« Security Advisories » blog posts
Have you found a security issue in Symfony? Send the details to security [at] symfony.com and do not disclose it publicly until we can provide a fix for it.
CVE-2019-10911: Add a separator in the remember me cookie hash
CVE-2019-10911 fixes an issue where the parts of the remember-me cookie hash were concatenated without a clear separator between them, which in particular situations could allow authenticating as a different user.
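The ambiguity behind this advisory, shown with a simplified remember-me scheme. This is an added example, not Symfony's own code: the field layout, the secret, the `tokenHash*`/`cookieIsValid` helpers and the two user records are all constructed for illustration (PHP 8 assumed).

```php
<?php
declare(strict_types=1);

// Illustrative, simplified remember-me token scheme (assumed for this example;
// it is not Symfony's implementation). The server-side secret, the field set
// and the user records below are all constructed.
const SECRET = 'constructed-demo-secret';

// Vulnerable shape: fields are concatenated with no separator, so the hashed
// string does not record where "username" ends and "expires" begins.
function tokenHashWithoutSeparator(string $username, int $expires, string $passwordHash): string
{
    return hash('sha256', $username . $expires . $passwordHash . SECRET);
}

// Hardened shape: a separator sits between every field, and fields that could
// contain the separator are rejected up front, so each distinct
// (username, expires, passwordHash) triple hashes a distinct string.
function tokenHashWithSeparator(string $username, int $expires, string $passwordHash): string
{
    foreach ([$username, $passwordHash] as $field) {
        if (str_contains($field, ':')) {
            throw new InvalidArgumentException('field must not contain the separator');
        }
    }
    return hash('sha256', implode(':', [$username, (string) $expires, $passwordHash, SECRET]));
}

// Verifier: recomputes the hash from the cookie-supplied username/expires and
// the stored password hash of the named user, then compares in constant time.
function cookieIsValid(callable $hashFn, array $cookie, array $users): bool
{
    if (!isset($users[$cookie['username']]) || $cookie['expires'] < time()) {
        return false;
    }
    $expected = $hashFn($cookie['username'], $cookie['expires'], $users[$cookie['username']]);
    return hash_equals($expected, $cookie['hash']);
}

// Constructed user table: two accounts that happen to share a password hash.
$users = ['alice' => 'pbkdf2$abc', 'alice1' => 'pbkdf2$abc'];

// Cookie legitimately issued to alice. The concatenated strings
//   'alice' . '12000000000'   and   'alice1' . '2000000000'
// are byte-identical, so the same hash is also what the verifier recomputes
// for a cookie that names alice1 with the shorter expiry.
$issued = ['username' => 'alice', 'expires' => 12000000000,
           'hash' => tokenHashWithoutSeparator('alice', 12000000000, $users['alice'])];
$forged = ['username' => 'alice1', 'expires' => 2000000000, 'hash' => $issued['hash']];
var_dump(cookieIsValid('tokenHashWithoutSeparator', $forged, $users));

// With the separator, the string recomputed for alice1 is different, so the
// reused hash no longer matches.
$issued2 = ['username' => 'alice', 'expires' => 12000000000,
            'hash' => tokenHashWithSeparator('alice', 12000000000, $users['alice'])];
$forged2 = ['username' => 'alice1', 'expires' => 2000000000, 'hash' => $issued2['hash']];
var_dump(cookieIsValid('tokenHashWithSeparator', $forged2, $users));
```

Run with `php`: the first `var_dump` prints `bool(true)` (the forged cookie for `alice1` is accepted by the separator-less scheme), the second prints `bool(false)`. Note that a separator only helps if no field can contain it, which is why the hardened function rejects such values instead of trusting the caller.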
April 17, 2019 · Published in #Security Advisories

CVE-2019-10910: Check service IDs are valid
CVE-2019-10910 fixes an issue where crafted service IDs could be executed as code
April 17, 2019 · Published in #Security Advisories

Twig: Sandbox Information Disclosure
Fixing a vulnerability in Twig's sandbox mode.
March 12, 2019 · Published in #Security Advisories

CVE-2018-19790: Open Redirect Vulnerability when using Security\Http
CVE-2018-19790 fixes an open redirect vulnerability when using Security\Http
December 6, 2018 · Published in #Security Advisories

CVE-2018-19789: Disclosure of uploaded files full path
CVE-2018-19789 fixes a possible disclosure of an uploaded temporary file's full path in the Form component.
December 6, 2018 · Published in #Security Advisories

CVE-2018-14773: Remove support for legacy and risky HTTP headers
CVE-2018-14773 fixes a possible URL injection in HttpFoundation
August 1, 2018 · Published in #Security Advisories

CVE-2018-14774: Possible host header injection when using HttpCache
CVE-2018-14774 fixes a possible host header injection when using HttpCache
August 1, 2018 · Published in #Security Advisories

CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password
CVE-2018-11407 fixes unauthorized access to a misconfigured LDAP server when authenticating with an empty password.
May 25, 2018 · Published in #Security Advisories

CVE-2018-11408: Open redirect vulnerability on security handlers
CVE-2018-11408 fixes an open redirect vulnerability on DefaultAuthenticationSuccessHandler and DefaultAuthenticationFailureHandler.
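The kind of check a post-authentication redirect target needs, covering both this advisory and CVE-2018-19790 above. This is an added example, not Symfony's fix or code: `isSafeRedirectTarget`, the `$ownHost` parameter (assumed to come from application configuration, never from the request's Host header) and the sample targets are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical validation for a user-supplied redirect target such as a
// "_target_path"-style parameter. Illustrative only; not Symfony's code.
//   $target  : the redirect target taken from the request
//   $ownHost : the host this application is served under, from configuration
function isSafeRedirectTarget(string $target, string $ownHost): bool
{
    // Control characters and whitespace are handled inconsistently by URL
    // parsers, so reject them outright rather than trying to normalise.
    if (preg_match('/[\x00-\x20\x7f]/', $target) === 1) {
        return false;
    }

    // A root-relative path is fine, but "//evil" (protocol-relative) and
    // "/\evil" (which browsers normalise to "//evil") both leave the site.
    if ($target !== '' && $target[0] === '/') {
        return preg_match('#^/[/\\\\]#', $target) === 0;
    }

    // Anything else must be an absolute http(s) URL pointing at our own host.
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "https://app.example@attacker.example/" parses with host attacker.example;
    // refuse userinfo so a casual reader of the URL cannot be misled either.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return strtolower($parts['host']) === strtolower($ownHost);
}

// Constructed inputs for a manual run against an assumed own host.
$cases = [
    '/account',                               // root-relative path
    '//attacker.example/phish',               // protocol-relative
    '/\\attacker.example',                    // backslash variant of the above
    'https://app.example/profile',            // absolute URL, same host
    'https://attacker.example/',              // absolute URL, other host
    'javascript:alert(1)',                    // non-http scheme
    'https://app.example@attacker.example/',  // userinfo trick
];
foreach ($cases as $case) {
    printf("%-42s %s\n", $case, isSafeRedirectTarget($case, 'app.example') ? 'allow' : 'reject');
}
```

Only the first and fourth cases are allowed. The reason `$ownHost` is a configured value rather than the request's Host header is that a same-host comparison against an attacker-controlled header would turn a host header injection (compare CVE-2018-14774 above) straight back into an open redirect.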
May 25, 2018 · Published in #Security Advisories

CVE-2018-11406: CSRF Token Fixation
CVE-2018-11406 fixes a possible CSRF token fixation.
May 25, 2018 · Published in #Security Advisories