From https://secunia.com/advisories/51660/ :

Description
A vulnerability has been reported in Symfony, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error when handling URL-encoded paths and can be exploited to bypass a security rule by using double-URL-encoded paths. The vulnerability is reported in versions 2.0.0 through 2.0.19.

Solution
Update to version 2.0.20.

From https://secunia.com/advisories/51662/ :

Description
A vulnerability has been reported in Symfony, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error when handling _internal routes via the "render" tag and can be exploited to execute arbitrary Controller or Services by using a specially crafted path. Successful exploitation requires _internal routes to be enabled. The vulnerability is reported in all 2.0.x and 2.1.x versions.

Solution
Please see the vendor's advisory for recommended workarounds.

Provided and/or discovered by
The vendor credits Victor Berchet.

Original Advisory
http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released

@maintainer: Since 1.x is no longer supported, you need to check if the latter is valid.
Both of these issues are not valid. Besides, symfony has been masked for removal anyways.
(In reply to Ole Markus With from comment #1)
> Both of these issues are not valid. Besides, symfony has been masked for
> removal anyways.

Yep, we have no vulnerable versions of symfony in tree