Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cookie persistence in Symfony
Vulnerability Description
Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
会话固定
Vulnerability Title
Sensio Labs Symfony 授权问题漏洞
Vulnerability Description
Sensio Labs Symfony是法国Sensio Labs公司的一套免费的、基于MVC架构的PHP开发框架。该框架提供常用的功能组件及工具,可用于快速创建复杂的WEB程序。 Symfony SecurityBundle存在授权问题漏洞,该漏洞源于Symfony SecurityBundle是Symfony的安全系统,一个用于web和控制台应用程序的PHP框架和一组可重用的PHP组件。由于在5.3.0版本中rework的Remember me cookie,当用户更改其密码时,cookie不会失效。
CVSS Information
N/A
Vulnerability Type
N/A