CVE-2018-11385 – symfony/security-http

Package

Manager: composer
Name: symfony/security-http
Vulnerable Version: >=2.7.0 <2.7.48 || >=2.8.0 <2.8.41 || >=3.0.0 <3.3.17 || >=3.4.0 <3.4.11 || >=4.0.0 <4.0.11

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00952 pctl0.75491

Details

Symfony Session Fixation Vulnerability An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

Metadata

Created: 2022-05-14T01:22:27Z
Modified: 2024-02-08T19:28:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g4rg-rw65-8hfg/GHSA-g4rg-rw65-8hfg.json
CWE IDs: ["CWE-384"]
Alternative ID: GHSA-g4rg-rw65-8hfg
Finding: F280
Auto approve: 1