Vulnerabilities > CVE-2016-4309 - Unspecified vulnerability in Getsymphony Symphony 2.6.7
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter. <a href="http://cwe.mitre.org/data/definitions/384.html">CWE-384: Session Fixation</a>
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Exploit-Db
| description | Symphony CMS 2.6.7 - Session Fixation. CVE-2016-4309. Webapps exploit for php platform |
| file | exploits/php/webapps/39983.txt |
| id | EDB-ID:39983 |
| last seen | 2016-06-20 |
| modified | 2016-06-20 |
| platform | php |
| port | 80 |
| published | 2016-06-20 |
| reporter | hyp3rlinx |
| source | https://www.exploit-db.com/download/39983/ |
| title | Symphony CMS 2.6.7 - Session Fixation |
| type | webapps |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/137551/SYMPHONY-CMS-SESSION-FIXATION.txt |
| id | PACKETSTORM:137551 |
| last seen | 2016-12-05 |
| published | 2016-06-20 |
| reporter | hyp3rlinx |
| source | https://packetstormsecurity.com/files/137551/Symphony-CMS-2.6.7-Session-Fixation.html |
| title | Symphony CMS 2.6.7 Session Fixation |
References
- http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt
- http://packetstormsecurity.com/files/137551/Symphony-CMS-2.6.7-Session-Fixation.html
- http://www.securityfocus.com/archive/1/538714/100/0/threaded
- http://www.securityfocus.com/bid/91299
- https://github.com/symphonycms/symphony-2/commit/b329a14adc40868965076a77210452e396243dcd
- https://www.exploit-db.com/exploits/39983/