CVSS: 6.1 • EPSS: 0% • CPEs: 4 • EXPL: 2

20 Jul 2018 — The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar. ** DISPUTED ** • https://github.com/barryvdh/laravel-debugbar/issues/850 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 5 • EXPL: 0

13 Jun 2018 — An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This open redirect vulnerability can be exploited, for example, to mount effective phishing attacks. • https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 8.1 • EPSS: 1% • CPEs: 8 • EXPL: 0

13 Jun 2018 — An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. • https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html • CWE-384: Session Fixation

CVSS: 5.9 • EPSS: 1% • CPEs: 6 • EXPL: 0

13 Jun 2018 — An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too many resources. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV • CWE-613: Insufficient Session Expiration

CVSS: 8.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

13 Jun 2018 — An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout, which allowed for CSRF token fixation. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

13 Jun 2018 — An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403. • https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password • CWE-287: Improper Authentication

CVSS: 6.1 • EPSS: 0% • CPEs: 6 • EXPL: 0

13 Jun 2018 — The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652. • https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 3

09 Jun 2018 — Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues)." ** DISPUTED ** • https://packetstorm.news/files/id/148125 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 12 • EXPL: 0

07 Feb 2017 — Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. Multiple vulnerabilities have been found in the Symfony PHP fram... • http://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password • CWE-287: Improper Authentication

CVSS: 7.5 • EPSS: 0% • CPEs: 24 • EXPL: 0

30 May 2016 — The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. • http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails • CWE-310: Cryptographic Issues