Page 7 of 33 results (0.005 seconds)

CVSS: 5.9EPSS: 0%CPEs: 6EXPL: 0

An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. Se ha descubierto un problema en el componente HttpFoundation en Symfony en versiones 2.7.x anteriores a la 2.7.48, versiones 2.8.x anteriores a la 2.8.41, versiones 3.3.x anteriores a la 3.3.17, versiones 3.4.x anteriores a la 3.4.11 y versiones 4.0.x anteriores a la 4.0.11. La clase PDOSessionHandler permite el almacenamiento de sesiones en una conexión PDO. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler https://www.debian.org/security/2018/dsa-4262 • CWE-613: Insufficient Session Expiration •

CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0

An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks. Se ha descubierto un problema en Symfony en versiones 2.7.x anteriores a la 2.7.38, versiones 2.8.x anteriores a la 2.8.31, versiones 3.2.x anteriores a la 3.2.14 y versiones 3.3.x anteriores a la 3.3.13. DefaultAuthenticationSuccessHandler o DefaultAuthenticationFailureHandler toman el contenido del parámetro _target_path y generan una respuesta de redirección, pero no se realiza una comprobación de ruta, que puede ser una URL absoluta o un dominio externo. • https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2

Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues). ** EN DISPUTA ** Vulnerabilidad de Cross-Site Scripting (XSS) reflejado en el generador de perfiles web en Symfony 3.3.6, de SensioLabs, permite que atacantes remotos inyecten scripts web o HTML mediante el parámetro "file". Esto también se conoce como URI _profiler/open?file=. • http://packetstormsecurity.com/files/148125/SensioLabs-Symfony-3.3.6-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/542071/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •