CVE-2018-11406

HIGH

Symfony Security 2.7.0-2.7.47 - Cross-Site Request Forgery Token Fixation via Session Invalidation Bypass

Title source: llm
STIX 2.1

Description

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

References (5)

Core 5
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4262

Scores

CVSS v3 8.8
EPSS 0.0076
EPSS Percentile 50.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (6)
debian/debian_linux 9.0
sensiolabs/symfony 2.7.0 - 2.7.48
symfony/security 2.7.0 - 2.7.48Packagist
symfony/security-bundle 2.7.0 - 2.7.48Packagist
symfony/security-http 2.7.0 - 2.7.48Packagist
symfony/symfony 2.7.0 - 2.7.48Packagist
Published Jun 13, 2018
Tracked Since Feb 18, 2026