Cross-Site Request Forgery Vulnerability in Symfony by Sensio Labs
CVE-2017-16653

5.9MEDIUM

Key Information:

Vendor
Sensiolabs
Status
Symfony
Vendor
CVE Published:
6 August 2018

Summary

A flaw in the CSRF protection mechanism was identified in Symfony versions prior to specified updates. The vulnerability arises from the identical usage of tokens for both HTTP and HTTPS requests. This opens a potential window for man-in-the-middle (MITM) attacks on HTTP connections, where an attacker could intercept the token and leverage it for CSRF attacks when the target application is accessed securely over HTTPS.

References

https://symfony.com/blog/cve-2017-16653-csrf-protection-d...
x_refsource_CONFIRM
https://github.com/symfony/symfony/pull/24992
x_refsource_CONFIRM
https://www.debian.org/security/2018/dsa-4262
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2017-16653 : Cross-Site Request Forgery Vulnerability in Symfony by Sensio Labs | SecurityVulnerability.io