PT-2022-6951 · Symfony · Symfony

Catalin Dan · Published 2022-02-01 · Updated 2024-03-06 · CVE-2022-23601

CVSS v2.0: 9.3 (High), Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to the patch versions listed
Description: The issue is related to insufficient authentication of executed requests in the Symfony framework, which can allow a remote attacker to perform a CSRF attack. The Symfony form component provides a CSRF protection mechanism using a random token that is injected into the form and stored in the session. However, due to a recent change in configuration loading, the default behavior of enabling CSRF protection was dropped, leaving applications vulnerable to CSRF attacks whenever the protection is not explicitly enabled.
Recommendations: For Symfony versions prior to the patch versions listed, update to a version that includes the patch. As a temporary workaround, enable the CSRF protection mechanism explicitly in the configuration to prevent CSRF attacks.
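The workaround applied to a standard Symfony FrameworkBundle configuration, shown here as an added example and not as a fragment from the advisory or from the Symfony project; the file path `config/packages/framework.yaml` is the conventional Symfony location and is assumed here.

```yaml
# config/packages/framework.yaml (conventional Symfony location, assumed)
framework:
    # Weak state: no "form" or "csrf_protection" keys present at all.
    # On affected versions the protection is no longer enabled implicitly
    # in that case, so forms are rendered and validated without a token.
    #
    # Corrected state: enable the CSRF token manager and the form
    # component's CSRF protection explicitly, so every form gets the
    # hidden token field and submissions whose token does not match the
    # one stored in the session are rejected.
    csrf_protection: true
    session:
        enabled: true          # the token is stored in the session
    form:
        csrf_protection:
            enabled: true
            field_name: _token # Symfony's default hidden field name
```

After the change, rendering any form should include the hidden `_token` input, and a POST without a valid token should fail validation with "The CSRF token is invalid. Please try to resubmit the form."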

Exploit · Fix · CSRF

Related Identifiers

BDU:2023-05710
BIT-SYMFONY-2022-23601
CVE-2022-23601
GHSA-VVMR-8829-6WHX

Affected Products

Symfony