Symfony — фреймворк c открытым исходным кодом, написанный на PHP.
Релизный цикл, информация об уязвимостях
График релизов
Количество 263
BDU:2019-01955
Уязвимость компонента HttpFoundation фреймворка Symfony, связанная с ошибками обработки HTTP-загловков, позволяющая нарушителю оказать воздействие на целостность защищаемых данных
CVE-2018-12040
Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues).
CVE-2018-12040
Reflected Cross-site scripting (XSS) vulnerability in the web profiler ...
CVE-2018-12040
Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues).
CVE-2018-11408
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
CVE-2018-11408
The security handlers in the Security component in Symfony in 2.7.x be ...
CVE-2018-11407
An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.
CVE-2018-11407
An issue was discovered in the Ldap component in Symfony 2.8.x before ...
CVE-2018-11406
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.
CVE-2018-11406
An issue was discovered in the Security component in Symfony 2.7.x bef ...
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | BDU:2019-01955 Уязвимость компонента HttpFoundation фреймворка Symfony, связанная с ошибками обработки HTTP-загловков, позволяющая нарушителю оказать воздействие на целостность защищаемых данных | CVSS3: 6.5 | 4% Низкий | больше 7 лет назад |
 | CVE-2018-12040 Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues). | CVSS3: 6.1 | 0% Низкий | больше 7 лет назад |
| CVE-2018-12040 Reflected Cross-site scripting (XSS) vulnerability in the web profiler ... | CVSS3: 6.1 | 0% Низкий | больше 7 лет назад |
 | CVE-2018-12040 Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues). | CVSS3: 6.1 | 0% Низкий | больше 7 лет назад |
| CVE-2018-11408 The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652. | CVSS3: 6.1 | 0% Низкий | больше 7 лет назад |
| CVE-2018-11408 The security handlers in the Security component in Symfony in 2.7.x be ... | CVSS3: 6.1 | 0% Низкий | больше 7 лет назад |
| CVE-2018-11407 An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403. | CVSS3: 9.8 | 0% Низкий | больше 7 лет назад |
| CVE-2018-11407 An issue was discovered in the Ldap component in Symfony 2.8.x before ... | CVSS3: 9.8 | 0% Низкий | больше 7 лет назад |
| CVE-2018-11406 An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. | CVSS3: 8.8 | 0% Низкий | больше 7 лет назад |
| CVE-2018-11406 An issue was discovered in the Security component in Symfony 2.7.x bef ... | CVSS3: 8.8 | 0% Низкий | больше 7 лет назад |
Уязвимостей на страницу