Twig CVE-2024-51755: Unguarded calls to __isset() and to array-accesses in a sandbox

Affected versions

Twig versions <3.11.2; >=3.12,<3.14.1 are affected by this security issue.

The issue has been fixed in Twig 3.11.2 and 3.14.1. Note that Twig versions 1 and 2 are not maintained anymore and are vulnerable.

Description

In a sandbox,… https://symfony.com/blog/cve-2024-51755-unguarded-calls-to-isset-and-to-array-accesses-in-a-sandbox?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

2mo | Symfony
CVE-2024-51736: Command execution hijack on Windows with Process class

Affected versions

Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Process component are affected by this security issue.

The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.

Description

On Window, when an executable… https://symfony.com/blog/cve-2024-51736-command-execution-hijack-on-windows-with-process-class?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

2mo | Symfony
CVE-2024-50345: Open redirect via browser-sanitized URLs

Affected versions

Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony HttpFoundation component are affected by this security issue.

The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.

Description

The Request class, does… https://symfony.com/blog/cve-2024-50345-open-redirect-via-browser-sanitized-urls?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

2mo | Symfony
CVE-2024-50343: Incorrect response from Validator when input ends with `\n`

Affected versions

Symfony versions <5.4.43; >=6, <6.4.11; >=7, <7.1.4 of the Symfony Validator component are affected by this security issue.

The issue has been fixed in Symfony 5.4.43, 6.4.11, and 7.1.4.

Description

It is possible to trick a… https://symfony.com/blog/cve-2024-50343-incorrect-response-from-validator-when-input-ends-with-n?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

2mo | Symfony
Symfony 5.4.46 released

Symfony 5.4.46 has just been released. Here is the list of the most important changes since 5.4.45:

bug #58772 [DoctrineBridge] Backport detection fix of Xml/Yaml driver in DoctrineExtension (@MatTheCat)

security #cve-2024-51736 [Process] Use PATH before… https://symfony.com/blog/symfony-5-4-46-released?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

2mo | Symfony
CVE-2024-50341: Security::login does not take into account custom user_checker

Affected versions

Symfony versions >=6.2, <6.4.10; >=7.0, <7.0.10; >=7.1, <7.1.3 of the Symfony SecurityBundle component are affected by this security issue.

The issue has been fixed in Symfony 6.4.10, 7.0.10, and 7.1.3.

Description

The custom… https://symfony.com/blog/cve-2024-50341-security-login-does-not-take-into-account-custom-user-checker?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

2mo | Symfony
CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

Affected versions

Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony HttpClient component are affected by this security issue.

The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.

Description

When using the NoPrivateNetworkHttpClient,… https://symfony.com/blog/cve-2024-50342-internal-address-and-port-enumeration-allowed-by-noprivatenetworkhttpclient?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

2mo | Symfony
CVE-2024-50340: Ability to change environment from query

Affected versions

Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Runtime component are affected by this security issue.

The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.

Description

When the register_argv_argc… https://symfony.com/blog/cve-2024-50340-ability-to-change-environment-from-query?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

2mo | Symfony
Symfony 6.4.14 released

Symfony 6.4.14 has just been released. Here is the list of the most important changes since 6.4.13:

bug #58772 [DoctrineBridge] Backport detection fix of Xml/Yaml driver in DoctrineExtension (@MatTheCat)

security #cve-2024-51736 [Process] Use PATH before… https://symfony.com/blog/symfony-6-4-14-released?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

2mo | Symfony
Symfony 7.1.7 released

Symfony 7.1.7 has just been released. Here is the list of the most important changes since 7.1.6:

bug #58772 [DoctrineBridge] Backport detection fix of Xml/Yaml driver in DoctrineExtension (@MatTheCat)

security #cve-2024-51736 [Process] Use PATH before… https://symfony.com/blog/symfony-7-1-7-released?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

2mo | Symfony

Members



Search