Vulnerabilities > CVE-2017-16653

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
sensiolabs
debian
nessus

Summary

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.

Vulnerable Configurations

Part Description Count
Application
Sensiolabs
73
OS
Debian
1

Nessus

NASL familyDebian Local Security Checks
NASL idDEBIAN_DSA-4262.NASL
descriptionMultiple vulnerabilities have been found in the Symfony PHP framework which could lead to open redirects, cross-site request forgery, information disclosure, session fixation or denial of service.
last seen2020-06-01
modified2020-06-02
plugin id111535
published2018-08-06
reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/111535
titleDebian DSA-4262-1 : symfony - security update