Detections
Analytics

Debian dsa-6317 : php-symfony - security update

critical Nessus Plugin ID 318254

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6317 advisory.

 - ------------------------------------------------------------------------- Debian Security Advisory DSA-6317-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 01, 2026 https://www.debian.org/security/faq
 - -------------------------------------------------------------------------

 Package : symfony CVE ID : CVE-2024-50340 CVE-2026-45063 CVE-2026-45065 CVE-2026-45067 CVE-2026-45068 CVE-2026-45071 CVE-2026-45073 CVE-2026-45077 CVE-2026-45133 CVE-2026-45304 CVE-2026-45305 CVE-2026-46626 CVE-2026-48489 CVE-2026-48736 CVE-2026-48784

 Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to a bypass of security controls, cross-site scripting, denial of service, SQL injection, email header injection, information disclosure or code execution via PHP object deserialization.

 For the oldstable distribution (bookworm), these problems have been fixed in version 5.4.53+dfsg-0+deb12u1.

 We recommend that you upgrade your symfony packages.

 For the detailed security status of symfony please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/symfony

 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

 Mailing list: [email protected]

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the php-symfony packages.

See Also

https://security-tracker.debian.org/tracker/source-package/symfony

https://security-tracker.debian.org/tracker/CVE-2024-50340

https://security-tracker.debian.org/tracker/CVE-2026-45063

https://security-tracker.debian.org/tracker/CVE-2026-45065

https://security-tracker.debian.org/tracker/CVE-2026-45067

https://security-tracker.debian.org/tracker/CVE-2026-45068

https://security-tracker.debian.org/tracker/CVE-2026-45071

https://security-tracker.debian.org/tracker/CVE-2026-45073

https://security-tracker.debian.org/tracker/CVE-2026-45077

https://security-tracker.debian.org/tracker/CVE-2026-45133

https://security-tracker.debian.org/tracker/CVE-2026-45304

https://security-tracker.debian.org/tracker/CVE-2026-45305

https://security-tracker.debian.org/tracker/CVE-2026-46626

https://security-tracker.debian.org/tracker/CVE-2026-48489

https://security-tracker.debian.org/tracker/CVE-2026-48736

https://security-tracker.debian.org/tracker/CVE-2026-48784

https://packages.debian.org/source/bookworm/symfony

Plugin Details

Severity: Critical

ID: 318254

File Name: debian_DSA-6317.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/2/2026

Updated: 6/2/2026

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2024-50340

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-45077

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:php-symfony-sendgrid-mailer, p-cpe:/a:debian:debian_linux:php-symfony-framework-bundle, p-cpe:/a:debian:debian_linux:php-symfony-zulip-notifier, p-cpe:/a:debian:debian_linux:php-symfony-amazon-sns-notifier, p-cpe:/a:debian:debian_linux:php-symfony-mattermost-notifier, p-cpe:/a:debian:debian_linux:php-symfony-browser-kit, p-cpe:/a:debian:debian_linux:php-symfony-filesystem, p-cpe:/a:debian:debian_linux:php-symfony-ldap, p-cpe:/a:debian:debian_linux:php-symfony-routing, p-cpe:/a:debian:debian_linux:php-symfony-http-kernel, p-cpe:/a:debian:debian_linux:php-symfony-one-signal-notifier, p-cpe:/a:debian:debian_linux:php-symfony-esendex-notifier, p-cpe:/a:debian:debian_linux:php-symfony-fake-chat-notifier, p-cpe:/a:debian:debian_linux:php-symfony-mercure-notifier, p-cpe:/a:debian:debian_linux:php-symfony-sendinblue-mailer, p-cpe:/a:debian:debian_linux:php-symfony-gateway-api-notifier, p-cpe:/a:debian:debian_linux:php-symfony-lock, p-cpe:/a:debian:debian_linux:php-symfony-security-core, p-cpe:/a:debian:debian_linux:php-symfony-smsapi-notifier, p-cpe:/a:debian:debian_linux:php-symfony-expression-language, p-cpe:/a:debian:debian_linux:php-symfony-http-foundation, p-cpe:/a:debian:debian_linux:php-symfony-inflector, p-cpe:/a:debian:debian_linux:php-symfony-yunpian-notifier, p-cpe:/a:debian:debian_linux:php-symfony-security-csrf, p-cpe:/a:debian:debian_linux:php-symfony-mailchimp-mailer, p-cpe:/a:debian:debian_linux:php-symfony-process, p-cpe:/a:debian:debian_linux:php-symfony-amqp-messenger, p-cpe:/a:debian:debian_linux:php-symfony-event-dispatcher, p-cpe:/a:debian:debian_linux:php-symfony-security-http, p-cpe:/a:debian:debian_linux:php-symfony-clickatell-notifier, p-cpe:/a:debian:debian_linux:php-symfony-notifier, p-cpe:/a:debian:debian_linux:php-symfony-semaphore, p-cpe:/a:debian:debian_linux:php-symfony-monolog-bridge, p-cpe:/a:debian:debian_linux:php-symfony-sms-biuras-notifier, p-cpe:/a:debian:debian_linux:php-symfony-slack-notifier, p-cpe:/a:debian:debian_linux:php-symfony-serializer, p-cpe:/a:debian:debian_linux:php-symfony-twilio-notifier, p-cpe:/a:debian:debian_linux:php-symfony-string, p-cpe:/a:debian:debian_linux:php-symfony-ovh-cloud-notifier, p-cpe:/a:debian:debian_linux:php-symfony-telnyx-notifier, p-cpe:/a:debian:debian_linux:php-symfony-web-link, p-cpe:/a:debian:debian_linux:php-symfony, p-cpe:/a:debian:debian_linux:php-symfony-turbo-sms-notifier, p-cpe:/a:debian:debian_linux:php-symfony-all-my-sms-notifier, p-cpe:/a:debian:debian_linux:php-symfony-debug-bundle, p-cpe:/a:debian:debian_linux:php-symfony-property-access, p-cpe:/a:debian:debian_linux:php-symfony-security-guard, p-cpe:/a:debian:debian_linux:php-symfony-stopwatch, p-cpe:/a:debian:debian_linux:php-symfony-uid, p-cpe:/a:debian:debian_linux:php-symfony-config, p-cpe:/a:debian:debian_linux:php-symfony-smsc-notifier, p-cpe:/a:debian:debian_linux:php-symfony-mime, p-cpe:/a:debian:debian_linux:php-symfony-cache, p-cpe:/a:debian:debian_linux:php-symfony-firebase-notifier, p-cpe:/a:debian:debian_linux:php-symfony-twig-bundle, p-cpe:/a:debian:debian_linux:php-symfony-mobyt-notifier, p-cpe:/a:debian:debian_linux:php-symfony-finder, p-cpe:/a:debian:debian_linux:php-symfony-google-mailer, p-cpe:/a:debian:debian_linux:php-symfony-redis-messenger, p-cpe:/a:debian:debian_linux:php-symfony-mailjet-mailer, p-cpe:/a:debian:debian_linux:php-symfony-vonage-notifier, p-cpe:/a:debian:debian_linux:php-symfony-light-sms-notifier, p-cpe:/a:debian:debian_linux:php-symfony-free-mobile-notifier, p-cpe:/a:debian:debian_linux:php-symfony-octopush-notifier, p-cpe:/a:debian:debian_linux:php-symfony-security-bundle, p-cpe:/a:debian:debian_linux:php-symfony-doctrine-bridge, p-cpe:/a:debian:debian_linux:php-symfony-intl, p-cpe:/a:debian:debian_linux:php-symfony-dom-crawler, p-cpe:/a:debian:debian_linux:php-symfony-lokalise-translation-provider, p-cpe:/a:debian:debian_linux:php-symfony-sendinblue-notifier, p-cpe:/a:debian:debian_linux:php-symfony-fake-sms-notifier, p-cpe:/a:debian:debian_linux:php-symfony-error-handler, p-cpe:/a:debian:debian_linux:php-symfony-postmark-mailer, p-cpe:/a:debian:debian_linux:php-symfony-discord-notifier, p-cpe:/a:debian:debian_linux:php-symfony-mailjet-notifier, p-cpe:/a:debian:debian_linux:php-symfony-nexmo-notifier, p-cpe:/a:debian:debian_linux:php-symfony-property-info, p-cpe:/a:debian:debian_linux:php-symfony-spot-hit-notifier, p-cpe:/a:debian:debian_linux:php-symfony-translation, p-cpe:/a:debian:debian_linux:php-symfony-phpunit-bridge, p-cpe:/a:debian:debian_linux:php-symfony-doctrine-messenger, p-cpe:/a:debian:debian_linux:php-symfony-infobip-notifier, p-cpe:/a:debian:debian_linux:php-symfony-css-selector, p-cpe:/a:debian:debian_linux:php-symfony-loco-translation-provider, p-cpe:/a:debian:debian_linux:php-symfony-workflow, p-cpe:/a:debian:debian_linux:php-symfony-telegram-notifier, p-cpe:/a:debian:debian_linux:php-symfony-oh-my-smtp-mailer, p-cpe:/a:debian:debian_linux:php-symfony-var-dumper, p-cpe:/a:debian:debian_linux:php-symfony-google-chat-notifier, p-cpe:/a:debian:debian_linux:php-symfony-crowdin-translation-provider, p-cpe:/a:debian:debian_linux:php-symfony-validator, p-cpe:/a:debian:debian_linux:php-symfony-mailgun-mailer, p-cpe:/a:debian:debian_linux:php-symfony-sinch-notifier, p-cpe:/a:debian:debian_linux:php-symfony-linked-in-notifier, p-cpe:/a:debian:debian_linux:php-symfony-runtime, p-cpe:/a:debian:debian_linux:php-symfony-web-profiler-bundle, p-cpe:/a:debian:debian_linux:php-symfony-expo-notifier, p-cpe:/a:debian:debian_linux:php-symfony-microsoft-teams-notifier, p-cpe:/a:debian:debian_linux:php-symfony-http-client, p-cpe:/a:debian:debian_linux:php-symfony-beanstalkd-messenger, p-cpe:/a:debian:debian_linux:php-symfony-rocket-chat-notifier, cpe:/o:debian:debian_linux:12.0, p-cpe:/a:debian:debian_linux:php-symfony-message-bird-notifier, p-cpe:/a:debian:debian_linux:php-symfony-iqsms-notifier, p-cpe:/a:debian:debian_linux:php-symfony-password-hasher, p-cpe:/a:debian:debian_linux:php-symfony-proxy-manager-bridge, p-cpe:/a:debian:debian_linux:php-symfony-form, p-cpe:/a:debian:debian_linux:php-symfony-messenger, p-cpe:/a:debian:debian_linux:php-symfony-amazon-sqs-messenger, p-cpe:/a:debian:debian_linux:php-symfony-console, p-cpe:/a:debian:debian_linux:php-symfony-sms77-notifier, p-cpe:/a:debian:debian_linux:php-symfony-templating, p-cpe:/a:debian:debian_linux:php-symfony-dependency-injection, p-cpe:/a:debian:debian_linux:php-symfony-mailer, p-cpe:/a:debian:debian_linux:php-symfony-twig-bridge, p-cpe:/a:debian:debian_linux:php-symfony-asset, p-cpe:/a:debian:debian_linux:php-symfony-options-resolver, p-cpe:/a:debian:debian_linux:php-symfony-var-exporter, p-cpe:/a:debian:debian_linux:php-symfony-amazon-mailer, p-cpe:/a:debian:debian_linux:php-symfony-yaml, p-cpe:/a:debian:debian_linux:php-symfony-rate-limiter, p-cpe:/a:debian:debian_linux:php-symfony-dotenv, p-cpe:/a:debian:debian_linux:php-symfony-gitter-notifier, p-cpe:/a:debian:debian_linux:php-symfony-message-media-notifier

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/1/2026

Vulnerability Publication Date: 11/6/2024

Reference Information

CVE: CVE-2024-50340, CVE-2026-45063, CVE-2026-45065, CVE-2026-45067, CVE-2026-45068, CVE-2026-45071, CVE-2026-45073, CVE-2026-45077, CVE-2026-45133, CVE-2026-45304, CVE-2026-45305, CVE-2026-46626, CVE-2026-48489, CVE-2026-48736, CVE-2026-48784