PT-2018-3148 · Symfony · Symfony
Chris Wilkinson · Published 2018-05-25 · Updated 2022-05-14 · CVE-2018-11385
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Symfony versions 2.7.x through 2.7.47
Symfony versions 2.8.x through 2.8.40
Symfony versions 3.3.x through 3.3.16
Symfony versions 3.4.x through 3.4.10
Symfony versions 4.0.x through 4.0.10
Description
The issue stems from session-management errors in the Security component of the Symfony framework and may allow a remote attacker to elevate their privileges. A session fixation vulnerability in the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session ID value was already known to the attacker before the victim authenticated.
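The description comes down to one question: does the session ID survive authentication? The following framework-agnostic Python model is an added example, not Symfony's code: `login_without_migration` reproduces the fixable pattern, `login_with_migration` the mitigation (rotate the ID at the moment of login, the role Symfony's session `migrate()` method plays in HttpFoundation), and `check_fixation` is the regression check a test suite can run. All names and the in-memory store are hypothetical.

```python
import secrets

class SessionStore:
    """Minimal in-memory session store: session id -> attribute dict."""

    def __init__(self):
        self._sessions = {}

    def start(self):
        """Create an empty session and return its freshly generated id."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def migrate(self, old_sid):
        """Move the attributes to a new id and invalidate the old id."""
        attrs = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = attrs
        return new_sid

def login_without_migration(store, sid, username):
    """Vulnerable pattern: authenticate inside the id the client presented."""
    if store.get(sid) is None:
        sid = store.start()
    store.get(sid)["user"] = username
    return sid

def login_with_migration(store, sid, username):
    """Hardened pattern: rotate the session id at the moment of authentication."""
    if store.get(sid) is None:
        sid = store.start()
    new_sid = store.migrate(sid)
    store.get(new_sid)["user"] = username
    return new_sid

def whoami(store, sid):
    """Identity the application associates with a presented session id."""
    sess = store.get(sid)
    return sess.get("user") if sess else None

def check_fixation(login):
    """(user seen via the pre-login id, user seen via the id held after login)."""
    store = SessionStore()
    preexisting = store.start()  # id issued before authentication
    victim_sid = login(store, preexisting, "victim")
    return whoami(store, preexisting), whoami(store, victim_sid)
```

A login handler passes the check only when the pre-login ID no longer resolves to the authenticated user; asserting this in an integration test is the cheapest way to keep the defect from returning.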
Recommendations
For Symfony versions 2.7.x through 2.7.47, update to version 2.7.48 or later.
For Symfony versions 2.8.x through 2.8.40, update to version 2.8.41 or later.
For Symfony versions 3.3.x through 3.3.16, update to version 3.3.17 or later.
For Symfony versions 3.4.x through 3.4.10, update to version 3.4.11 or later.
For Symfony versions 4.0.x through 4.0.10, update to version 4.0.11 or later.
Weakness Enumeration
Session Fixation
Affected Products
Symfony