PT-2015-7732 · Symfony · Symfony

Published: 2015-11-24 · Updated: 2022-05-14 · CVE-2015-8124

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Symfony versions 2.3.x through 2.3.34
Symfony versions 2.6.x through 2.6.11
Symfony versions 2.7.x through 2.7.6
Description

A session fixation issue in the "Remember Me" login feature allows remote attackers to hijack web sessions via a session id. An attacker who already knew the session id value can therefore impersonate the victim towards the web application.
Recommendations

For Symfony versions 2.3.x through 2.3.34, update to version 2.3.35.
For Symfony versions 2.6.x through 2.6.11, update to version 2.6.12.
For Symfony versions 2.7.x through 2.7.6, update to version 2.7.7.
As a temporary workaround, consider disabling the "Remember Me" feature until a patch is available.
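The pattern behind the description above, as an added example that is not Symfony's code: a toy session store in which a remember-me cookie authenticates the user either while keeping the session id the request arrived with (the fixation risk) or after migrating to a freshly generated id (the mitigation). The store, the cookie table and the user name are assumptions constructed for the example.

```python
import secrets

# Constructed for this example: remember-me cookie value -> user it is bound to.
REMEMBER_ME_COOKIES = {"rm-token-for-alice": "alice"}


class SessionStore:
    """Minimal server-side session store (session id -> attributes), not Symfony's."""

    def __init__(self):
        self._sessions = {}

    def open(self, session_id):
        # As a cookie-based session handler does before authentication: accept the
        # client-supplied id as-is and start an anonymous session under it.
        self._sessions.setdefault(session_id, {"user": None})
        return session_id

    def set_user(self, session_id, user):
        self._sessions[session_id]["user"] = user

    def user_of(self, session_id):
        return self._sessions.get(session_id, {}).get("user")

    def migrate(self, old_id):
        """Move the session data to a fresh, unguessable id; the old id stops working."""
        data = self._sessions.pop(old_id)
        new_id = secrets.token_hex(16)
        self._sessions[new_id] = data
        return new_id


def remember_me_login_fixed_id(store, session_id, remember_me_cookie):
    """Vulnerable pattern: the cookie authenticates the user, but the session keeps the
    id the request arrived with, so whoever already knew that id now holds it logged in."""
    sid = store.open(session_id)
    user = REMEMBER_ME_COOKIES.get(remember_me_cookie)
    if user is not None:
        store.set_user(sid, user)
    return sid


def remember_me_login_migrated_id(store, session_id, remember_me_cookie):
    """Hardened pattern: once remember-me authentication succeeds, migrate the session
    to a freshly generated id so a previously known id no longer resolves to it."""
    sid = store.open(session_id)
    user = REMEMBER_ME_COOKIES.get(remember_me_cookie)
    if user is not None:
        store.set_user(sid, user)
        sid = store.migrate(sid)  # the regeneration step that closes the fixation window
    return sid
```

The check worth keeping in a test suite is the last one: after an authenticated remember-me request, the pre-login session id must resolve to no user.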

Weakness Enumeration

Session Fixation

Related Identifiers

CVE-2015-8124
DSA-3402-1
GHSA-J5JH-HPR4-H332

Affected Products

Symfony