Veracode Vulnerability DatabaseVERACODE:4750Session Fixation
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.015 Low
EPSS
Percentile
87.2%
Symfony is vulnerable to session fixation attacks. An attacker can impersonate another user if the user’s previous session ID is known to the attacker and the remember me login feature was used.
| CPE | Name | Operator | Version |
|---|---|---|---|
| symfony/symfony | le | 2.7.6 | |
| symfony/symfony | le | 2.5.12 | |
| symfony/symfony | le | 2.6.11 | |
| symfony/symfony | le | 2.3.34 |
References
lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html
lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html
seclists.org/fulldisclosure/2015/Dec/89
www.debian.org/security/2015/dsa-3402
www.securityfocus.com/archive/1/537183/100/0/threaded
www.securityfocus.com/bid/77694
github.com/symfony/symfony/pull/16631
symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature
Related
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.015 Low
EPSS
Percentile
87.2%