PT-2015-7732 · Symfony · Symfony
Published 2015-11-24 · Updated 2022-05-14
CVE-2015-8124
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Symfony versions 2.3.x through 2.3.34
Symfony versions 2.6.x through 2.6.11
Symfony versions 2.7.x through 2.7.6
Description
A session fixation issue in the "Remember Me" login feature allows remote attackers to hijack web sessions via a session id that is not regenerated when the user is authenticated through the remember-me cookie. This enables an attacker to impersonate the victim to the web application if the session id value was previously known to the attacker.
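As an added illustration (not code from the advisory or from Symfony itself), the following Python model shows why a remember-me login that keeps whatever session id the browser presented lets a previously known id be hijacked, and how regenerating the id on authentication, the standard mitigation for session fixation, closes it. The session store, ids and user name are constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal server-side session store keyed by session id (constructed model)."""

    def __init__(self):
        self._sessions = {}

    def get(self, sid):
        return self._sessions.get(sid)

    def create(self, sid=None):
        # Like a cookie-based session, this accepts a client-supplied id as-is.
        sid = sid or secrets.token_hex(16)
        self._sessions.setdefault(sid, {"user": None})
        return sid

    def migrate(self, old_sid):
        # Move the session data to a fresh id and invalidate the old one.
        data = self._sessions.pop(old_sid, {"user": None})
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid


def remember_me_login(store, request_sid, remember_me_user, rotate_session):
    """Authenticate from a remember-me cookie; returns the id the browser keeps.

    rotate_session=False models the affected releases (id kept across login);
    rotate_session=True models regenerating the id when authentication succeeds.
    """
    sid = store.create(request_sid)
    if rotate_session:
        sid = store.migrate(sid)
    store.get(sid)["user"] = remember_me_user
    return sid


def known_id_is_authenticated(rotate_session):
    """Check whether an id known before login resolves to the authenticated session."""
    store = SessionStore()
    planted = "previously-known-sid"  # constructed: an id known before the login
    store.create(planted)
    remember_me_login(store, planted, "alice", rotate_session)
    session = store.get(planted)
    return session is not None and session["user"] == "alice"
```

Run against both settings, the check returns True without rotation and False with it, which is the property a session-fixation test in a CI suite should assert.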
Recommendations
For Symfony versions 2.3.x through 2.3.34, update to version 2.3.35.
For Symfony versions 2.6.x through 2.6.11, update to version 2.6.12.
For Symfony versions 2.7.x through 2.7.6, update to version 2.7.7.
As a temporary workaround, consider disabling the "Remember Me" feature until a patch is available.
Weakness Enumeration
Session Fixation
Related identifiers
CVE-2015-8124
Affected products
Symfony