Symfony — фреймворк c открытым исходным кодом, написанный на PHP.

Релизный цикл, информация об уязвимостях

Продукт: Symfony

Вендор: SensioLabs

График релизов

Недавние уязвимости Symfony

Количество 260

CVE-2015-8124

около 10 лет назад

Session fixation vulnerability in the "Remember Me" login feature in S ...

CVSS2: 6.8

EPSS: Низкий

CVE-2015-8125

около 10 лет назад

Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.

CVSS2: 7.5

EPSS: Низкий

CVE-2015-8124

около 10 лет назад

Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.

CVSS2: 6.8

EPSS: Низкий

CVE-2015-2308

больше 10 лет назад

Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.

CVSS2: 6.8

EPSS: Низкий

CVE-2015-2308

больше 10 лет назад

Eval injection vulnerability in the HttpCache class in HttpKernel in S ...

CVSS2: 6.8

EPSS: Низкий

CVE-2015-2308

больше 10 лет назад

CVSS2: 6.8

EPSS: Низкий

CVE-2015-4050

больше 10 лет назад

FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.

CVSS2: 4.3

EPSS: Высокий

CVE-2015-4050

больше 10 лет назад

FragmentListener in the HttpKernel component in Symfony 2.3.19 through ...

CVSS2: 4.3

EPSS: Высокий

CVE-2015-4050

больше 10 лет назад

CVSS2: 4.3

EPSS: Высокий

CVE-2013-5958

около 11 лет назад

The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.

CVSS2: 5

EPSS: Низкий

Уязвимостей на страницу

Уязвимость	CVSS	EPSS	Опубликовано 1
CVE-2015-8124 Session fixation vulnerability in the "Remember Me" login feature in S ...	CVSS2: 6.8	0% Низкий	около 10 лет назад
CVE-2015-8125 Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.	CVSS2: 7.5	1% Низкий	около 10 лет назад
CVE-2015-8124 Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.	CVSS2: 6.8	0% Низкий	около 10 лет назад
CVE-2015-2308 Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.	CVSS2: 6.8	1% Низкий	больше 10 лет назад
CVE-2015-2308 Eval injection vulnerability in the HttpCache class in HttpKernel in S ...	CVSS2: 6.8	1% Низкий	больше 10 лет назад
CVE-2015-2308 Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.	CVSS2: 6.8	1% Низкий	больше 10 лет назад
CVE-2015-4050 FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.	CVSS2: 4.3	76% Высокий	больше 10 лет назад
CVE-2015-4050 FragmentListener in the HttpKernel component in Symfony 2.3.19 through ...	CVSS2: 4.3	76% Высокий	больше 10 лет назад
CVE-2015-4050 FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.	CVSS2: 4.3	76% Высокий	больше 10 лет назад
CVE-2013-5958 The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.	CVSS2: 5	0% Низкий	около 11 лет назад

Уязвимостей на страницу