Symfony · Symfony · CVE-2012-6431
**Name of the Vulnerable Software and Affected Versions**
Symfony versions 2.0.x before 2.0.20
**Description**
The issue allows remote attackers to bypass intended URI restrictions via a doubly encoded string. The cause is inconsistent processing of URL-encoded data between the Routing and Security components: the Routing component decodes the path a second time, whereas the Security component does not, so the two components can see different paths for the same request. A doubly encoded path can therefore fail to match a firewall's access rule while still matching the protected route, allowing access to routes protected by a firewall even when the user is not logged in.
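The following simulation of the mismatch described above, and of the consistent handling that removes it, is an added example and not Symfony's own code; `ACCESS_RULES`, `ROUTES`, `dispatch` and `decoding_mismatch` are constructed stand-ins for a firewall access rule, a route collection and the request flow.

```python
import re
from urllib.parse import unquote

# Constructed sample configuration: one firewall access rule and two routes.
ACCESS_RULES = [(re.compile(r"^/admin"), "ROLE_ADMIN")]
ROUTES = {"/admin": "admin_dashboard", "/": "homepage"}


def security_view(raw_path):
    """Path as an access-control check that decodes once sees it."""
    return unquote(raw_path)


def routing_view(raw_path):
    """Path as a router that decodes a second time sees it."""
    return unquote(unquote(raw_path))


def required_role(path):
    """Returns the role an access rule demands for this path, or None."""
    for pattern, role in ACCESS_RULES:
        if pattern.search(path):
            return role
    return None


def dispatch(raw_path, user_roles, consistent):
    """consistent=False: access control and routing decode differently (the bug).
    consistent=True: one canonical path is computed once and reused by both."""
    if consistent:
        acl_path = route_path = security_view(raw_path)
    else:
        acl_path, route_path = security_view(raw_path), routing_view(raw_path)
    role = required_role(acl_path)
    if role is not None and role not in user_roles:
        return "denied"
    return ROUTES.get(route_path, "not_found")


def decoding_mismatch(raw_path):
    """Audit helper: True when the two components would disagree on the path."""
    return security_view(raw_path) != routing_view(raw_path)


if __name__ == "__main__":
    for raw in ("/admin", "/%61dmin", "/%2561dmin"):
        print(raw, dispatch(raw, [], False), dispatch(raw, [], True), decoding_mismatch(raw))
```

With the inconsistent flow an anonymous request for the doubly encoded path reaches the protected route; with one shared canonical path it is simply not found, and `decoding_mismatch` flags any request on which the two views diverge.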
**Recommendations**
For Symfony versions 2.0.x before 2.0.20, update to version 2.0.20 or later to resolve the issue. As a temporary workaround, consider restricting access to protected routes until the update is applied.