VDB
KO
MEDIUM

GHSA-8wx3-8m4x-g5h4

FOSUserBundle User Identity Validation Vulnerability

Details

Versions of FOSUserBundle prior to 1.2.1 have been found to be vulnerable to a security issue related to user identity validation. Specifically, user refreshing was performed using the primary key instead of the username, leading to a potential security risk if a user is allowed to change their username. The fix in version 1.2.1 addresses this issue by loading the user using the primary key during refreshing.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / friendsofsymfony/user-bundle
Introduced in: 1.0.0 Fixed in: 1.2.1
Fix composer require friendsofsymfony/user-bundle:^1.2.1

References