Cross-site Request Forgery (CSRF) affecting symfony/security-csrf
Affected version ranges:
- >=2.7.0, <2.7.38
- >=2.8.0, <2.8.31
- >=3, <3.1.0
- >=3.1.0, <3.2.0
- >=3.2.0, <3.2.14
- >=3.3.0, <3.3.13
- >=3.4-BETA0, <3.4-BETA5
- >=4.0-BETA0, <4.0-BETA5
Snyk CVSS
- Attack Complexity: High
- Confidentiality: High
Threat Intelligence
- EPSS: 0.08% (34th percentile)
- Snyk ID SNYK-PHP-SYMFONYSECURITYCSRF-70379
- published 4 Dec 2017
- disclosed 16 Nov 2017
- credit Oliver Hoff
Introduced: 16 Nov 2017
- CVE-2017-16653
How to fix?
Upgrade symfony/security-csrf to version 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5 or 4.0-BETA5, or higher within that release line. The 3.0.x and 3.1.x lines are listed as vulnerable in their entirety (3.1.0 and 3.2.0 themselves fall inside the affected ranges above), so applications on those lines must move to 3.2.14 or later rather than to a 3.0/3.1 release.
Overview
Affected versions of symfony/security-csrf are vulnerable to Cross-site Request Forgery (CSRF).
The CSRF token manager did not use different tokens for HTTP and HTTPS: a token was stored and looked up by its token id alone, regardless of the scheme of the request that issued it. An attacker in a man-in-the-middle position on a plain-HTTP connection could therefore read the token rendered into an HTTP response and submit it with a forged request to the HTTPS side of the same application, which accepted it as valid. The exposure requires the victim's session to be usable over HTTP as well as HTTPS (for example, a session cookie without the Secure flag); serving the application only over HTTPS with HSTS and Secure cookies narrows the attack window, but the missing scheme binding of the token is the defect addressed by the fixed versions.
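To make the failure mode concrete, here is a small model of the two designs written for this page in Python; it is not Symfony's code and the class and method names are illustrative. The vulnerable manager keys stored tokens by token id only, so a token leaked from an HTTP response validates against the HTTPS handler; the hardened manager prefixes the storage key with a scheme namespace (assumed here to be the literal "https-" for secure requests), so the HTTP-issued token never matches the HTTPS entry. A shared server-side session stands in for the case where the session cookie is sent on both schemes.

```python
"""Scheme-bound CSRF token storage: weak design beside the hardened one.

Illustration written for this advisory page, not symfony/security-csrf's
own code.  Names, the "https-" namespace prefix and the simulated flow
are assumptions made for the example.
"""
import hmac
import secrets


class SessionStorage:
    """Stand-in for a server-side session that both the HTTP and the HTTPS
    origin can read (session cookie without the Secure flag)."""

    def __init__(self):
        self._tokens = {}

    def get_or_create(self, key):
        # Tokens are generated lazily the first time a form asks for them.
        if key not in self._tokens:
            self._tokens[key] = secrets.token_urlsafe(32)
        return self._tokens[key]

    def has(self, key):
        return key in self._tokens

    def get(self, key):
        return self._tokens[key]


class VulnerableCsrfTokenManager:
    """Weak design: storage key is the token id only, so the same token is
    issued on HTTP and accepted on HTTPS.  `secure` is ignored on purpose."""

    def __init__(self, storage):
        self.storage = storage

    def get_token(self, token_id, secure):
        return self.storage.get_or_create(token_id)

    def is_token_valid(self, token_id, value, secure):
        if not self.storage.has(token_id):
            return False
        # Constant-time comparison; both values are ASCII token strings.
        return hmac.compare_digest(self.storage.get(token_id), value)


class SchemeBoundCsrfTokenManager(VulnerableCsrfTokenManager):
    """Hardened design: the storage key carries a scheme namespace, so HTTP
    and HTTPS hold independent tokens for the same token id."""

    @staticmethod
    def _key(token_id, secure):
        # Assumed namespace scheme for this example: prefix secure requests.
        return ("https-" if secure else "") + token_id

    def get_token(self, token_id, secure):
        return self.storage.get_or_create(self._key(token_id, secure))

    def is_token_valid(self, token_id, value, secure):
        key = self._key(token_id, secure)
        if not self.storage.has(key):
            return False
        return hmac.compare_digest(self.storage.get(key), value)


def mitm_replay_succeeds(manager_cls):
    """Simulated attack (constructed scenario): the victim loads a form over
    plain HTTP, a network attacker reads the token from that response, then
    sends a forged POST carrying it to the HTTPS form handler.  Returns True
    when the HTTPS handler accepts the replayed token."""
    manager = manager_cls(SessionStorage())
    leaked = manager.get_token("contact_form", secure=False)   # seen by MITM
    manager.get_token("contact_form", secure=True)             # HTTPS form rendered
    return manager.is_token_valid("contact_form", leaked, secure=True)


def legitimate_https_flow_works(manager_cls):
    """Regression check: a token issued over HTTPS must still validate over
    HTTPS with the hardened manager."""
    manager = manager_cls(SessionStorage())
    token = manager.get_token("contact_form", secure=True)
    return manager.is_token_valid("contact_form", token, secure=True)


if __name__ == "__main__":
    for cls in (VulnerableCsrfTokenManager, SchemeBoundCsrfTokenManager):
        print(cls.__name__, "replay accepted:", mitm_replay_succeeds(cls),
              "| legitimate HTTPS ok:", legitimate_https_flow_works(cls))
```

The point of the hardened variant is that the namespace is derived from the request being validated, not from where the token was first issued: an attacker can choose what to leak over HTTP but cannot make the HTTPS handler look up the HTTP entry. It complements, rather than replaces, serving the site only over HTTPS with HSTS and Secure session cookies.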