Session Fixation Vulnerability in Symfony Security Component
CVE-2018-11385
8.1 HIGH
Summary
A session fixation vulnerability exists in the Security component of Symfony and affects multiple versions of the framework. If an attacker knows a user's session ID before that user logs in, the attacker can impersonate the victim and gain unauthorized access to the web application through the 'Guard' login feature. Developers should update to a patched release to mitigate this risk.
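Session fixation is possible when an application keeps the session ID the browser presented before authentication and simply attaches the logged-in identity to it; the standard mitigation is to rotate the session ID at the moment privileges change. The following is an added illustration in plain PHP, not code from Symfony or from this advisory, contrasting a fixation-prone login handler with one that regenerates the ID. The credential check, the username and the password are constructed placeholders.

```php
<?php
// Added example (not Symfony's code): a login handler that keeps the pre-login
// session ID versus one that regenerates it at authentication time.
declare(strict_types=1);

// Hypothetical credential check with a constructed user; a real application
// would look the user up and use password_verify() against a stored hash.
function credentialsValid(string $username, string $password): bool
{
    return $username === 'alice' && $password === 'constructed-example-password';
}

// Fixation-prone: whatever session ID arrived with the request stays valid after
// login, so anyone who knew that ID beforehand now holds an authenticated session.
function loginWithoutRegeneration(string $username, string $password): bool
{
    if (!credentialsValid($username, $password)) {
        return false;
    }
    $_SESSION['user'] = $username;
    return true;
}

// Hardened: issue a fresh session ID at the privilege change and delete the old
// session record, so an ID known before login no longer maps to this session.
function loginWithRegeneration(string $username, string $password): bool
{
    if (!credentialsValid($username, $password)) {
        return false;
    }
    session_regenerate_id(true); // true: discard the old session data as well
    $_SESSION['user'] = $username;
    return true;
}

// Demonstration: the ID observed before login must differ from the one after.
session_start();
$before = session_id();
if (loginWithRegeneration('alice', 'constructed-example-password')) {
    $after = session_id();
    echo $before === $after
        ? "session ID reused after login (fixation-prone)\n"
        : "session ID rotated after login\n";
}
```

A quick check for any login flow is exactly the comparison at the end of the block: capture the session cookie before submitting valid credentials, then confirm the server set a different one in the login response. In Symfony the equivalent behaviour is governed by the `session_fixation_strategy` option under the `security` configuration key (`migrate` or `invalidate` rotate the ID; `none` does not); keeping it at its default of `migrate` and running a patched release are the relevant settings for this advisory.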
References
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved