CSRF Token Fixation Affecting symfony/security-bundle package, versions <2.7.48 >=2.8.0, <2.8.41 >=3.0.0, <3.3.17 >=3.4.0, <3.4.11 >=4.0.0, <4.0.11
Threat Intelligence
EPSS
0.28% (70th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-SYMFONYSECURITYBUNDLE-72190
- published 30 May 2018
- disclosed 30 May 2018
- credit Kevin Liagre
Introduced: 30 May 2018
CVE-2018-11406 Open this link in a new tabHow to fix?
Upgrade symfony/security-bundle
to versions 2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11 or higher.
Overview
symfony/security-bundle is a security component for symphony.
Affected versions of this package are vulnerable to CSRF Token Fixation. CSRF tokens where not erased during logout, when the invalidate_session
option was disabled. By default, a user’s session is invalidated when the user is logged out.
References
CVSS Scores
version 3.1