Symfony · Symfony · CVE-2022-24894
**Name of the Vulnerable Software and Affected Versions**
Symfony versions prior to 4.4
**Description**
The Symfony HTTP cache system acts as a reverse proxy, caching entire responses, including headers, and returning them to clients. A recent change in the `AbstractSessionListener` may cause the response to contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this response might be stored and returned to other clients, allowing an attacker to retrieve the victim's session.
**Recommendations**
For versions prior to 4.4, update to branch 4.4 to resolve the issue. As a temporary workaround, consider disabling the `AbstractSessionListener` or restricting access to the Symfony HTTP cache system until the patch is applied. The `HttpStore` constructor now takes a parameter holding a list of private headers that are removed from the response headers before the response is cached; the default value is `Set-Cookie`, and the application can override or extend the list.
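The caching behaviour described above, as an added, constructed model that is not Symfony code: a shared reverse-proxy cache that stores whole responses, first without any header stripping (the pre-fix behaviour) and then with a configurable private-header list defaulting to `Set-Cookie`, plus a small check that flags private headers in a cache-served response. All class and function names (`CacheStore`, `serve`, `leaked_headers`, the `backend` stub) are hypothetical.

```python
"""Constructed simulation of the CVE-2022-24894 cache behaviour (not Symfony code)."""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict   # header name -> value; names are compared case-insensitively
    body: str


class CacheStore:
    """Shared cache keyed by URL.

    private_headers=None models the store before the fix (every header is
    kept); the default models the fixed store, which drops Set-Cookie, and
    the list can be extended by the application.
    """

    def __init__(self, private_headers=("Set-Cookie",)):
        self._entries = {}
        self._private = {h.lower() for h in (private_headers or ())}

    def write(self, url, response):
        # Persist a copy of the response with the private headers removed.
        kept = {k: v for k, v in response.headers.items() if k.lower() not in self._private}
        self._entries[url] = Response(response.status, kept, response.body)

    def lookup(self, url):
        return self._entries.get(url)


def backend(url, client):
    """Constructed origin app: like AbstractSessionListener, the response
    carries a Set-Cookie with the requesting client's own session id."""
    headers = {
        "Content-Type": "text/html",
        "Cache-Control": "public, max-age=60",
        "Set-Cookie": f"PHPSESSID={client}-session; HttpOnly",
    }
    return Response(200, headers, "<p>hello</p>")


def serve(store, url, client):
    """Serve from cache if possible; returns (response, served_from_cache)."""
    hit = store.lookup(url)
    if hit is not None:
        return hit, True
    fresh = backend(url, client)
    store.write(url, fresh)          # the stored copy is what later clients get
    return fresh, False


def leaked_headers(response, private=("Set-Cookie",)):
    """Detection check: private header names present in a cache-served response."""
    wanted = {h.lower() for h in private}
    return sorted(k for k in response.headers if k.lower() in wanted)
```

Run the same two-client sequence against `CacheStore(private_headers=None)` and against the default store to see the victim's cookie reach the second client only in the first case.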