Security Advisories - symfony/symfony

symfony/symfony Security Advisories for v6.4.7 (7)

CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie

PKSA-yvfh-tnnw-3w9h CVE-2024-51996

Affected version: >=5.3.0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8

Reported by:
FriendsOfPHP/security-advisories
[LOW] CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

PKSA-vxd1-4ssb-3qdw CVE-2024-50342 GHSA-9c3x-r3wp-mgxm

Affected version: >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8

Reported by:
GitHub, FriendsOfPHP/security-advisories
[HIGH] CVE-2024-51736: Command execution hijack on Windows with Process class

PKSA-jdmc-h4p3-hds2 CVE-2024-51736 GHSA-qq5c-677p-737q

Affected version: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7

Reported by:
GitHub, FriendsOfPHP/security-advisories
[LOW] CVE-2024-50345: Open redirect via browser-sanitized URLs

PKSA-rb2q-qy38-2dj7 CVE-2024-50345 GHSA-mrqx-rp3w-jpjp

Affected version: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7

Reported by:
GitHub, FriendsOfPHP/security-advisories
[MEDIUM] CVE-2024-50340: Ability to change environment from query

PKSA-2dqt-6z5j-rcvr CVE-2024-50340 GHSA-x8vp-gf4q-mw5j

Affected version: >=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7

Reported by:
GitHub, FriendsOfPHP/security-advisories
[LOW] CVE-2024-50343: Incorrect response from Validator when input ends with ` `

PKSA-19z7-hn1j-mtcg CVE-2024-50343 GHSA-g3rh-rrhp-jhh9

Affected version: >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4

Reported by:
GitHub, FriendsOfPHP/security-advisories
[LOW] CVE-2024-50341: Security::login does not take into account custom user_checker

PKSA-nmpz-hw89-qbtt CVE-2024-50341 GHSA-jxgr-3v7q-3w9v

Affected version: >=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.10|>=7.0.0,<7.0.10|>=7.1.0,<7.1.3

Reported by:
GitHub, FriendsOfPHP/security-advisories

symfony/symfony Security Advisories for v6.4.7 (7)

CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie

[LOW] CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

[HIGH] CVE-2024-51736: Command execution hijack on Windows with Process class

[LOW] CVE-2024-50345: Open redirect via browser-sanitized URLs

[MEDIUM] CVE-2024-50340: Ability to change environment from query

[LOW] CVE-2024-50343: Incorrect response from Validator when input ends with ` `

[LOW] CVE-2024-50341: Security::login does not take into account custom user_checker