CVE-2018-11406

Name of the Vulnerable Software and Affected Versions Symfony versions 2.7.x through 2.7.47 Symfony versions 2.8.x through 2.8.40 Symfony versions 3.3.x through 3.3.16 Symfony versions 3.4.x through 3.4.10 Symfony versions 4.0.x through 4.0.10

Description An issue in the Security component of Symfony allows for CSRF token fixation when the invalidate session option is disabled. By default, a user's session is invalidated when the user is logged out, but with this option disabled, CSRF tokens are not erased during logout. This behavior can be exploited to allow for cross-site request forgery.

Recommendations For Symfony versions 2.7.x through 2.7.47, update to version 2.7.48 or later. For Symfony versions 2.8.x through 2.8.40, update to version 2.8.41 or later. For Symfony versions 3.3.x through 3.3.16, update to version 3.3.17 or later. For Symfony versions 3.4.x through 3.4.10, update to version 3.4.11 or later. For Symfony versions 4.0.x through 4.0.10, update to version 4.0.11 or later. As a temporary workaround, consider enabling the invalidate session option to ensure CSRF tokens are erased during logout.