If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

CVE-2015-4050: ESI unauthorized access

CVE-2015-4050 fixes unauthorized access when using ESI.

May 27, 2015 Fabien Potencier

CVE-2015-2308: Esi Code Injection

CVE-2015-2308 is about possible code injections via the ESI framework.

April 1, 2015 Fabien Potencier

CVE-2015-2309: Unsafe methods in the Request class

CVE-2015-2309 fixes some unsafe methods in the Request class.

April 1, 2015 Fabien Potencier

CVE-2014-6061: Security issue when parsing the Authorization header

CVE-2014-6061 is about a potential security issue when parsing the Authorization header.

September 3, 2014 Fabien Potencier

CVE-2014-6072: CSRF vulnerability in the Web Profiler

CVE-2014-6072 is about fixing a CSRF vulnerability in the Web Profiler.

September 3, 2014 Fabien Potencier

CVE-2014-5245: Direct access of ESI URLs behind a trusted proxy

CVE-2014-5245 is about being able to access ESI URLs even behind a trusted proxy.

September 3, 2014 Fabien Potencier

CVE-2014-5244: Denial of service with a malicious HTTP Host header

CVE-2014-5244 is about a potential denial of service with a malicious HTTP Host header.

September 3, 2014 Fabien Potencier

Security releases (CVE-2014-4931): Symfony 2.3.18, 2.4.8, and 2.5.2 released

Symfony 2.3.18, 2.4.8, and 2.5.2 have just been released; they contain a security fix for the Translator class provided by FrameworkBundle (CVE-2014-4931).

July 15, 2014 Fabien Potencier

Security releases (CVE-2013-5958): Symfony 2.0.25, 2.1.13, 2.2.9, and 2.3.6 released

Symfony 2.0.25, 2.1.13, 2.2.9, and 2.3.6 have just been released; they contain a security fix for the Security component (CVE-2013-5958).

October 10, 2013 Fabien Potencier

CVE-2013-5750: Security issue in FOSUserBundle login form

A security issue has been discovered in FOSUserBundle (CVE-2013-5750).

September 23, 2013 Fabien Potencier