Debian Symfony vulnerabilities

CVE-2026-24739 [MEDIUM] CVE-2026-24739: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Sy

CVE-2025-64500 [HIGH] CVE-2025-64500: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some

CVE-2024-51996 [HIGH] CVE-2024-51996: symfony - Symphony process is a module for the Symphony PHP framework which executes comma... Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8. Scope: local bo

CVE-2024-50340 [HIGH] CVE-2024-50340: symfony - symfony/runtime is a module for the Symphony PHP framework which enables decoupl... symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.

CVE-2024-36611 [HIGH] CVE-2024-36611: symfony - In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthen... In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service. NOTE: the Supplier has concluded that thi

CVE-2024-50342 [LOW] CVE-2024-50342: symfony - symfony/http-client is a module for the Symphony PHP framework which provides po... symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetwo

CVE-2024-50341 [LOW] CVE-2024-50341: symfony - symfony/security-bundle is a module for the Symphony PHP framework which provide... symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Securi

CVE-2024-50345 [LOW] CVE-2024-50345: symfony - symfony/http-foundation is a module for the Symphony PHP framework which defines... symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods

CVE-2024-50343 [LOW] CVE-2024-50343: symfony - symfony/validator is a module for the Symphony PHP framework which provides tool... symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to u

CVE-2024-51736 [NONE] CVE-2024-51736: symfony - Symphony process is a module for the Symphony PHP framework which executes comma... Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14

CVE-2023-46734 [MEDIUM] CVE-2023-46734: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output

CVE-2023-46733 [MEDIUM] CVE-2023-46733: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifier. In some use

CVE-2023-46735 [MEDIUM] CVE-2023-46735: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now doesn't return any user-submitted input in its response. Scope: local bookworm: resolved

CVE-2022-24895 [MEDIUM] CVE-2022-24895: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by perf

CVE-2022-24894 [MEDIUM] CVE-2022-24894: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might contain a `Set-Cookie` header. If the Symfony HTTP cache sys

CVE-2022-23601 [HIGH] CVE-2022-23601: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the c

CVE-2021-21424 [MEDIUM] CVE-2021-21424: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not i

CVE-2021-41270 [MEDIUM] CVE-2021-41270: symfony - Symfony/Serializer handles serializing and deserializing data structures for Sym... Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_

CVE-2021-41267 [MEDIUM] CVE-2021-41267: symfony - Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework fo... Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this he

CVE-2021-41268 [MEDIUM] CVE-2021-41268: symfony - Symfony/SecurityBundle is the security system for Symfony, a PHP framework for w... Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is change