Symfony is vulnerable to session fixation attacks. An attacker can impersonate another user if the attacker knows the user’s previous session ID and the "remember me" login feature was used.
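The general defence against session fixation is to issue a new session ID whenever a request becomes authenticated, including authentication through a remember-me cookie. The in-memory PHP model below is an added example, not Symfony's code and not the patch from the referenced pull request; `SessionStore`, `rememberMeLogin` and the `$rotate` flag are hypothetical names, and the user name is constructed.

```php
<?php
// Added illustration: an in-memory model, not Symfony code. All names are hypothetical.
final class SessionStore
{
    private array $sessions = []; // session ID => session data

    public function create(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = [];
        return $id;
    }

    public function get(string $id): ?array
    {
        return $this->sessions[$id] ?? null;
    }

    public function set(string $id, string $key, string $value): void
    {
        $this->sessions[$id][$key] = $value;
    }

    // Copy the data to a fresh ID and destroy the old ID.
    public function migrate(string $oldId): string
    {
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $this->sessions[$oldId] ?? [];
        unset($this->sessions[$oldId]);
        return $newId;
    }
}
// Called after the remember-me cookie has been validated and resolved to $user.
function rememberMeLogin(SessionStore $store, string $sessionId, string $user, bool $rotate): string
{
    if ($rotate) {
        $sessionId = $store->migrate($sessionId);
    }
    $store->set($sessionId, 'user', $user);
    return $sessionId;
}
$store = new SessionStore();
foreach ([false, true] as $rotate) {
    $previous = $store->create(); // constructed: the ID of the user's earlier session
    $current = rememberMeLogin($store, $previous, 'alice', $rotate);
    $stillValid = ($store->get($previous)['user'] ?? null) !== null;
    printf("rotate=%s previous-ID-authenticated=%s new-ID-issued=%s\n", var_export($rotate, true), var_export($stillValid, true), var_export($current !== $previous, true));
}
```

In a real application the equivalent check is that the session cookie value changes on the first response after a remember-me authentication.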
Name | Operator | Version
---|---|---
symfony/symfony | le | 2.7.6
symfony/symfony | le | 2.5.12
symfony/symfony | le | 2.6.11
symfony/symfony | le | 2.3.34
lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html
lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html
seclists.org/fulldisclosure/2015/Dec/89
www.debian.org/security/2015/dsa-3402
www.securityfocus.com/archive/1/537183/100/0/threaded
www.securityfocus.com/bid/77694
github.com/symfony/symfony/pull/16631
symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature