« Security Advisories » blog posts
Have you found a security issue in Symfony? Send the details to security [at] symfony.com and do not disclose it publicly until we can provide a fix for it.
CVE-2020-5275: All "access_control" rules are required when a firewall uses the unanimous strategy
CVE-2020-5275 fixes an issue that prevented all rules set in "access_control" from being checked when a firewall is configured with the unanimous strategy.
March 30, 2020 · Published in #Security Advisories

CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header
CVE-2020-5255 fixes a cache poisoning issue via a Response Content-Type header.
March 30, 2020 · Published in #Security Advisories

CVE-2020-5274: Fix Exception message escaping rendered by ErrorHandler
CVE-2020-5274 fixes the escaping of exception messages rendered by ErrorHandler.
March 30, 2020 · Published in #Security Advisories

CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
CVE-2019-18888 fixes an issue where file paths passed to the MimeTypeGuesser were not properly escaped before being handed to the command it executes, allowing argument injection.
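To make the bug class concrete, here is an added example (not Symfony's own guesser code) of a guesser that builds a `file -b --mime` command line. Wrapping the path in `escapeshellarg()` stops shell injection, but the shell strips the quotes again, so a path beginning with `-` still reaches `file` as an option. The hardened builder terminates option parsing with `--` and prefixes such paths with `./`. The function name `buildFileCommand()` and the sample inputs are invented for this example; it needs PHP 8 for `str_starts_with()`.

```php
<?php
// Added example, not Symfony code: argument injection in a shell-based MIME guesser.
declare(strict_types=1);

/**
 * Build the `file` command line used to guess a MIME type.
 *
 * @param string $path     Path supplied by the caller (possibly attacker-controlled, e.g. an upload name)
 * @param bool   $hardened Terminate option parsing with "--" and neutralise a leading dash
 */
function buildFileCommand(string $path, bool $hardened): string
{
    if (!$hardened) {
        // escapeshellarg() stops shell metacharacters (;, |, $(...)) from being interpreted,
        // but the shell removes the quotes before exec(), so `file` still receives
        // "--mime-encoding" and parses it as an option rather than as a file name.
        return sprintf('file -b --mime %s 2>/dev/null', escapeshellarg($path));
    }

    // "--" ends option parsing for getopt-style tools; the "./" prefix additionally
    // guarantees the argument never starts with "-", even for tools that ignore "--".
    if (str_starts_with($path, '-')) {
        $path = './'.$path;
    }

    return sprintf('file -b --mime -- %s 2>/dev/null', escapeshellarg($path));
}

// Constructed inputs: an ordinary path, then two names an attacker could choose.
foreach (['/tmp/upload.png', '--mime-encoding', '-'] as $path) {
    echo 'input:      ', json_encode($path), "\n";
    echo '  naive:    ', buildFileCommand($path, false), "\n";
    echo '  hardened: ', buildFileCommand($path, true), "\n\n";
}
```

The example only prints the two command lines side by side rather than running `file`, so it is safe to execute anywhere; the point is that shell escaping and option-terminating are two different defences, and argument injection needs the second one.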
November 13, 2019 · Published in #Security Advisories

CVE-2019-11325: Fix escaping of strings in VarExporter
CVE-2019-11325 fixes an issue where some strings were not properly escaped when dumping, which could lead to remote code execution.
November 13, 2019 · Published in #Security Advisories

CVE-2019-18886: Prevent user enumeration using switch user functionality
CVE-2019-18886 fixes an issue where one could enumerate users through the switch user functionality, because the behaviour differed depending on whether the target user existed.
November 13, 2019 · Published in #Security Advisories

CVE-2019-18887: Use constant time comparison in UriSigner
CVE-2019-18887 fixes an issue where one could guess the signature of a URI using a remote timing attack.
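As an added illustration of the fix (this is example code written for this page, not Symfony's UriSigner): a small HMAC-based URI signer whose verification step compares the recomputed and supplied signatures with `hash_equals()`. A byte-by-byte `===` comparison returns as soon as the first byte differs, so an attacker measuring response times can recover the signature one byte at a time; `hash_equals()` runs in time independent of where the mismatch is. The class name `ExampleUriSigner`, the `_hash` parameter and the secret are assumptions for this example; it needs PHP 8 for constructor property promotion.

```php
<?php
// Added example, not Symfony code: HMAC-signed URIs verified with a constant-time comparison.
declare(strict_types=1);

final class ExampleUriSigner
{
    public function __construct(private string $secret, private string $parameter = '_hash')
    {
    }

    /** Return the URI with a signature over its canonical form appended as a query parameter. */
    public function sign(string $uri): string
    {
        $url = parse_url($uri);
        if (false === $url) {
            throw new \InvalidArgumentException('Malformed URI.');
        }

        $params = [];
        if (isset($url['query'])) {
            parse_str($url['query'], $params);
        }
        unset($params[$this->parameter]);

        $params[$this->parameter] = $this->computeHash($this->buildUrl($url, $params));

        return $this->buildUrl($url, $params);
    }

    /** Verify a signed URI; any change to scheme, host, path or query invalidates it. */
    public function check(string $signedUri): bool
    {
        $url = parse_url($signedUri);
        if (false === $url || !isset($url['query'])) {
            return false;
        }

        parse_str($url['query'], $params);
        if (!isset($params[$this->parameter]) || !is_string($params[$this->parameter])) {
            return false; // missing signature, or "_hash[]=" array trickery
        }
        $supplied = $params[$this->parameter];
        unset($params[$this->parameter]);

        // Vulnerable pattern, shown for contrast:
        //   return $supplied === $this->computeHash(...);
        // That comparison stops at the first differing byte, which a remote attacker can
        // measure. hash_equals() compares the whole string regardless of the content.
        return hash_equals($this->computeHash($this->buildUrl($url, $params)), $supplied);
    }

    private function computeHash(string $uri): string
    {
        return base64_encode(hash_hmac('sha256', $uri, $this->secret, true));
    }

    /** Canonical form: sorted query parameters, so signing and checking see the same bytes. */
    private function buildUrl(array $url, array $params): string
    {
        ksort($params, SORT_STRING);
        $query = http_build_query($params, '', '&');

        return ($url['scheme'] ?? 'http').'://'
            .($url['host'] ?? '')
            .(isset($url['port']) ? ':'.$url['port'] : '')
            .($url['path'] ?? '/')
            .('' !== $query ? '?'.$query : '');
    }
}

// Constructed demo: a secret and a URI invented for this example.
$signer = new ExampleUriSigner('demo-secret-do-not-use');
$signed = $signer->sign('https://example.com/download?file=report.pdf&user=42');

echo $signed, "\n";
echo 'untouched: ', var_export($signer->check($signed), true), "\n";
echo 'tampered:  ', var_export($signer->check(str_replace('user=42', 'user=1', $signed)), true), "\n";
```

The canonicalisation in `buildUrl()` matters as much as the comparison: if the signer and the checker hashed different byte sequences for the same logical URI, valid links would fail and developers would be tempted to loosen the check.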
November 13, 2019 · Published in #Security Advisories

CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances
CVE-2019-18889 fixes an issue where the destructor of TagAwareAdapter executes callables stored in its properties, which could lead to remote code execution when an untrusted payload is unserialized.
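The following is an added example (not the Symfony cache code) of the gadget shape the advisory describes and of the "forbid serializing" mitigation named in its title. A class whose destructor invokes callables kept in a property becomes a deserialization gadget the moment attacker-controlled data reaches `unserialize()`; the hardened variant refuses to be serialized or unserialized at all. The class names, the `deferred` property and the `gadgetProof()` function are invented for this example, and the serialized payload is constructed by hand to stand in for an attacker's input.

```php
<?php
// Added example, not Symfony code: a destructor that runs stored callables is a
// deserialization gadget; refusing (un)serialization removes the gadget.
declare(strict_types=1);

/** Vulnerable shape: deferred callbacks are executed from __destruct(). */
class VulnerableAdapter
{
    /** @var array<callable> */
    public array $deferred = [];

    public function __destruct()
    {
        // Runs whatever callables the object carries, including ones that
        // unserialize() restored from an untrusted payload.
        foreach ($this->deferred as $callback) {
            $callback();
        }
    }
}

/** Hardened shape: the object cannot round-trip through serialize()/unserialize(). */
class HardenedAdapter
{
    /** @var array<callable> */
    public array $deferred = [];

    public function __destruct()
    {
        foreach ($this->deferred as $callback) {
            $callback();
        }
    }

    public function __sleep(): array
    {
        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
    }

    public function __wakeup(): void
    {
        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
    }
}

/** Harmless stand-in for what a real payload would call (system, exec, ...). */
function gadgetProof(): void
{
    echo "gadget executed\n";
}

// Constructed attacker payload: an object whose "deferred" property names a function.
$payload = 'O:17:"VulnerableAdapter":1:{s:8:"deferred";a:1:{i:0;s:11:"gadgetProof";}}';

// 1. Vulnerable: the object is discarded immediately, its destructor fires, the callable runs.
echo "vulnerable class:\n";
unserialize($payload, ['allowed_classes' => [VulnerableAdapter::class]]);

// 2. Hardened: __wakeup() throws, so the payload is rejected before any destructor can run
//    (PHP marks objects whose unserialization failed so that __destruct() is skipped).
echo "hardened class:\n";
try {
    $hardenedPayload = str_replace('O:17:"VulnerableAdapter"', 'O:15:"HardenedAdapter"', $payload);
    unserialize($hardenedPayload, ['allowed_classes' => [HardenedAdapter::class]]);
} catch (\BadMethodCallException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```

The `allowed_classes` option is passed here only so the demo is explicit about which class is being instantiated; in real code it is the complementary defence, since a gadget class that is never allowed through `unserialize()` cannot be reached in the first place.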
November 13, 2019 · Published in #Security Advisories

CVE-2019-10909: Escape validation messages in the PHP templating engine
CVE-2019-10909 fixes an issue where, when using the form theme of the PHP templating engine, validation messages were not correctly escaped.
April 17, 2019 · Published in #Security Advisories

CVE-2019-10913: Reject invalid HTTP method overrides
CVE-2019-10913 ensures that HTTP method names are sanitized before being used in unescaped contexts.
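An added example (not Symfony's Request class) of the validation this advisory describes: the real method comes from the transport, an override from the `X-HTTP-Method-Override` header or the `_method` form field is honoured only for POST and only when overrides are enabled, and the result is accepted only if it is a bare upper-case token. A value such as `GET<script>` is therefore rejected before it can reach a template, log line or error page. The function and exception names are invented for this example; the `/D` regex modifier is used so that a trailing newline cannot slip past `$`.

```php
<?php
// Added example, not Symfony code: resolving an HTTP method override safely.
declare(strict_types=1);

final class InvalidMethodException extends \UnexpectedValueException
{
}

/**
 * Resolve the effective HTTP method for a request.
 *
 * @param string      $realMethod     Method reported by the server (REQUEST_METHOD)
 * @param string|null $headerValue    X-HTTP-Method-Override header, if present
 * @param string|null $paramValue     "_method" form field, if present
 * @param bool        $enableOverride Whether overrides are enabled at all (opt-in)
 */
function resolveHttpMethod(string $realMethod, ?string $headerValue, ?string $paramValue, bool $enableOverride): string
{
    $method = strtoupper($realMethod);

    // Overrides only make sense for POST: HTML forms cannot send PUT, PATCH or DELETE.
    if ('POST' === $method && $enableOverride) {
        $override = $headerValue ?? $paramValue;
        if (null !== $override && '' !== $override) {
            $method = strtoupper($override);
        }
    }

    // Accept only a token of upper-case ASCII letters. Without this check the raw
    // override string flows into exception messages, logs and routing errors unescaped.
    // "$" alone would match before a trailing "\n"; the D modifier anchors at the real end.
    if (!preg_match('/^[A-Z]++$/D', $method)) {
        // Deliberately do not echo the rejected value into the message: it is attacker data.
        throw new InvalidMethodException('Invalid HTTP method override.');
    }

    return $method;
}

// Constructed inputs covering the accepted, ignored and rejected cases.
$cases = [
    ['POST', null, 'DELETE'],
    ['POST', 'put', null],
    ['GET', null, 'DELETE'],        // not a POST: override ignored
    ['POST', null, 'GET<script>'],  // rejected
    ['POST', null, "DELETE\n"],     // rejected thanks to /D
];

foreach ($cases as [$real, $header, $param]) {
    $label = $real.' + override '.json_encode($header ?? $param);
    try {
        echo $label, ' => ', resolveHttpMethod($real, $header, $param, true), "\n";
    } catch (InvalidMethodException $e) {
        echo $label, ' => rejected (', $e->getMessage(), ")\n";
    }
}
```

Keeping the attacker-supplied string out of the exception message is a deliberate choice: the same listing carries an advisory about exception messages being rendered without escaping, and a validation error should not create a second sink for the value it just rejected.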
April 17, 2019 · Published in #Security Advisories