PT-2021-23229 · Symfony · Symfony/Securitybundle

Thibaut Decherit · Published 2021-11-24 · Updated 2024-03-06 · CVE-2021-41268

CVSS v3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions:

Symfony/SecurityBundle versions 5.3.0 through 5.3.11

Description:

The issue arises from the rework of the remember-me cookie in Symfony 5.3.0: the cookie is not invalidated when a user changes their password. An attacker who previously logged in and obtained a valid remember-me cookie can therefore keep access to the account even after the password has been changed. Starting with version 5.3.12, Symfony includes the password in the cookie signature by default, so the cookie becomes invalid as soon as the password changes.

Recommendations:

For Symfony/SecurityBundle versions 5.3.0 through 5.3.11, update to version 5.3.12 or later, where Symfony makes the password part of the cookie signature by default, thus invalidating the remember-me cookie when the password is changed.
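The following is an added, self-contained PHP example (not Symfony's own code) that models the difference between the two signature schemes described above. It signs a remember-me token with an HMAC, once over the user id and expiry only (the 5.3.0 to 5.3.11 behaviour) and once with the user's current password hash included in the signed data (the 5.3.12 behaviour), then verifies both cookies after the stored password hash has changed. The user store, secret and password values are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory user store: user id => current password hash.
// Sample values only, not real credentials.
$users = ['alice' => password_hash('old-password', PASSWORD_DEFAULT)];

// Compute the cookie signature. When $passwordHash is null only the user id and
// expiry are signed (unfixed scheme); otherwise the current password hash is
// bound into the signed data (fixed scheme), so a password change breaks it.
function signature(string $secret, string $userId, int $expires, ?string $passwordHash): string
{
    $signed = $userId . ':' . $expires . ':' . ($passwordHash ?? '');
    return hash_hmac('sha256', $signed, $secret);
}

// Mint a cookie value: base64("user:expires:signature").
function issueCookie(string $secret, string $userId, int $expires, ?string $passwordHash): string
{
    return base64_encode($userId . ':' . $expires . ':' . signature($secret, $userId, $expires, $passwordHash));
}

// Verify a cookie against the *current* user store. $bindPassword selects the
// scheme: false recomputes the signature without the password hash, true with it.
function verifyCookie(string $secret, string $cookie, array $users, bool $bindPassword, int $now): bool
{
    $decoded = base64_decode($cookie, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode(':', $decoded, 3);
    if (count($parts) !== 3) {
        return false;
    }
    [$userId, $expires, $sig] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now || !isset($users[$userId])) {
        return false;
    }
    $expected = signature($secret, $userId, (int) $expires, $bindPassword ? $users[$userId] : null);
    // Constant-time comparison to avoid leaking the signature through timing.
    return hash_equals($expected, $sig);
}

$secret  = 'constructed-app-secret';
$now     = time();
$expires = $now + 86400;

// Cookies minted while the old password is in force, one per scheme.
$unboundCookie = issueCookie($secret, 'alice', $expires, null);
$boundCookie   = issueCookie($secret, 'alice', $expires, $users['alice']);

// The user changes their password; the stored hash is replaced.
$users['alice'] = password_hash('new-password', PASSWORD_DEFAULT);

// Re-verify both cookies against the updated store.
var_dump(verifyCookie($secret, $unboundCookie, $users, false, $now)); // unfixed scheme
var_dump(verifyCookie($secret, $boundCookie, $users, true, $now));    // password-bound scheme
```

Run with `php remember_me_demo.php`. The cookie signed without the password hash still verifies after the change, which is exactly the persistence problem the advisory describes; the cookie whose signature covers the password hash no longer matches the recomputed value and is rejected. The same property also means a defender can force-expire all remember-me cookies for an account by rotating the password hash (or whatever property is bound into the signature).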


Weakness Enumeration

Session Fixation

Related Identifiers

BIT-SYMFONY-2021-41268
CVE-2021-41268
GHSA-QW36-P97W-VCQR

Affected Products

Symfony/Securitybundle