QwikSec

Security Database

CVE

CWE

Training

CVE-2017-16653

Published: Aug 6, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https

x_refsource_CONFIRM

https://github.com/symfony/symfony/pull/24992

x_refsource_CONFIRM

vendor-advisory

x_refsource_DEBIAN

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.