CVE-2018-11406
EUVD-2022-388213.06.2018, 16:29
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| sensiolabs | symfony | 2.7.0 ≤ 𝑥 < 2.7.48 |
| sensiolabs | symfony | 2.8.0 ≤ 𝑥 < 2.8.41 |
| sensiolabs | symfony | 3.3.0 ≤ 𝑥 < 3.3.17 |
| sensiolabs | symfony | 3.4.0 ≤ 𝑥 < 3.4.11 |
| sensiolabs | symfony | 4.0.0 ≤ 𝑥 < 4.0.11 |
| debian | debian_linux | 9.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
References