Symfony/security-http

This hub aggregates every CVE we track for Symfony/security-http, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Symfony/security-http.

• CVE-2024-36611In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request...7.5Nov 29, 2024
• CVE-2024-51996Symphony has an Authentication Bypass via RememberMe7.5Nov 13, 2024
• CVE-2023-46733Symfony possible session fixation vulnerability6.5Nov 10, 2023
• CVE-2021-32693Authentication granted with multiple firewalls6.8Jun 17, 2021
• CVE-2021-21424Prevent user enumeration using Guard or the new Authenticator-based Security5.3May 13, 2021
• CVE-2020-5275Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http7.6Mar 30, 2020
• CVE-2019-18886An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauth...5.3Nov 21, 2019
• CVE-2019-10911In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites wi...7.5May 16, 2019
• CVE-2018-19790An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `...6.1Dec 18, 2018
• CVE-2018-11385An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerab...8.1Jun 13, 2018
• CVE-2018-11406An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's sessio...8.8Jun 13, 2018
• CVE-2017-16652An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler...6.1Jun 13, 2018
• CVE-2016-4423The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x be...7.5Jun 1, 2016
• CVE-2015-8125Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Htt...7.5Dec 7, 2015
• CVE-2015-8124Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a se...6.8Dec 7, 2015