CVE-2015-8124 – symfony/security

Package

Manager: composer
Name: symfony/security
Vulnerable Version: >=2.3.0 <2.3.35 || >=2.4.0 <2.6.12 || >=2.7.0 <2.7.7

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00247 pctl0.47858

Details

Symfony Session Fixation Vulnerability A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.

Metadata

Created: 2022-05-14T02:47:28Z
Modified: 2024-02-08T19:16:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j5jh-hpr4-h332/GHSA-j5jh-hpr4-h332.json
CWE IDs: ["CWE-384"]
Alternative ID: GHSA-j5jh-hpr4-h332
Finding: F280
Auto approve: 1