Session Fixation

CVE-2015-8124

Severity Medium
Score 6.8/10

Summary

Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.4.x, 2.5.x and 2.6.x before 2.6.12, and 2.7.x before 2.7.7, v2.8.0-BETA1 and v3.0.0-BETA1 allows remote attackers to hijack web sessions via a session id.

  • Access Complexity: MEDIUM
  • Access Vector: NETWORK
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
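To make the CWE-384 pattern concrete, here is an added example (not Symfony's code, not from the advisory) using a constructed in-memory session store: remember-me auto-login either promotes the session id the browser already presented to an authenticated one, or, in the hardened form, invalidates that id and issues a fresh one. The token table and session layout are assumptions for the demonstration.

```python
import secrets

# Constructed stand-in for a framework session backend: session id -> session data.
SESSIONS: dict[str, dict] = {}
# Constructed remember-me token -> username mapping (assumption for the example).
REMEMBER_ME_TOKENS = {"tok-alice": "alice"}


def new_session() -> str:
    """Create an unauthenticated session, as a first visit to the site would."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": None}
    return sid


def remember_me_login(presented_sid: str, token: str, regenerate: bool) -> str:
    """Authenticate from a remember-me cookie and return the authenticated session id.

    presented_sid is the id the browser sent; in a fixation scenario it is an id
    the attacker already knows. With regenerate=False that id becomes authenticated
    (the CWE-384 defect); with regenerate=True the old id is dropped and a new one issued.
    """
    user = REMEMBER_ME_TOKENS.get(token)
    if user is None:
        raise PermissionError("invalid remember-me token")
    if presented_sid not in SESSIONS:
        raise KeyError("unknown session id")
    if not regenerate:
        # Vulnerable pattern: authenticate in place, keeping the pre-existing id.
        SESSIONS[presented_sid]["user"] = user
        return presented_sid
    # Hardened pattern: invalidate the presented session, then start a fresh one.
    del SESSIONS[presented_sid]
    fresh = new_session()
    SESSIONS[fresh]["user"] = user
    return fresh


def is_authenticated(sid: str) -> bool:
    """True if the session id maps to a logged-in user."""
    return SESSIONS.get(sid, {}).get("user") is not None
```

Run with regenerate=False, the id known before login is the one that ends up authenticated; with regenerate=True it stops working entirely, which is the property the fix restores.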

Advisory Timeline

  • Published