Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-23601

Опубликовано: 01 фев. 2022
Источник: nvd
CVSS3: 8.1
CVSS3: 8.8
CVSS2: 6.8
EPSS Низкий

Описание

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Версия до 5.3.15 (исключая)
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Версия от 5.4.0 (включая) до 5.4.4 (исключая)
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Версия от 6.0.0 (включая) до 6.0.4 (исключая)

EPSS

Процентиль: 35%
0.00137
Низкий

8.1 High

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости

ubuntu логотип

CVE-2022-23601

CVSS3: 8.1
ubuntu
больше 3 лет назад

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.

debian логотип

CVE-2022-23601

CVSS3: 8.1
debian
больше 3 лет назад

Symfony is a PHP framework for web and console applications and a set ...

github логотип

GHSA-vvmr-8829-6whx

CVSS3: 8.1
github
больше 3 лет назад

CSRF token missing in Symfony

fstec логотип

BDU:2023-05710

CVSS3: 8.8
fstec
больше 3 лет назад

Уязвимость программной платформы для разработки и управления веб-приложениями Symfony , связанная с недостаточной проверкой подлинности выполняемых запросов, позволяющая нарушителю осуществить CSRF-атаку

EPSS

Процентиль: 35%
0.00137
Низкий

8.1 High

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-352