Symfony is an open-source framework written in PHP.
Release cycle, vulnerability information
Release schedule
Count: 255
| Vulnerability | Description | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2017-18343 | The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar | CVSS3: 6.1 | 1% Low | more than 7 years ago |
| BDU:2019-01955 | A vulnerability in the HttpFoundation component of the Symfony framework, related to errors in HTTP header handling, that allows an attacker to affect the integrity of protected data | CVSS3: 6.5 | 17% Medium | more than 7 years ago |
| CVE-2018-12040 | Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues). | CVSS3: 6.1 | 0% Low | more than 7 years ago |
| CVE-2018-11408 | The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652. | CVSS3: 6.1 | 0% Low | more than 7 years ago |
| CVE-2018-11407 | An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403. | CVSS3: 9.8 | 0% Low | more than 7 years ago |