
CVSS: 9.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

13 Jun 2018 — An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and a valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403. • https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password • CWE-287: Improper Authentication •

CVSS: 6.1 | EPSS: 0% | CPEs: 6 | EXPL: 0

13 Jun 2018 — The security handlers in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652. • https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
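Whatever the container wiring, the property a login success or failure handler has to enforce before redirecting to a user-supplied target (a `_target_path` form field, a stored referer, a query parameter) is that the target stays on the application's own host. The validator below is an added example and not Symfony's own code; the function name, the `app.example.com` host and the candidate URLs are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code: a constructed validator that decides whether a
// redirect target supplied by the client may be used, or whether the handler must
// fall back to a safe location on its own origin.
function resolveRedirectTarget(string $target, string $requestHost, string $fallback = '/'): string
{
    // Control characters or whitespace inside a URL mean either a smuggling attempt
    // ("/\tevil.example") or a header-injection payload; send those to the fallback.
    if (preg_match('/[\x00-\x20\x7f]/', $target)) {
        return $fallback;
    }

    // A path that starts with exactly one slash stays on this origin. "//host" and
    // "/\host" are not paths: browsers resolve them as scheme-relative URLs to another host.
    if (preg_match('#^/(?![/\\\\])#', $target)) {
        return $target;
    }

    $parts = parse_url($target);
    if (false === $parts || !isset($parts['scheme'], $parts['host'])) {
        return $fallback; // bare relative strings, "javascript:", "//evil.example", ...
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback; // "https://app.example.com@evil.example/" style confusion
    }
    if (0 !== strcasecmp($parts['host'], $requestHost)) {
        return $fallback;
    }

    return $target;
}

// Constructed request host and candidate targets for the demonstration.
$requestHost = 'app.example.com';
$candidates = [
    '/account/settings',
    '//evil.example/phish',
    '/\\evil.example/phish',
    'https://app.example.com/orders?id=7',
    'HTTPS://APP.EXAMPLE.COM/orders',
    'https://evil.example/login',
    'https://app.example.com.evil.example/',
    'https://app.example.com@evil.example/',
    'javascript:alert(document.domain)',
    "/settings\r\nSet-Cookie: session=attacker",
];

foreach ($candidates as $candidate) {
    printf(
        "%-50s -> %s\n",
        json_encode($candidate, JSON_UNESCAPED_SLASHES),
        resolveRedirectTarget($candidate, $requestHost)
    );
}
```

Run it with `php` 7.4 or newer. Only the first, fourth and fifth candidates come back unchanged; every other one resolves to `/`. Note that `parse_url()` is used only after the single-slash path test, because it is lenient about malformed input and should never be the sole gate on a redirect.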

CVSS: 9.8 | EPSS: 0% | CPEs: 12 | EXPL: 0

07 Feb 2017 — Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and a valid username, which triggers an unauthenticated bind. Multiple vulnerabilities have been found in the Symfony PHP fram... • http://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password • CWE-287: Improper Authentication •
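The mechanism behind both LDAP entries above (this one and the 2018 follow-up for a "null" password) is the same: an LDAP simple bind that carries a DN but no password is an unauthenticated bind (RFC 4513 section 5.1.2), and a server that accepts it reports success without ever checking the DN's credential. The following is an added example, not Symfony's own code. The `FakeLdapServer` class, its single directory entry and the three `authenticate*` functions are constructed stand-ins that model that server behaviour so the three checking strategies can be compared offline.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code. A constructed stand-in for an LDAP server that
// accepts unauthenticated binds: a simple bind with a non-empty DN and an empty
// password succeeds as an anonymous session, so the DN's real password is never checked.
final class FakeLdapServer
{
    /** @var array<string, string> constructed directory: DN => password */
    private array $directory = [
        'uid=alice,ou=people,dc=example,dc=com' => 'correct horse battery staple',
    ];

    public function __construct(private bool $allowUnauthenticatedBind = true)
    {
    }

    /** Returns true when the server would accept the bind request. */
    public function bind(string $dn, ?string $password): bool
    {
        if (null === $password || '' === $password) {
            return $this->allowUnauthenticatedBind; // credential never consulted
        }

        return isset($this->directory[$dn]) && hash_equals($this->directory[$dn], $password);
    }
}

function dnFor(string $username): string
{
    // Keep the DN well-formed: refuse anything outside a conservative character set.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        throw new InvalidArgumentException('Unacceptable username.');
    }

    return sprintf('uid=%s,ou=people,dc=example,dc=com', $username);
}

// Shape of the original bug: the credential goes to bind() unchecked.
function authenticateVulnerable(FakeLdapServer $ldap, string $username, ?string $password): bool
{
    return $ldap->bind(dnFor($username), $password);
}

// Shape of an incomplete fix: '' is rejected, but a strict comparison lets null
// through, and bind(dn, null) is once again an unauthenticated bind.
function authenticateIncompleteFix(FakeLdapServer $ldap, string $username, ?string $password): bool
{
    if ('' === $password) {
        return false;
    }

    return $ldap->bind(dnFor($username), $password);
}

// Hardened: any absent credential (null or '') is refused before the server is contacted.
function authenticateHardened(FakeLdapServer $ldap, string $username, ?string $password): bool
{
    if (null === $password || '' === $password) {
        return false;
    }

    return $ldap->bind(dnFor($username), $password);
}

$ldap = new FakeLdapServer(allowUnauthenticatedBind: true);
foreach ([null, '', 'wrong', 'correct horse battery staple'] as $password) {
    printf(
        "password=%-30s vulnerable=%-5s incompleteFix=%-5s hardened=%s\n",
        var_export($password, true),
        var_export(authenticateVulnerable($ldap, 'alice', $password), true),
        var_export(authenticateIncompleteFix($ldap, 'alice', $password), true),
        var_export(authenticateHardened($ldap, 'alice', $password), true)
    );
}
```

Run it with `php` 8.0 or newer (constructor promotion and named arguments). The vulnerable version accepts both `null` and `''` for `alice`, the incomplete fix still accepts `null`, and only the hardened version refuses both while still accepting the real password. Close the hole on the server as well: on OpenLDAP an unauthenticated bind with a non-empty DN is only accepted when the `bind_anon_dn` feature is explicitly allowed, and `disallow bind_anon` refuses anonymous binds altogether, so an application-side check and a server-side setting back each other up.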

CVSS: 7.5 | EPSS: 1% | CPEs: 27 | EXPL: 0

30 May 2016 — The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. • http://www.debian.org/security/2016/dsa-3588 • CWE-399: Resource Management Errors •
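The failing attempt writes the submitted username into the session (so the login form can be pre-filled), and an attacker who drops the session cookie after each attempt gets a fresh session file per request, each holding whatever the submitted username was. The example below is added here and is not Symfony's own code: the `ByteCountingSession` class, the `MAX_USERNAME_LENGTH` constant and the attack loop are constructed to make the storage growth visible; the 4096-byte bound is the one Symfony adopted in its fix and is used here as an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code: a constructed in-memory session store that reports
// how many bytes it holds, and two versions of the "remember the last username" step a
// form-login listener performs before it fails an authentication attempt.
final class ByteCountingSession
{
    /** @var array<string, string> */
    private array $data = [];

    public function set(string $key, string $value): void
    {
        $this->data[$key] = $value;
    }

    public function bytes(): int
    {
        return strlen(serialize($this->data));
    }
}

// Upper bound on what any real account name needs. Measured with strlen(), i.e. in
// bytes, because bytes are what the session backend has to store.
const MAX_USERNAME_LENGTH = 4096;

// Vulnerable shape: the submitted username is stored whatever its size.
function rememberLastUsernameVulnerable(ByteCountingSession $session, string $username): void
{
    $session->set('_security.last_username', $username);
}

// Hardened shape: an over-length username cannot belong to any account, so the attempt
// is refused before anything is written to the session.
function rememberLastUsernameHardened(ByteCountingSession $session, string $username): void
{
    if (strlen($username) > MAX_USERNAME_LENGTH) {
        throw new InvalidArgumentException('Invalid username.');
    }
    $session->set('_security.last_username', $username);
}

/**
 * Simulates $attempts failed logins, each with a fresh session (the attacker discards
 * the cookie every time), and returns the total bytes the session store ends up holding.
 */
function simulateAttack(callable $remember, string $username, int $attempts): int
{
    $total = 0;
    for ($i = 0; $i < $attempts; $i++) {
        $session = new ByteCountingSession();
        try {
            $remember($session, $username);
        } catch (InvalidArgumentException $e) {
            // attempt refused; session stays empty
        }
        $total += $session->bytes();
    }

    return $total;
}

// Constructed attack input: a 1 MiB "username" that matches no account.
$hostile = str_repeat('A', 1024 * 1024);
$attempts = 1000;

printf(
    "vulnerable: %d attempts leave %.1f MiB in session storage\n",
    $attempts,
    simulateAttack('rememberLastUsernameVulnerable', $hostile, $attempts) / (1024 * 1024)
);
printf(
    "hardened:   %d attempts leave %.1f MiB in session storage\n",
    $attempts,
    simulateAttack('rememberLastUsernameHardened', $hostile, $attempts) / (1024 * 1024)
);
```

Run it with `php` 7.4 or newer. The vulnerable path accumulates roughly one mebibyte per attempt; the hardened path leaves only the few bytes of an empty serialized array per session. Note that the request body limit (`post_max_size` and the web server's equivalent) bounds a single username, not the number of attempts, which is why the cap has to be enforced by the listener itself.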