| CVE-2016-2403 |
critical |
9.8 |
9.8 |
|
|
|
9y ago |
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. |
| CVE-2016-4423 |
high |
7.5 |
7.5 |
|
|
|
10y ago |
The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x befo… |
| CVE-2016-1902 |
high |
7.5 |
7.5 |
|
|
|
10y ago |
The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the par… |
| CVE-2015-8125 |
high |
— |
7.5 |
|
|
|
11y ago |
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/… |
| CVE-2015-8124 |
medium |
— |
6.8 |
|
|
|
11y ago |
Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a sess… |
| CVE-2012-6431 |
medium |
— |
6.4 |
|
|
|
14y ago |
Symfony Allows URI Restrictions Bypass Via Double-Encoded String |
| CVE-2013-5958 |
medium |
— |
5.0 |
|
|
|
12y ago |
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a lon… |