{"id":"CVE-2019-18886","details":"An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.","aliases":["GHSA-4vpc-5jx4-cfqg"],"modified":"2026-02-24T01:18:15.637393Z","published":"2019-11-21T18:15:11.820Z","references":[{"type":"ADVISORY","url":"https://github.com/symfony/symfony/releases/tag/v4.3.8"},{"type":"ADVISORY","url":"https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality"},{"type":"ADVISORY","url":"https://symfony.com/blog/symfony-4-3-8-released"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/security-http","events":[{"introduced":"13594beb3faaeea891aaae9eeea8ffde16a99faf"},{"last_affected":"a2f67dfe0ecfb713734847f4ada0f4231e28ae71"},{"introduced":"34e089af7d363bd2ded8ad15f06b2b97348b97e5"},{"last_affected":"a3eddd912d93a8c77ffee2b31448e13864257f4e"}]}],"versions":["v2.7.50","v2.8.49","v3.4.20","v3.4.21","v3.4.22","v3.4.23","v3.4.24","v3.4.25","v3.4.26","v3.4.27","v3.4.28","v3.4.29","v3.4.30","v3.4.31","v3.4.32","v3.4.33","v3.4.34","v3.4.35","v4.1.10","v4.1.11","v4.1.9","v4.2.0","v4.2.0-BETA2","v4.2.0-RC1","v4.2.1","v4.2.10","v4.2.11","v4.2.2","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v4.2.7","v4.2.8","v4.2.9","v4.3.0","v4.3.0-RC1","v4.3.1","v4.3.2","v4.3.3","v4.3.4","v4.3.5","v4.3.6","v4.3.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18886.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"0bf8d128ef3c492436ab5f1b7c7b130f9e96aad2"},{"last_affected":"fb4065ac95f08ca26ee605936e537ba2cd4a6bb7"},{"introduced":"7bd9a1bae87e6b2d7eba499ebf3053ff4bc3a483"},{"last_affected":"2ba6f17744ee8649ac107039f64d1ee4c959bf32"}]}],"versions":["v2.7.48","v2.7.49","v3.4.20","v3.4.21","v3.4.22","v3.4.23","v3.4.24","v3.4.25","v3.4.26","v3.4.27","v3.4.28","v3.4.29","v3.4.30","v3.4.31","v3.4.32","v3.4.33","v4.1.10","v4.1.9","v4.2.0","v4.2.1","v4.2.10","v4.2.11","v4.2.2","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v4.2.7","v4.2.8","v4.2.9","v4.3.0","v4.3.1","v4.3.2","v4.3.3","v4.3.4","v4.3.5","v4.3.6","v4.3.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18886.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}