#VU40586 Input validation error in Symfony - CVE-2015-8124

 


Published: December 7, 2015 / Updated: August 9, 2020


Vulnerability identifier: #VU40586
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2015-8124
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Symfony
Software vendor: SensioLabs

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id. CWE-384: Session Fixation (https://cwe.mitre.org/data/definitions/384.htm)


Remediation

Install the update from the vendor's website.
