Symfony — фреймворк c открытым исходным кодом, написанный на PHP.
Релизный цикл, информация об уязвимостях
График релизов
Количество 247
CVE-2020-5275
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7.
CVE-2020-5274
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5
CVE-2020-5255
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.
GHSA-g4m9-5hpf-hx72
Firewall configured with unanimous strategy was not actually unanimous in Symfony
GHSA-m884-279h-32v2
Exceptions displayed in non-debug configurations in Symfony
GHSA-mcx4-f5f5-4859
Prevent cache poisoning via a Response Content-Type header in Symfony
GHSA-cchx-mfrc-fwqr
Improper authentication in Symfony
GHSA-w2fr-65vp-mxw3
Deserialization of untrusted data in Symfony
GHSA-w4rc-rx25-8m86
Improper Input Validation in Symfony
CVE-2013-4752
Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2020-5275 In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7. | CVSS3: 7.6 | 0% Низкий | больше 5 лет назад |
| CVE-2020-5274 In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5 | CVSS3: 4.6 | 0% Низкий | больше 5 лет назад |
| CVE-2020-5255 In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7. | CVSS3: 2.6 | 0% Низкий | больше 5 лет назад |
| GHSA-g4m9-5hpf-hx72 Firewall configured with unanimous strategy was not actually unanimous in Symfony | CVSS3: 7.6 | 0% Низкий | больше 5 лет назад |
| GHSA-m884-279h-32v2 Exceptions displayed in non-debug configurations in Symfony | CVSS3: 4.6 | 0% Низкий | больше 5 лет назад |
| GHSA-mcx4-f5f5-4859 Prevent cache poisoning via a Response Content-Type header in Symfony | CVSS3: 2.6 | 0% Низкий | больше 5 лет назад |
| GHSA-cchx-mfrc-fwqr Improper authentication in Symfony | CVSS3: 7.5 | 0% Низкий | больше 5 лет назад |
| GHSA-w2fr-65vp-mxw3 Deserialization of untrusted data in Symfony | CVSS3: 7.1 | 1% Низкий | больше 5 лет назад |
| GHSA-w4rc-rx25-8m86 Improper Input Validation in Symfony | CVSS3: 9.8 | 5% Низкий | больше 5 лет назад |
 | CVE-2013-4752 Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks. | CVSS3: 6.1 | 1% Низкий | больше 5 лет назад |
Уязвимостей на страницу