Versio.io

CVE-2022-23601

Common vulnerabilities & exposures (CVE)

CVE databaseCVE database blogpostRelease & EoL database
 
Published at: - 01-02-2022 02:15
Last modified: - 05-02-2022 03:18
Total changes: - 2

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Low
Attack complexity
Network
Attack vector
High
Availability
High
Confidentiality
High
Integrity
None
Privileges required
Unchanged
Scope
Required
User interaction
8.8
Base score
2.8
5.9
Exploitability score
Impact score
 

Verification logic

OR
vendor=sensiolabs AND product=symfony AND versionEndExcluding=5.3.15
vendor=sensiolabs AND product=symfony AND versionStartIncluding=5.4.0 AND versionEndExcluding=5.4.4
vendor=sensiolabs AND product=symfony AND versionStartIncluding=6.0.0 AND versionEndExcluding=6.0.4
 

Reference

 


Keywords

NVD

 

CVE-2022-23601

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures

 

We use cookies to ensure that we give you the best experience on our website. Read privacy policies for more information.