GHSA-8wx3-8m4x-g5h4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8wx3-8m4x-g5h4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8wx3-8m4x-g5h4/GHSA-8wx3-8m4x-g5h4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8wx3-8m4x-g5h4
- Published
- 2024-05-15T21:43:23Z
- Modified
- 2024-11-29T05:33:04.026197Z
- Summary
- FOSUserBundle User Identity Validation Vulnerability
- Details
-
Versions of FOSUserBundle prior to 1.2.1 have been found to be vulnerable to a security issue related to user identity validation. Specifically, user refreshing was performed using the primary key instead of the username, leading to a potential security risk if a user is allowed to change their username. The fix in version 1.2.1 addresses this issue by loading the user using the primary key during refreshing.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-285" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-05-15T21:43:23Z" }- References
-
- https://github.com/FriendsOfSymfony/FOSUserBundle/commit/5a36e2958068d1e6501dc8cf39bbae3ebb859d9f
- https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/2012-07-10-1.yaml
- https://github.com/FriendsOfSymfony/FOSUserBundle
- https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Changelog.md
Affected packages
Packagist / friendsofsymfony/user-bundle
Package
- Name
- friendsofsymfony/user-bundle
- Purl
- pkg:composer/friendsofsymfony/user-bundle