Debian Symfony vulnerabilities
62 known vulnerabilities affecting debian/symfony.
Total CVEs: 62
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 16, MEDIUM 20, LOW 19, UNKNOWN 1
Vulnerabilities
Page 3 of 4
CVE-2018-11386 | MEDIUM | CVSS 5.9 | fixed in symfony 3.4.12+dfsg-1 (bookworm) | 2018
CVE-2018-11386 [MEDIUM]: symfony - An issue was discovered in the HttpFoundation component in Symfony 2.7.x before ...
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony app
debian
CVE-2018-19789 | MEDIUM | CVSS 5.3 | fixed in symfony 3.4.20+dfsg-1 (bookworm) | 2018
CVE-2018-19789 [MEDIUM]: symfony - An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x...
An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field inste
debian
CVE-2018-14773 | MEDIUM | CVSS 6.5 | fixed in symfony 3.4.14+dfsg-1 (bookworm) | 2018
CVE-2018-14773 [MEDIUM]: symfony - An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8....
An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers
debian
CVE-2018-11408 | MEDIUM | CVSS 6.1 | fixed in symfony 3.4.12+dfsg-1 (bookworm) | 2018
CVE-2018-11408 [MEDIUM]: symfony - The security handlers in the Security component in Symfony in 2.7.x before 2.7.4...
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
Scope: local
bookworm: resolved (fi
debian
CVE-2018-12040 | LOW | CVSS 6.1 | fixed in symfony 3.4.12+dfsg-1 (bookworm) | 2018
CVE-2018-12040 [MEDIUM]: symfony - Reflected Cross-site scripting (XSS) vulnerability in the web profiler in Sensio...
Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues
debian
CVE-2017-16654 | HIGH | CVSS 7.5 | fixed in symfony 3.4.0+dfsg-1 (bookworm) | 2017
CVE-2017-16654 [HIGH]: symfony - An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BE...
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retriev
debian
CVE-2017-16652 | MEDIUM | CVSS 6.1 | fixed in symfony 3.4.0+dfsg-1 (bookworm) | 2017
CVE-2017-16652 [MEDIUM]: symfony - An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2...
An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external
debian
CVE-2017-16790 | MEDIUM | CVSS 6.5 | fixed in symfony 3.4.0+dfsg-1 (bookworm) | 2017
CVE-2017-16790 [MEDIUM]: symfony - An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BE...
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST data and uploaded files data into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submit
debian
CVE-2017-16653 | MEDIUM | CVSS 5.9 | fixed in symfony 3.4.0+dfsg-1 (bookworm) | 2017
CVE-2017-16653 [MEDIUM]: symfony - An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BE...
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.
Scope: local
bookworm: resolv
debian
CVE-2017-11365 | LOW | CVSS 9.8 | 2017
CVE-2017-11365 [CRITICAL]: symfony - Certain Symfony products are affected by: Incorrect Access Control. This affects...
Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2017-18343 | LOW | CVSS 6.1 | fixed in symfony 3.4.0+dfsg-1 (bookworm) | 2017
CVE-2017-18343 [MEDIUM]: symfony - The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3...
The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use
debian
CVE-2016-2403 | CRITICAL | CVSS 9.8 | fixed in symfony 2.8.6+dfsg-1 (bookworm) | 2016
CVE-2016-2403 [CRITICAL]: symfony - Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass auth...
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.
Scope: local
bookworm: resolved (fixed in 2.8.6+dfsg-1)
bullseye: resolved (fixed in 2.8.6+dfsg-1)
forky: resolved (fixed in 2.8.6+dfsg-1)
sid: resolved (fixed in 2.8.6+dfsg-1)
t
debian
CVE-2016-1902 | HIGH | CVSS 7.5 | fixed in symfony 2.7.9+dfsg-1 (bookworm) | 2016
CVE-2016-1902 [HIGH]: symfony - The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x...
The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unsp
debian
CVE-2016-4423 | HIGH | CVSS 7.5 | fixed in symfony 2.8.6+dfsg-1 (bookworm) | 2016
CVE-2016-4423 [HIGH]: symfony - The attemptAuthentication function in Component/Security/Http/Firewall/UsernameP...
The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series
debian
CVE-2015-8125 | HIGH | CVSS 7.5 | fixed in symfony 2.7.7+dfsg-1 (bookworm) | 2015
CVE-2015-8125 [HIGH]: symfony - Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might a...
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or
debian
CVE-2015-8124 | MEDIUM | CVSS 6.8 | fixed in symfony 2.7.7+dfsg-1 (bookworm) | 2015
CVE-2015-8124 [MEDIUM]: symfony - Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3...
Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.
Scope: local
bookworm: resolved (fixed in 2.7.7+dfsg-1)
bullseye: resolved (fixed in 2.7.7+dfsg-1)
forky: resolved (fixed in 2.7.7+dfsg-1)
sid: resolved (fixed i
debian
CVE-2015-2308 | MEDIUM | CVSS 6.8 | fixed in symfony 2.3.21+dfsg-4 (bookworm) | 2015
CVE-2015-2308 [MEDIUM]: symfony - Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x...
Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.
Scope: local
bookworm: resolved (fixed in 2.3.21+dfsg-4)
bullseye: resolved (fixed in 2.3.21+dfsg-4)
forky: reso
debian
CVE-2015-4050 | MEDIUM | CVSS 4.3 | PoC | fixed in symfony 2.7.0~beta2+dfsg-2 (bookworm) | 2015
CVE-2015-4050 [MEDIUM]: symfony - FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2...
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to
debian
CVE-2015-2309 | UNKNOWN | fixed in symfony 2.3.21+dfsg-4 (bookworm) | 2015
CVE-2015-2309: symfony
bookworm: resolved (fixed in 2.3.21+dfsg-4)
bullseye: resolved (fixed in 2.3.21+dfsg-4)
forky: resolved (fixed in 2.3.21+dfsg-4)
sid: resolved (fixed in 2.3.21+dfsg-4)
trixie: resolved (fixed in 2.3.21+dfsg-4)
debian
CVE-2013-5958 | LOW | CVSS 5.0 | 2013
CVE-2013-5958 [MEDIUM]: symfony - The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2....
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.
Scope: local
bookworm: resolved
bullse
debian