VDB
CVE-2018-11406
PUBLISHED
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout, which allowed for CSRF token fixation.
Risk Scores
EPSS Score: 0.18% (40.0th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:18.04:LTS | symfony | 0, 3.4.3+dfsg-1ubuntu4, 3.4.6+dfsg-1 |
| Ubuntu:16.04:LTS | symfony | 0, 2.7.1+dfsg-1, 2.7.5+dfsg-1 |
Exploit Intelligence
- FEDORA-2018-96d770ddc9 (circl)
- FEDORA-2018-ba0b683c10 (circl)
- https://symfony.com/blog/cve-2018-11406-csrf-token-fixation (circl)
- FEDORA-2018-eba0006df2 (circl)
- DSA-4262 (circl)
Timeline
- Jun 13, 2018 CVE Published
- Mar 29, 2019 CVE Updated
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-11406 third-party-advisory
- https://symfony.com/blog/cve-2018-11406-csrf-token-fixation third-party-advisory
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/ third-party-advisory
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/ third-party-advisory
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-11406 third-party-advisory