SensioLabs Symfony 1.4.9

CPE Details

Version 1.4.9
2012-06-08 14:12 +00:00
2012-12-21 15:45 +00:00

CPE Name: cpe:2.3:a:sensiolabs:symfony:1.4.9:*:*:*:*:*:*:*

Informations

Vendor

sensiolabs

Product

symfony

Version

1.4.9

Related CVE

Note: this list is the CPE match for the Symfony product as a whole, not for 1.4.9 specifically. Only CVE-2012-5574 and CVE-2012-2667 below name the 1.4.x branch in their own descriptions (fixed in 1.4.20 and 1.4.18 respectively); the other entries describe Symfony 2.x and later.

CVE-2022-23601
Published: 2022-02-01 11:17 +00:00
Score: 8.8 (High)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled in the configuration. If the configuration is not specified, by default the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior was dropped and, as a result, CSRF protection is not enabled in forms unless explicitly enabled, which makes the application susceptible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.
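The practical lesson of CVE-2022-23601 is not to depend on an implicit default for CSRF. The following is an added example (not code from the Symfony project or from this page): a form type that pins CSRF protection on the form itself. The class name, field name and token id are illustrative assumptions; the `csrf_protection`, `csrf_field_name` and `csrf_token_id` options are the Form component's own, provided by its CSRF extension.

```php
<?php
// Added example, not Symfony's own code. Assumes symfony/form and
// symfony/security-csrf are installed so the CSRF form extension is registered.
namespace App\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;

final class ProfileType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        // Illustrative field; any state-changing form needs the same protection.
        $builder->add('displayName', TextType::class);
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        $resolver->setDefaults([
            // Set explicitly on the form so a change in the global default
            // (the regression CVE-2022-23601 describes) cannot silently turn it off.
            'csrf_protection' => true,
            'csrf_field_name' => '_token',
            // A per-form token id keeps tokens from one form from being
            // replayed against another.
            'csrf_token_id'   => 'profile_form',
        ]);
    }
}
```

Also set `framework.csrf_protection: true` explicitly in the FrameworkBundle configuration rather than leaving it unset. The check that matters is on the rendered page, because if the CSRF form extension is not registered, `setDefaults` merely defines an inert option and nothing is protected: a protected form carries a hidden `_token` input, and a POST that omits or alters it must come back with a form error, not be processed.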
CVE-2017-18343
Published: 2018-07-19 22:00 +00:00
Score: 6.1 (Medium)
The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar.
CVE-2016-1902
Published: 2016-06-01 20:00 +00:00
Score: 7.5 (High)
The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.
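The failure mode in CVE-2016-1902 is a random-bytes routine that falls back to something deterministic when the OS source is unavailable. As an added example (not Symfony's SecureRandom and not code from this page), the sketch below places a weak fallback beside a fail-closed replacement. The seeded hash chain in `weakBytes` is an illustration of the class of fallback, not the original implementation.

```php
<?php
// Added example, not Symfony's code. Function names are illustrative.

// FAILURE MODE: when the strong source is unavailable, fall back to a hash chain
// over a guessable seed. Every token derived from it is predictable.
function weakBytes(int $n): string
{
    $bytes = openssl_random_pseudo_bytes($n, $strong);
    if ($bytes !== false && $strong === true) {
        return $bytes;
    }
    $state = hash('sha512', (string) microtime(true) . getmypid(), true);
    $out = '';
    while (strlen($out) < $n) {
        $state = hash('sha512', $state, true);
        $out .= $state;
    }
    return substr($out, 0, $n);
}

// HARDENED: return bytes only if they came from a CSPRNG; otherwise refuse.
function secureBytes(int $n): string
{
    if ($n < 1) {
        throw new InvalidArgumentException('at least one byte required');
    }
    // PHP 7+ natively; on PHP 5.x this exists only when paragonie/random_compat is installed,
    // which is exactly the dependency the advisory names.
    if (function_exists('random_bytes')) {
        return random_bytes($n);
    }
    $bytes = openssl_random_pseudo_bytes($n, $strong);
    // $strong === true is the part the weak path ignores.
    if ($bytes !== false && $strong === true && strlen($bytes) === $n) {
        return $bytes;
    }
    throw new RuntimeException('no cryptographically strong RNG available; refusing to fall back');
}
```

When auditing a PHP 5 codebase for this pattern, look for callers of `openssl_random_pseudo_bytes` that discard the `$strong` flag, and for any branch that reaches `mt_rand`, `uniqid` or a hash of `microtime` when the primary source fails; the correct behaviour on that branch is to throw.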
CVE-2016-4423
Published: 2016-06-01 20:00 +00:00
Score: 7.5 (High)
The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.
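The point of CVE-2016-4423 is ordering: the submitted username was written to the session before anything checked it, so each failed attempt with a huge username cost the session store that many bytes. As an added example (not Symfony's listener and not code from this page), the function below applies the bound before the write. The 4096-byte limit matches the `Security::MAX_USERNAME_LENGTH` constant Symfony adopted in its fix; the session key and the rest of the sketch are illustrative.

```php
<?php
// Added example, not Symfony's code. Names other than the 4096 bound are illustrative.

const MAX_USERNAME_LENGTH = 4096;
const LAST_USERNAME_KEY = '_security.last_username';

final class BadCredentials extends RuntimeException {}

/**
 * Returns the username that may be stored in the session, or throws.
 * Rejecting here, before any session write, is the whole fix: a rejected
 * attempt leaves nothing behind in the session store.
 */
function usernameForSession(array $post, string $field = '_username'): string
{
    $username = $post[$field] ?? '';
    if (!is_string($username)) {
        throw new BadCredentials('Invalid username.');
    }
    $username = trim($username);
    // strlen counts bytes, which is what the session backend actually consumes.
    if (strlen($username) > MAX_USERNAME_LENGTH) {
        throw new BadCredentials('Invalid username.');
    }
    return $username;
}

function rememberLastUsername(array $post, array &$session): void
{
    // Vulnerable ordering (before the fix): $session[LAST_USERNAME_KEY] = $post['_username'];
    // Fixed ordering: validate first, store second.
    $session[LAST_USERNAME_KEY] = usernameForSession($post);
}

// Constructed sample request: a non-existent username well past the bound.
$attack = ['_username' => str_repeat('A', 1 << 20), '_password' => 'x'];
$session = [];
try {
    rememberLastUsername($attack, $session);
} catch (BadCredentials $e) {
    // $session is still empty: the attempt cost nothing in storage.
}
```

For a file- or database-backed session store, the regression test is to replay a few hundred failed logins with multi-kilobyte usernames and confirm the store's size stays flat; before the fix it grows by roughly one username per attempt.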
CVE-2012-5574
Published: 2012-12-18 00:00 +00:00
Score: 5
lib/form/sfForm.class.php in Symfony CMS before 1.4.20 allows remote attackers to read arbitrary files via a crafted upload request.
CVE-2012-2667
Published: 2012-06-07 17:00 +00:00
Score: 4.3
Session fixation vulnerability in lib/user/sfBasicSecurityUser.class.php in SensioLabs Symfony before 1.4.18 allows remote attackers to hijack web sessions via vectors related to the regenerate method and unspecified "database backed session classes."
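Session fixation is defeated by issuing a fresh session id at the moment authentication state changes and making sure the old id is actually destroyed in the backend. As an added example (not sfBasicSecurityUser and not code from this page), the functions below do that with PHP's native session API; the session keys are illustrative assumptions.

```php
<?php
// Added example, not symfony 1.x code. Session key names are illustrative.

function signIn(string $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // true: destroy the old session data rather than leaving it alive under the
    // id an attacker may have planted. With a custom save handler this calls the
    // handler's destroy() for the old id, so a database-backed handler must
    // actually delete that row, which is the "database backed session classes"
    // angle in CVE-2012-2667.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('could not rotate session id');
    }
    $_SESSION['user_id'] = $userId;
    $_SESSION['authenticated_at'] = time();
}

function signOut(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie client-side as well as destroying the server-side record.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

To check an application for this class of bug, set the session cookie to a value of your choosing before logging in, then confirm that the login response sets a different id and that a request carrying the original id is treated as anonymous; if the original id still resolves to the authenticated session, regeneration either did not happen or did not destroy the old record.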