Session Fixation

CVE-2018-11385

Severity High
Score 8.1/10

Summary

An issue was discovered in the Security component in Symfony 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, 4.0.x before 4.0.11, v4.1.0-BETA1 and v4.1.0-BETA2. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

  • HIGH
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
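The weakness described above, as an added illustration that is not code from the advisory or from Symfony: a minimal in-memory session store with two login routines, one that authenticates into the existing session id (the CWE-384 pattern) and one that rotates the id at login. The store, the session ids and the `victim` user are constructed for this example.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed to illustrate CWE-384.

    It is not Symfony's session handling; it accepts client-supplied ids on
    start(), which is the precondition that makes fixation possible."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session data

    def start(self, session_id=None):
        """Start (or resume) a session; an unknown id is created as given."""
        if session_id is None:
            session_id = secrets.token_hex(16)
        self._sessions.setdefault(session_id, {})
        return session_id

    def get(self, session_id):
        return self._sessions.get(session_id)

    def regenerate(self, session_id):
        """Move the session data to a fresh id and invalidate the old one."""
        data = self._sessions.pop(session_id, {})
        new_id = secrets.token_hex(16)
        self._sessions[new_id] = data
        return new_id


def login_without_regeneration(store, session_id, user):
    """Vulnerable pattern: the pre-login id becomes the authenticated id."""
    store.get(session_id)["user"] = user
    return session_id


def login_with_regeneration(store, session_id, user):
    """Mitigated pattern: rotate the id at the privilege change."""
    new_id = store.regenerate(session_id)
    store.get(new_id)["user"] = user
    return new_id


def fixation_succeeds(login):
    """True if an id known before login still carries the logged-in user
    afterwards, i.e. the given login routine is open to session fixation."""
    store = SessionStore()
    known_id = store.start("id-known-before-login")  # constructed value
    login(store, known_id, "victim")
    data = store.get(known_id)
    return data is not None and data.get("user") == "victim"
```

The check is the one a defender wants in a regression test: after login, the id issued before authentication must no longer resolve to an authenticated session.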

Advisory Timeline

  • Published