
FOSUserBundle User Identity Validation Vulnerability

Moderate severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database • Updated May 15, 2024

Package

composer friendsofsymfony/user-bundle (Composer)

Affected versions

>= 1.2.0, < 1.2.1

Patched versions

1.2.1

Description

Versions of FOSUserBundle prior to 1.2.1 are vulnerable to a user identity validation issue. When Symfony re-loads the authenticated user from storage at the start of each request (the provider's refreshUser() step), the bundle looked the user up by username rather than by primary key. The username is a mutable attribute, so on installations that allow users to change their username the session was bound to a value that could stop identifying the account that logged in: once a user had been renamed, the refresh could fail, or, if the old username was taken by another account, resolve to that other account. Version 1.2.1 fixes this by loading the user by primary key during refreshing. To check an installation, compare the installed version (`composer show friendsofsymfony/user-bundle`) against the affected range above.
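The refresh step described above, as an added example that is not FOSUserBundle's or Symfony's own code: a minimal stand-in for a user provider's refreshUser() with an in-memory repository, showing the pre-1.2.1 behaviour (refresh by username) next to the 1.2.1 behaviour (refresh by primary key). Class names, the repository and the scenario are constructed for illustration.

```php
<?php
// Added example, not FOSUserBundle code. Class and method names are assumptions
// chosen to mirror the shape of a Symfony user provider, not the bundle's own.

final class User
{
    public function __construct(public readonly int $id, public string $username) {}
}

/** Hypothetical in-memory stand-in for the user repository. */
final class UserRepository
{
    /** @var array<int, User> */
    private array $byId = [];

    public function save(User $user): void
    {
        $this->byId[$user->id] = $user;
    }

    public function findById(int $id): ?User
    {
        return $this->byId[$id] ?? null;
    }

    public function findByUsername(string $username): ?User
    {
        foreach ($this->byId as $user) {
            if ($user->username === $username) {
                return $user;
            }
        }
        return null;
    }
}

interface UserProvider
{
    /** Re-load the session's user from storage at the start of each request. */
    public function refreshUser(User $sessionUser): User;
}

/** Pre-1.2.1 behaviour: the identity that survives across requests is the username. */
final class UsernameRefreshingProvider implements UserProvider
{
    public function __construct(private UserRepository $repo) {}

    public function refreshUser(User $sessionUser): User
    {
        $user = $this->repo->findByUsername($sessionUser->username);
        if ($user === null) {
            throw new RuntimeException('User not found: ' . $sessionUser->username);
        }
        return $user;
    }
}

/** 1.2.1 behaviour: the identity that survives across requests is the primary key. */
final class IdRefreshingProvider implements UserProvider
{
    public function __construct(private UserRepository $repo) {}

    public function refreshUser(User $sessionUser): User
    {
        $user = $this->repo->findById($sessionUser->id);
        if ($user === null) {
            throw new RuntimeException('User not found: id ' . $sessionUser->id);
        }
        return $user;
    }
}

// Constructed scenario: alice (id 1) logs in, so a copy of her User object is
// serialized into the session. She then renames her account, and a second
// account registers her old username.
$repo = new UserRepository();
$alice = new User(1, 'alice');
$repo->save($alice);
$sessionUser = clone $alice;          // what the session holds after login

$alice->username = 'alice_renamed';   // alice changes her username
$repo->save(new User(2, 'alice'));    // another account takes the old name

foreach ([new UsernameRefreshingProvider($repo), new IdRefreshingProvider($repo)] as $provider) {
    $refreshed = $provider->refreshUser($sessionUser);
    printf("%-26s -> id=%d username=%s\n", $provider::class, $refreshed->id, $refreshed->username);
}
```

Run with `php example.php` (PHP 8.1 or later for the promoted readonly property). The username-based provider resolves the session to id 2, so the original session now acts as the account that merely registered the old username; the id-based provider resolves it to id 1 under its new username, which is the behaviour 1.2.1 restores. The fix assumes the primary key is immutable, which is the property the username lacked.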

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-8wx3-8m4x-g5h4