symfony/security-http
Packagist19 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting symfony/security-httppage 1 of 1
- CVE-2015-8124NONECVSS 0.0EG 0.0✓ Fixed in 2.7.72015-12-07
vulnerable: v2.7.0 ... v2.7.6 (7 versions)
Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.
- CVE-2015-8125NONECVSS 0.0EG 0.0✓ Fixed in 2.7.72015-12-07
vulnerable: v2.7.0 ... v2.7.6 (7 versions)
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberM…
- CVE-2016-4423HIGHCVSS 7.5EG 7.5✓ Fixed in 3.0.62016-06-01
vulnerable: v3.0.0 ... v3.0.5 (6 versions)
The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a …
- CVE-2017-16652MEDIUMCVSS 6.1EG 6.1✓ Fixed in 3.3.132018-06-13
vulnerable: v3.3.0 ... v3.3.9 (13 versions)
An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path par…
- CVE-2018-11385HIGHCVSS 8.1EG 8.1✓ Fixed in 4.0.112018-06-13
vulnerable: v4.0.0 ... v4.0.9 (11 versions)
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may…
- CVE-2018-11406HIGHCVSS 8.8EG 8.8✓ Fixed in 4.0.112018-06-13
vulnerable: v4.0.0 ... v4.0.9 (11 versions)
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged o…
- CVE-2018-19790MEDIUMCVSS 6.1EG 6.1✓ Fixed in 4.2.12018-12-18
vulnerable: v4.2.0
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms,…
- CVE-2019-10911HIGHCVSS 7.5EG 7.5✓ Fixed in 4.2.72019-05-16
vulnerable: v4.2.0 ... v4.2.6 (7 versions)
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login…
- CVE-2019-18886MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.3.82019-11-21
vulnerable: v4.3.0 ... v4.3.7 (8 versions)
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users fu…
- CVE-2020-5275HIGHCVSS 7.6EG 7.6✓ Fixed in 5.0.72020-03-30
vulnerable: v5.0.0 ... v5.0.6 (7 versions)
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preven…
- CVE-2021-21424MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.2.82021-05-13
vulnerable: v5.1.0 ... v5.2.7 (25 versions)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or n…
- CVE-2021-32693MEDIUMCVSS 6.8EG 6.8✓ Fixed in 5.3.22021-06-17
vulnerable: v5.3.0, v5.3.1
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines …
- CVE-2023-46733MEDIUMCVSS 6.5EG 6.5✓ Fixed in 6.3.82023-11-10
vulnerable: v6.2.10 ... v6.3.6 (13 versions)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after ev…
- CVE-2024-51996HIGHCVSS 7.5EG 7.5✓ Fixed in 7.1.82024-11-13
vulnerable: v7.0.0 ... v7.1.7 (21 versions)
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username atta…
- CVE-2026-45063HIGHCVSS 0.0EG 0.0✓ Fixed in 8.0.122026-05-27
vulnerable: v8.0.0 ... v8.0.9 (11 versions)
Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator ### Description `X509Authenticator` implements client-certificate (mTLS) authentication: the web server validates the client's certificate against a tru…
- CVE-2026-45069MEDIUMCVSS 0.0EG 0.0✓ Fixed in 8.0.122026-05-27
vulnerable: v8.0.0 ... v8.0.9 (8 versions)
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims ### Description `OidcTokenHandler` is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. I…
- CVE-2026-45074MEDIUMCVSS 0.0EG 0.0✓ Fixed in 8.0.122026-05-27
vulnerable: v8.0.0 ... v8.0.9 (8 versions)
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay `Cas2Handler` builds this `service` parameter from `Request::getSchemeAndHttpHost()`, which reflects the attacker-controlled HTTP `Host`…
- CVE-2026-45075MEDIUMCVSS 0.0EG 0.0✓ Fixed in 8.0.122026-05-27
vulnerable: v8.0.0 ... v8.0.9 (8 versions)
Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] ### Description Symfony's `#[IsGranted('...')]`, `#[IsSignatureValid]`, and `#[IsCsrfTokenValid(...)]` attributes allow y…
- CVE-2026-48489HIGHCVSS 0.0EG 0.0✓ Fixed in 8.0.132026-06-15
vulnerable: v8.0.0 ... v8.0.9 (9 versions)
Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes ### Description When a firewall is configured with `form-login` (or any authenticator using `DefaultAuthentic…
Check whether symfony/security-http is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for symfony/security-http CVEs against the assets you own.
Start Free Scan →