Symfony · Symfony · CVE-2016-4423
**Name of the Vulnerable Software and Affected Versions**
Symfony versions prior to 2.3.41
Symfony versions 2.7.x prior to 2.7.13
Symfony versions 2.8.x prior to 2.8.6
Symfony versions 3.0.x prior to 3.0.6
**Description**
The issue lies in the `attemptAuthentication()` method of `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php`. Before the credentials are checked, the listener saves the submitted username into the session (under the `_security.last_username` key, `Security::LAST_USERNAME`) so that the login form can re-display it after a failed attempt. No upper bound is placed on the length of that value. A remote, unauthenticated attacker can therefore send a series of login requests, each carrying a very long, non-existent username and (typically) no session cookie, so that every request creates a fresh session whose payload is dominated by the attacker-controlled string. The result is a denial of service through session storage consumption; how quickly the backend fills depends on the configured session handler (files, database, Redis, etc.) and on the session garbage-collection settings. The fixed releases introduce `Security::MAX_USERNAME_LENGTH` (4096 characters) and reject longer usernames with a `BadCredentialsException` before anything is written to the session.
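The following is an added illustration written for this page, not Symfony's own code: a stripped-down model of the listener's behaviour before and after the fix, with session storage modelled as an in-memory array keyed by session id (the real listener writes to the framework session via `$request->getSession()->set(...)` and throws `BadCredentialsException`; the `RuntimeException`, the `storeBytes()` helper and the per-request session ids are assumptions made for this example). Running it shows why each failed attempt in the unbounded version costs roughly one username's worth of storage, while the bounded version stores nothing for over-long inputs.

```php
<?php
// Added example (not from the original page or from Symfony). Models the
// username handling of UsernamePasswordFormAuthenticationListener before and
// after the CVE-2016-4423 fix.

const LAST_USERNAME       = '_security.last_username'; // session key used by the listener
const MAX_USERNAME_LENGTH = 4096;                      // limit added by the fix

// Pre-fix behaviour: the username is stored in the session whatever its length.
// $store is a constructed stand-in for the session backend: one entry per session id.
function attemptAuthenticationUnbounded(array &$store, string $sessionId, string $username): void
{
    $store[$sessionId][LAST_USERNAME] = $username;
    // The provider lookup and password check would follow here. The username
    // does not exist, so authentication fails, but the session entry is already
    // persisted and survives the failed attempt.
}

// Post-fix behaviour: reject over-long usernames before touching the session.
// Symfony throws BadCredentialsException; RuntimeException is used here so the
// example runs without the framework.
function attemptAuthenticationBounded(array &$store, string $sessionId, string $username): void
{
    if (strlen($username) > MAX_USERNAME_LENGTH) {
        throw new RuntimeException('Invalid username.');
    }
    $store[$sessionId][LAST_USERNAME] = $username;
}

// Bytes occupied by the stored usernames (assumed helper; a real backend would
// also add serialisation and metadata overhead).
function storeBytes(array $store): int
{
    $total = 0;
    foreach ($store as $session) {
        foreach ($session as $value) {
            $total += strlen($value);
        }
    }
    return $total;
}

// Constructed attacker input: a 1 MiB username that matches no account.
$longUsername = str_repeat('A', 1024 * 1024);
$attempts     = 50;

// Each request arrives without a session cookie, so it gets a new session id.
$unbounded = [];
for ($i = 0; $i < $attempts; $i++) {
    attemptAuthenticationUnbounded($unbounded, "sess-$i", $longUsername);
}
printf("unbounded: %d sessions, %d bytes consumed\n", count($unbounded), storeBytes($unbounded));

$bounded  = [];
$rejected = 0;
for ($i = 0; $i < $attempts; $i++) {
    try {
        attemptAuthenticationBounded($bounded, "sess-$i", $longUsername);
    } catch (RuntimeException $e) {
        $rejected++;
    }
}
printf("bounded:   %d sessions, %d bytes consumed, %d attempts rejected\n",
    count($bounded), storeBytes($bounded), $rejected);
```

Run it with `php example.php`. The unbounded loop ends with 50 sessions holding about 50 MiB of attacker data; the bounded loop stores nothing and rejects all 50 attempts. Note that a 4096-character ceiling still lets an attacker create many small sessions, so session garbage collection and rate limiting on the login route remain worthwhile even on patched versions.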
**Recommendations**
For Symfony versions prior to 2.3.41, update to version 2.3.41 or later.
For Symfony versions 2.7.x prior to 2.7.13, update to version 2.7.13 or later.
For Symfony versions 2.8.x prior to 2.8.6, update to version 2.8.6 or later.
For Symfony versions 3.0.x prior to 3.0.6, update to version 3.0.6 or later.
To confirm which version is installed, run `composer show symfony/symfony` (or inspect `Symfony\Component\HttpKernel\Kernel::VERSION`), and after updating check that `Symfony\Component\Security\Core\Security::MAX_USERNAME_LENGTH` is defined. Applications that use the standalone `symfony/security` or `symfony/security-http` packages should update those packages to the corresponding fixed releases.