Input validation error in Symfony

#VU40586 Input validation error in Symfony

Published: 2015-12-07 | Updated: 2020-08-09

Vulnerability identifier: #VU40586

Vulnerability risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-8124

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Symfony
Web applications / CMS

Vendor: SensioLabs

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id. <a href="https://cwe.mitre.org/data/definitions/384.htm">CWE-384: Session Fixation</a>

Mitigation
Install update from vendor's website.

Vulnerable software versions

Symfony: 2.3.0 - 2.7.6

External links
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html
http://seclists.org/fulldisclosure/2015/Dec/89
http://www.debian.org/security/2015/dsa-3402
http://www.securityfocus.com/archive/1/537183/100/0/threaded
http://www.securityfocus.com/bid/77694
http://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in SensioLabs Symfony