Improper Authentication The advisory has been revoked - it doesn't affect any version of package symfony/security Open this link in a new tab
Threat Intelligence
EPSS
0.13% (48th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-SYMFONYSECURITY-1925887
- published 24 Nov 2021
- disclosed 24 Nov 2021
- credit Thibaut Decherit, Wouter J
Introduced: 24 Nov 2021
CVE-2021-41268 Open this link in a new tabAmendment
This was deemed not a vulnerability.
Overview
symfony/security is a security component which provides a complete security system for a symfony web application.
Affected versions of this package are vulnerable to Improper Authentication since the remember me cookie is not invalidated anymore after the user changes its password.
Attackers can maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie.