CVE-2018-11406
Published:June 13, 2018
Updated:May 17, 2026
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.
Affected Packages
https://github.com/symfony/symfony.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.0.11Fix Suggestion:
Update to version v4.0.11https://github.com/symfony/symfony.git (GITHUB):
Affected version(s) >=v2.7.0 <v2.7.48Fix Suggestion:
Update to version v2.7.48https://github.com/symfony/symfony.git (GITHUB):
Affected version(s) >=v2.8.0 <v2.8.41Fix Suggestion:
Update to version v2.8.41https://github.com/symfony/symfony.git (GITHUB):
Affected version(s) >=v3.4.0 <v3.4.11Fix Suggestion:
Update to version v3.4.11https://github.com/symfony/symfony.git (GITHUB):
Affected version(s) >=v3.0.0 <v3.3.17Fix Suggestion:
Update to version v3.3.17symfony/symfony (PHP):
Affected version(s) >=v4.0.0 <v4.0.11Fix Suggestion:
Update to version v4.0.11symfony/security (PHP):
Affected version(s) >=v4.0.0 <v4.0.11Fix Suggestion:
Update to version v4.0.11symfony/security-http (PHP):
Affected version(s) >=v3.0.0 <v3.3.17Fix Suggestion:
Update to version v3.3.17symfony/security-bundle (PHP):
Affected version(s) >=v3.0.0 <v3.3.17Fix Suggestion:
Update to version v3.3.17symfony/security-http (PHP):
Affected version(s) >=v4.0.0 <v4.0.11Fix Suggestion:
Update to version v4.0.11symfony/symfony (PHP):
Affected version(s) >=v2.7.0 <v2.7.48Fix Suggestion:
Update to version v2.7.48symfony/symfony (PHP):
Affected version(s) >=v3.4.0 <v3.4.11Fix Suggestion:
Update to version v3.4.11symfony/security-http (PHP):
Affected version(s) >=v2.7.0 <v2.7.48Fix Suggestion:
Update to version v2.7.48symfony/security-http (PHP):
Affected version(s) >=v3.4.0 <v3.4.11Fix Suggestion:
Update to version v3.4.11symfony/security-bundle (PHP):
Affected version(s) >=v3.4.0 <v3.4.11Fix Suggestion:
Update to version v3.4.11symfony/security-bundle (PHP):
Affected version(s) >=v2.7.0 <v2.7.48Fix Suggestion:
Update to version v2.7.48symfony/security (PHP):
Affected version(s) >=v2.7.0 <v2.7.48Fix Suggestion:
Update to version v2.7.48symfony/security-http (PHP):
Affected version(s) >=v2.8.0 <v2.8.41Fix Suggestion:
Update to version v2.8.41symfony/security-bundle (PHP):
Affected version(s) >=v4.0.0 <v4.0.11Fix Suggestion:
Update to version v4.0.11symfony/security (PHP):
Affected version(s) >=v3.4.0 <v3.4.11Fix Suggestion:
Update to version v3.4.11symfony/symfony (PHP):
Affected version(s) >=v2.8.0 <v2.8.41Fix Suggestion:
Update to version v2.8.41symfony/security (PHP):
Affected version(s) >=v2.8.0 <v2.8.41Fix Suggestion:
Update to version v2.8.41symfony/security-bundle (PHP):
Affected version(s) >=v2.8.0 <v2.8.41Fix Suggestion:
Update to version v2.8.41symfony/symfony (PHP):
Affected version(s) >=v3.0.0 <v3.3.17Fix Suggestion:
Update to version v3.3.17symfony/security (PHP):
Affected version(s) >=v3.0.0 <v3.3.17Fix Suggestion:
Update to version v3.3.17Related Resources (16)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Cross-Site Request Forgery (CSRF)
EPSS
Base Score:
0.18