Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2018-11406

Опубликовано: 13 июн. 2018
Источник: debian
EPSS Низкий

Описание

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
symfonyfixed3.4.12+dfsg-1package
symfonynot-affectedjessiepackage

Примечания

  • https://symfony.com/blog/cve-2018-11406-csrf-token-fixation

EPSS

Процентиль: 42%
0.00194
Низкий

Связанные уязвимости

CVSS3: 8.8
ubuntu
около 7 лет назад

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

CVSS3: 8.8
nvd
около 7 лет назад

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

CVSS3: 8.8
github
около 3 лет назад

Symfony CSRF Token Fixation

CVSS3: 8.8
fstec
около 7 лет назад

Уязвимость компонента Security программной платформы для разработки и управления веб-приложениями Symfony, позволяющая нарушителю осуществить межсайтовую подделку запросов

EPSS

Процентиль: 42%
0.00194
Низкий