CVE-2018-11406

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-11406
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-11406.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-11406
Aliases
Downstream
Published
2018-06-13T16:29:00.813Z
Modified
2026-02-24T11:26:03.279284Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

References

Affected packages

Git / github.com/symfony/security-http

Affected ranges

Type
GIT
Repo
https://github.com/symfony/security-http
Events
Introduced
33c98765dc6fec4907b7431d10e3c0945f061108
Fixed
f5d8fff7eb3ffa21764788d5eed9f0b6d825ab3e
Introduced
760872233cd3147870184697e3481ffa492ac2fb
Fixed
7cb076f64ed0310504caaad1180a211be949c5db
Introduced
a8d5dd00894f8b5e3edb897f4504c51ddc442370
Fixed
2c846c6c79093fce67a424c779de7c12bc8f8870
Introduced
afa69c531f22fb4b9fc95017ec0e5d6c77db0c3c
Fixed
1761ec249d4af3d5aa8e831c70fd7c0fd23c88f7
Introduced
de2f3d51160791ef254010953dbde178fee9845f
Fixed
682c866cd03064d74c884ba67ff0db212dba5575

Affected versions

v2.*
v2.6.10
v2.6.11
v2.7.0
v2.7.1
v2.7.10
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.2
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.3
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
v2.7.38
v2.7.39
v2.7.4
v2.7.40
v2.7.41
v2.7.42
v2.7.43
v2.7.44
v2.7.45
v2.7.46
v2.7.47
v2.7.48
v2.7.49
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.16
v2.8.17
v2.8.18
v2.8.19
v2.8.2
v2.8.20
v2.8.21
v2.8.22
v2.8.23
v2.8.24
v2.8.25
v2.8.26
v2.8.27
v2.8.28
v2.8.29
v2.8.3
v2.8.30
v2.8.31
v2.8.32
v2.8.33
v2.8.34
v2.8.35
v2.8.36
v2.8.37
v2.8.38
v2.8.39
v2.8.4
v2.8.40
v2.8.41
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v3.*
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.3.0
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.16
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.0-RC1
v3.4.0-RC2
v3.4.1
v3.4.10
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-11406.json"

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
0a47db379b8cc74cdd84e1e6870fafc4a4ac8351
Fixed
8eb567d8398ce31a402ea8db3e6b5b1faf121cbc
Introduced
26ca7023b1c45dce951da7206ed70049267d27bc
Fixed
a54fa082103acd599b7d5de9204dc1f4aa8a5615
Introduced
5615b92cd452cd54f1433a3f53de87c096a1107f
Fixed
24fc640d544a67869a4106de5fc303c597398629
Introduced
5a7e31c48e7cd4831efa409fffb661beb9995174
Fixed
4639525c796227ec36652ad97192a5eb3de74f76
Introduced
9975b1eca3de4db792a2c3e4e16f676a4aadcd46
Fixed
34d6116e2b80351c5a6f591285a4e9381b0dd127

Affected versions

v2.*
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.40
v2.3.41
v2.3.42
v2.6.10
v2.7.0
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.2
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.3
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
v2.7.38
v2.7.39
v2.7.4
v2.7.40
v2.7.41
v2.7.42
v2.7.43
v2.7.44
v2.7.45
v2.7.46
v2.7.47
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.16
v2.8.17
v2.8.18
v2.8.19
v2.8.2
v2.8.20
v2.8.21
v2.8.22
v2.8.23
v2.8.24
v2.8.25
v2.8.26
v2.8.27
v2.8.28
v2.8.29
v2.8.3
v2.8.30
v2.8.31
v2.8.32
v2.8.33
v2.8.34
v2.8.35
v2.8.36
v2.8.37
v2.8.38
v2.8.39
v2.8.4
v2.8.40
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v3.*
v3.0.0
v3.0.0-BETA1
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.1.0
v3.1.0-BETA1
v3.1.0-RC1
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.0-BETA1
v3.2.0-RC1
v3.2.0-RC2
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.0-BETA1
v3.3.0-RC1
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.16
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.1
v3.4.10
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-11406.json"