Session Fixation
CVE-2018-11385
Summary
An issue was discovered in the Security component in Symfony 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, 4.0.x before 4.0.11, v4.1.0-BETA1 and v4.1.0-BETA2. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-384 - Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
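The weakness and its mitigation, as an added framework-agnostic illustration (not code from Symfony or from this advisory): a login that authenticates the existing session in place keeps the pre-login id valid, while a login that migrates to a fresh id invalidates it. The in-memory store, the user name and the check function are constructed for this example.

```python
import secrets
from typing import Callable, Dict, Optional


class Session:
    """Minimal server-side session record (constructed for this example)."""
    def __init__(self, user: Optional[str] = None, data: Optional[dict] = None):
        self.user = user        # None until the session is authenticated
        self.data = data or {}  # pre-login state worth carrying across login


class SessionStore:
    """In-memory session store standing in for a cookie-backed one."""
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def start(self) -> str:
        # Anonymous session whose id is already on the client before login.
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session()
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        return s.user if s else None

    def login_without_migration(self, sid: str, user: str) -> str:
        # CWE-384 pattern: authenticate in place. The id that existed before
        # login now names an authenticated session, so whoever knew it holds one.
        self._sessions[sid].user = user
        return sid

    def login_with_migration(self, sid: str, user: str) -> str:
        # Mitigation: move the session to a fresh id and drop the old one.
        old = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = Session(user=user, data=old.data)
        return new_sid


def login_rotates_session_id(store: SessionStore,
                             login: Callable[[str, str], str]) -> bool:
    """Regression check for a login routine: the pre-login id must be dead
    afterwards and a different id must carry the authenticated user."""
    pre_login_sid = store.start()
    post_login_sid = login(pre_login_sid, "alice")  # constructed user name
    return (post_login_sid != pre_login_sid
            and store.user_for(pre_login_sid) is None
            and store.user_for(post_login_sid) == "alice")
```

`login_rotates_session_id` returns False for `login_without_migration` and True for `login_with_migration`; the same check can be run against any login handler that exposes the session id before and after authentication.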
References
Advisory Timeline
- Published