
CVSS: 7.5 | EPSS: 1% | CPEs: 27 | EXPL: 0

30 May 2016 — The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. • http://www.debian.org/security/2016/dsa-3588 • CWE-399: Resource Management Errors •

CVSS: 6.8 | EPSS: 0% | CPEs: 54 | EXPL: 0

24 Nov 2015 — Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id. • http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html •

CVSS: 7.5 | EPSS: 0% | CPEs: 54 | EXPL: 0

24 Nov 2015 — Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form compo... • http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html •

CVSS: 6.8 | EPSS: 0% | CPEs: 75 | EXPL: 0

24 Jun 2015 — Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element. • http://jvn.jp/en/jp/JVN19578958/index.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 4.3 | EPSS: 73% | CPEs: 27 | EXPL: 0

01 Jun 2015 — FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support is enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment. • http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html • CWE-284: Improper Access Control •
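The two checks these entries turn on, a signature over the fragment URI that is compared in constant time (the timing-attack entry above) and a refusal to dispatch /_fragment when no hash, a wrong hash, or no resolved _controller is present (the FragmentListener entry), as one added example. This is not Symfony's code and not from the advisory listing: the "_hash" parameter name, HMAC-SHA256 over path plus sorted query, the secret, and all class and method names are illustrative assumptions, not Symfony's UriSigner or FragmentListener API.

```php
<?php
// Added example; not code from Symfony or from this advisory listing.
// Signs internal fragment URIs with an HMAC and refuses /_fragment requests that
// carry no hash, an invalid hash, or no resolved _controller. Assumptions: the
// "_hash" parameter name, HMAC-SHA256 over path plus sorted query, the secret,
// and every class/method name here are illustrative choices, not Symfony's API.
declare(strict_types=1);

final class FragmentGuard
{
    public function __construct(
        private string $secret,
        private string $fragmentPath = '/_fragment',
    ) {}

    /** Path plus sorted query string, with any existing _hash removed. */
    private static function canonical(string $uri, ?string &$presentedHash = null): string
    {
        $parts = parse_url($uri) ?: [];
        parse_str($parts['query'] ?? '', $params);
        $presentedHash = isset($params['_hash']) && is_string($params['_hash']) ? $params['_hash'] : null;
        unset($params['_hash']);
        ksort($params);
        $path = $parts['path'] ?? '/';
        return $params === [] ? $path : $path . '?' . http_build_query($params);
    }

    private function mac(string $canonical): string
    {
        return base64_encode(hash_hmac('sha256', $canonical, $this->secret, true));
    }

    /** Append a _hash parameter computed over the canonical URI. */
    public function sign(string $uri): string
    {
        $canonical = self::canonical($uri);
        $separator = str_contains($canonical, '?') ? '&' : '?';
        return $canonical . $separator . '_hash=' . rawurlencode($this->mac($canonical));
    }

    /** True only when the presented _hash matches the rest of the URI. */
    public function check(string $uri): bool
    {
        $canonical = self::canonical($uri, $presented);
        if ($presented === null) {
            return false;                               // case (1): no hash at all
        }
        // hash_equals() takes the same time whether the strings differ in the
        // first byte or the last; == and strcmp() would leak the matching prefix.
        return hash_equals($this->mac($canonical), $presented);   // case (2): wrong hash
    }

    /**
     * Gate for the kernel: a /_fragment request is dispatched only if the
     * router resolved a _controller AND the URI signature verifies. Anything
     * else is refused even if the ordinary security rules would let it through.
     */
    public function allow(string $uri, ?string $controller): bool
    {
        $path = parse_url($uri, PHP_URL_PATH) ?: '/';
        if ($path !== $this->fragmentPath) {
            return true;                                // not a fragment request
        }
        if ($controller === null) {
            return false;                               // no _controller attribute: refuse
        }
        return $this->check($uri);
    }
}

// Constructed demo input
$guard    = new FragmentGuard('constructed-demo-secret');
$fragment = '/_fragment?_path=' . rawurlencode('_controller=App\Controller\Widget::render');
$signed   = $guard->sign($fragment);

foreach ([
    'signed, controller resolved' => [$signed, 'App\Controller\Widget::render'],
    'no hash'                     => [$fragment, 'App\Controller\Widget::render'],
    'hash tampered'               => [str_replace('_hash=', '_hash=x', $signed), 'App\Controller\Widget::render'],
    'signed but no _controller'   => [$signed, null],
    'ordinary page, unsigned'     => ['/products?page=2', 'App\Controller\Products::list'],
] as $label => [$uri, $controller]) {
    printf("%-28s -> %s\n", $label, $guard->allow($uri, $controller) ? 'dispatch' : 'refuse');
}
```

Only the first and last cases are dispatched: the missing hash, the altered hash and the signed request with no resolved controller are all refused before any controller runs. The signature covers the canonical form (path plus sorted query), so reordering parameters does not invalidate it, and the comparison goes through hash_equals() so the time taken does not depend on how many leading bytes of a forged hash happen to match.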

CVSS: 5.3 | EPSS: 0% | CPEs: 53 | EXPL: 0

27 Dec 2014 — The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750. • http://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released • CWE-399: Resource Management Errors •
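Both resource-exhaustion entries on this page (the unbounded username written to the session, above, and the unbounded password fed to PBKDF2, here) have the same shape of fix: bound the input before the stateful or expensive step. The following is an added example and not Symfony's own code or anything from the listing; the 4096-byte cap is the figure Symfony adopted in its fixes but should be treated as an assumption here, as should the session key name, the PBKDF2 parameters and all class and function names. The simulation at the end, with constructed usernames, shows the session store staying empty across repeated failed logins once the cap is in place.

```php
<?php
// Added example; not code from Symfony or from this advisory listing.
// Bounds credential length before the stateful (session write) and expensive
// (PBKDF2) steps of authentication. Assumptions: the 4096-byte cap, the session
// key name, the PBKDF2 parameters and every class/function name are illustrative.
declare(strict_types=1);

final class CredentialGuard
{
    public const MAX_USERNAME_LENGTH = 4096;
    public const MAX_PASSWORD_LENGTH = 4096;

    /**
     * Record the last attempted username for re-display on the login form.
     * The check runs before the write, so a failed login with a huge username
     * leaves nothing behind in session storage.
     */
    public static function rememberUsername(array &$session, string $username): void
    {
        if (strlen($username) > self::MAX_USERNAME_LENGTH) {
            throw new \LengthException('username exceeds ' . self::MAX_USERNAME_LENGTH . ' bytes');
        }
        $session['_security.last_username'] = $username;
    }

    /**
     * Derive a password hash only for inputs of bounded length. A userland
     * PBKDF2 loop that calls hash_hmac() with the password as key on every
     * iteration pays the HMAC key-setup cost each time, so cost grows with
     * password length; the cap makes the worst case a constant.
     */
    public static function hashPassword(string $password, string $salt, int $iterations = 1000): string
    {
        if (strlen($password) > self::MAX_PASSWORD_LENGTH) {
            throw new \LengthException('password exceeds ' . self::MAX_PASSWORD_LENGTH . ' bytes');
        }
        return hash_pbkdf2('sha512', $password, $salt, $iterations, 64);
    }
}

/**
 * Simulate $attempts failed logins, each from a fresh session and each
 * presenting a constructed username of $usernameBytes, and return how many
 * bytes the (in-memory) session store ends up holding.
 */
function simulateSessionGrowth(int $attempts, int $usernameBytes, bool $guarded): int
{
    $store = [];                                   // session id => session data
    for ($i = 0; $i < $attempts; $i++) {
        $sid      = bin2hex(random_bytes(8));
        $session  = [];
        $username = str_repeat('u', $usernameBytes);   // constructed non-existent user
        try {
            if ($guarded) {
                CredentialGuard::rememberUsername($session, $username);
            } else {
                $session['_security.last_username'] = $username;   // pre-fix behaviour
            }
        } catch (\LengthException) {
            // rejected: nothing is written for this attempt
        }
        if ($session !== []) {
            $store[$sid] = $session;
        }
    }
    return array_sum(array_map(
        static fn(array $s): int => strlen($s['_security.last_username']),
        $store
    ));
}

printf("unguarded: %d bytes held after 200 attempts\n", simulateSessionGrowth(200, 64 * 1024, false));
printf("guarded:   %d bytes held after 200 attempts\n", simulateSessionGrowth(200, 64 * 1024, true));

try {
    CredentialGuard::hashPassword(str_repeat('p', 1_000_000), 'constructed-salt');
} catch (\LengthException $e) {
    echo 'long password rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'normal password hashed: ', substr(CredentialGuard::hashPassword('correct horse', 'constructed-salt'), 0, 16), '...', PHP_EOL;
```

The order matters: the length check has to sit in front of the session write and in front of the hash call, not after them, because the cost the attacker is buying is incurred by those steps themselves. A cap of a few kilobytes is far above any real credential, so it does not change behaviour for legitimate users.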

CVSS: 7.5 | EPSS: 0% | CPEs: 22 | EXPL: 0

02 Jun 2014 — The Yaml::parse function in Symfony 2.0.x before 2.0.22 allows remote attackers to execute arbitrary PHP code via a PHP file, a different vulnerability than CVE-2013-1397. • http://secunia.com/advisories/51980 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.5 | EPSS: 0% | CPEs: 40 | EXPL: 0

02 Jun 2014 — Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x allows remote attackers to execute arbitrary PHP code via a serialized PHP object passed to the (1) Yaml::parse or (2) Yaml\Parser::parse function, a different vulnerability than CVE-2013-1348. • http://secunia.com/advisories/51980 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.5 | EPSS: 0% | CPEs: 20 | EXPL: 0

27 Dec 2012 — Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string. • http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released • CWE-264: Permissions, Privileges, and Access Controls •
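The inconsistency described in this entry is a mismatch between what the router decodes and what the access rules are matched against. As an added example, not Symfony's code and not from the listing, the block below decodes a path exactly once, refuses anything that is still percent-encoded after that single decode, and evaluates rules only on the canonical form, so routing and authorization cannot disagree about which resource a request names. The rule table, the role names, the assumption that the router performs one rawurldecode(), and all class and function names are illustrative.

```php
<?php
// Added example; not code from Symfony or from this advisory listing.
// Decodes a request path exactly once, refuses paths that are still encoded
// after that, and matches access-control rules only on that canonical form.
// Assumptions: the rule table, role names, the one-decode router model, and
// all class/function names are illustrative.
declare(strict_types=1);

final class PathAccessControl
{
    /** @param array<string, string> $rules  regex on the canonical path => required role */
    public function __construct(private array $rules) {}

    /**
     * Canonical path, or null when the input must be refused. One
     * rawurldecode() is the only decoding step any layer is allowed to do;
     * if decoding again would change the string, the client sent a doubly
     * encoded path, and we refuse instead of guessing which layer decodes it.
     */
    public static function canonicalize(string $rawPath): ?string
    {
        $once = rawurldecode($rawPath);
        if (rawurldecode($once) !== $once) {
            return null;                              // doubly encoded: refuse
        }
        if (str_contains($once, "\0")) {
            return null;                              // embedded NUL: refuse
        }
        return $once;
    }

    /** Role required for $rawPath; null when the path is refused outright. */
    public function requiredRole(string $rawPath): ?string
    {
        $path = self::canonicalize($rawPath);
        if ($path === null) {
            return null;
        }
        foreach ($this->rules as $pattern => $role) {
            if (preg_match($pattern, $path) === 1) {
                return $role;
            }
        }
        return 'PUBLIC';
    }
}

/** Pre-fix shape: rules matched against the raw path while the router decodes it. */
function naiveRequiredRole(array $rules, string $rawPath): string
{
    foreach ($rules as $pattern => $role) {
        if (preg_match($pattern, $rawPath) === 1) {
            return $role;
        }
    }
    return 'PUBLIC';
}

// Constructed demo input: one protected prefix and a handful of encodings of it
$rules = ['#^/admin(/|$)#' => 'ROLE_ADMIN'];
$ac    = new PathAccessControl($rules);

foreach (['/admin/users', '/%61dmin/users', '/%2561dmin/users', '/admin%2Fusers', '/caf%C3%A9'] as $raw) {
    printf("%-20s router sees %-16s naive firewall: %-10s canonical firewall: %s\n",
        $raw,
        rawurldecode($raw),
        naiveRequiredRole($rules, $raw),
        $ac->requiredRole($raw) ?? 'REFUSED');
}
```

The second row is the bypass: a router that decodes once sees /admin/users and dispatches the admin controller, while a firewall matching the raw string sees /%61dmin/users and reports PUBLIC. The canonical matcher reports ROLE_ADMIN for that row and refuses the doubly encoded third row outright, which is the safe answer when it is unknown whether some later layer decodes a second time. The trade-off is that a literal "%" followed by two hex digits in a path segment is also refused; in practice that is a small price for never letting the two components disagree.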

CVSS: 6.8 | EPSS: 0% | CPEs: 26 | EXPL: 0

27 Dec 2012 — Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a /_internal substring. • http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released • CWE-264: Permissions, Privileges, and Access Controls •