Back to search
CVE-2018-11406
Published: Jun 13, 2018
Modified: Aug 5, 2024
PUBLISHED
Description
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
FEDORA-2018-96d770ddc9
vendor-advisory
x_refsource_FEDORA
FEDORA-2018-ba0b683c10
vendor-advisory
x_refsource_FEDORA
https://symfony.com/blog/cve-2018-11406-csrf-token-fixation
x_refsource_CONFIRM
FEDORA-2018-eba0006df2
vendor-advisory
x_refsource_FEDORA
DSA-4262
vendor-advisory
x_refsource_DEBIAN
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now