CVE-2015-8124
LOW3.1EPSS 0.30%Symfony Session Fixation Vulnerability
Published: 5/14/2022Modified: 5/27/2026
Description
Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.
Affected packages (5)
- Debian/symfonyfrom 0, < 2.7.7+dfsg-1
- Debian/symfonyfrom 0, < 2.3.21+dfsg-4+deb8u2
- Packagist/symfony/security>= 2.3.0, < 2.3.35
- Packagist/symfony/security-http>= 2.4.0, < 2.6.12
- Packagist/symfony/symfony>= 2.3.0, < 2.3.35
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
References (14)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-8124
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2015-8124
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html
- WEBhttp://seclists.org/fulldisclosure/2015/Dec/89
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2015-8124.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2015-8124.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-8124.yaml
- WEBhttps://github.com/symfony/symfony/pull/16631
- WEBhttps://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature
- WEBhttps://symfony.com/cve-2015-8124
- WEBhttps://web.archive.org/web/20201209020014/http://www.securityfocus.com/archive/1/537183/100/0/threaded
- WEBhttps://web.archive.org/web/20210125123853/http://www.securityfocus.com/bid/77694
- WEBhttp://www.debian.org/security/2015/dsa-3402