Jakub Zalas

#52077de 53,635
4.3 CVSS total
Vulnerabilities · 1
PT-2015-6398
4.3
2015-05-31
Symfony · Symfony · CVE-2015-4050
**Name of the Vulnerable Software and Affected Versions**

- Symfony versions 2.3.19 through 2.3.28
- Symfony versions 2.4.9 through 2.4.10
- Symfony versions 2.5.4 through 2.5.11
- Symfony versions 2.6.0 through 2.6.7

**Description**

The issue allows remote attackers to bypass URL signing and security rules by including no hash or an invalid hash in a request to the `/_fragment` endpoint when ESI or SSI support is enabled. This occurs because the `FragmentListener` in the `HttpKernel` component does not check whether the `_controller` attribute is set.

**Recommendations**

- For Symfony versions 2.3.19 through 2.3.28, update to version 2.3.29 to resolve the issue.
- For Symfony versions 2.4.9 through 2.4.10, there is no fix available, as this version is no longer maintained.
- For Symfony versions 2.5.4 through 2.5.11, update to version 2.5.12 to resolve the issue.
- For Symfony versions 2.6.0 through 2.6.7, update to version 2.6.8 to resolve the issue.