vulnerability
Ubuntu: (CVE-2018-11406): symfony vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Jun 13, 2018 | Jun 26, 2025 | Jun 26, 2025 |
Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
Jun 13, 2018
Added
Jun 26, 2025
Modified
Jun 26, 2025
Description
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.
Solution
no-fix-ubuntu-package
References
- CVE-2018-11406
- https://attackerkb.com/topics/CVE-2018-11406
- URL-https://lists.fedoraproject.org/archives/list/[email protected]/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/
- URL-https://lists.fedoraproject.org/archives/list/[email protected]/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/
- URL-https://lists.fedoraproject.org/archives/list/[email protected]/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/
- URL-https://symfony.com/blog/cve-2018-11406-csrf-token-fixation
- URL-https://www.cve.org/CVERecord?id=CVE-2018-11406
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.