PT-2024-8444 · Symphony+4 · Symphony+4
M0Xr4
·
Published
2024-11-04
·
Updated
2025-02-18
·
CVE-2024-51996
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Symphony versions prior to 5.4.47
Symphony versions prior to 6.4.15
Symphony versions prior to 7.1.8
Description
The vulnerability is related to the authentication process in the Symphony PHP framework. When consuming a persisted remember-me cookie, the framework does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This issue can be exploited by a remote attacker to bypass security restrictions.
Recommendations
For versions prior to 5.4.47, update to version 5.4.47 or later.
For versions prior to 6.4.15, update to version 6.4.15 or later.
For versions prior to 7.1.8, update to version 7.1.8 or later.
As a temporary workaround, consider disabling the use of remember-me cookies until a patch is applied.
Restrict access to the
PersistentRememberMeHandler class to minimize the risk of exploitation.Exploit
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Astra Linux
Debian
Linuxmint
Symphony
Ubuntu