a ataques de sincronización. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner https://symfony.com/blog/ • CWE-203: Observable Discrepancy •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2019-18888
https://notcve.org/view.php?id=CVE-2019-18888
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). Se detectó un problema en Symfony versiones 2.8.0 hasta 2.8.50, 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. Si una aplicación pasa una entrada de usuario no validada como el archivo para el que debe llevarse a cabo la validación de tipo MIME, entonces argumentos arbitrarios son pasados al comando de archivo subyacente. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser https://symfony.com/blog • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •