SymfonyWorld Online 2021 Summer Edition
June 17 – 18, 2021
SymfonyWorld Online 2021 Winter Edition
December 9 – 10, 2021
  1. Home
  2. Blog
  3. Category: Security Advisories
If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.

CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances

CVE-2019-18889 fixes an issue where the destructor of TagAwareAdapter execute callables stored in properties, leading to possible remote code execution when an external payload is unserialized.

November 13, 2019 Avatar of Fabien Potencier Fabien Potencier

CVE-2019-10911: Add a separator in the remember me cookie hash

CVE-2019-10911 fixes an issue where there was not a clear differentiation between different parts of the content of a cookie allowing for potential to authenticate as a different user in particular situations

April 17, 2019 Avatar of Fabien Potencier Fabien Potencier

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

CVE-2019-10912 fixes an issue where files could be deleted or raw output echoed when some classes were unserialized.

April 17, 2019 Avatar of Fabien Potencier Fabien Potencier

CVE-2019-10910: Check service IDs are valid

CVE-2019-10910 fixes an issue where crafted service IDs could be executed as code

April 17, 2019 Avatar of Fabien Potencier Fabien Potencier

CVE-2019-10909: Escape validation messages in the PHP templating engine

CVE-2019-10909 fixes an issue where when using the form theme of the PHP templating engine validation messages were not correctly escaped.

April 17, 2019 Avatar of Fabien Potencier Fabien Potencier

CVE-2019-10913: Reject invalid HTTP method overrides

CVE-2019-10913 ensures that HTTP Methods are sanitized for use in unescaped contexts.

April 17, 2019 Avatar of Fabien Potencier Fabien Potencier

Twig: Sandbox Information Disclosure

Fixing a vulnerability in Twig's sandbox mode.

March 12, 2019 Avatar of Fabien Potencier Fabien Potencier

CVE-2018-19790: Open Redirect Vulnerability when using Security\Http

CVE-2018-19790 fixes an open redirect vulnerability when using Security\Http

December 6, 2018 Avatar of Fabien Potencier Fabien Potencier

CVE-2018-19789: Disclosure of uploaded files full path

CVE-2018-19789 fixes a possible disclosure of an uploaded temporary file's full path in the form component

December 6, 2018 Avatar of Fabien Potencier Fabien Potencier

CVE-2018-14774: Possible host header injection when using HttpCache

CVE-2018-14774 fixes a possible host header injection when using HttpCache

August 1, 2018 Avatar of Fabien Potencier Fabien Potencier