VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-t2dx-5us4-mkf1

Essentials
Severities (36)
References (21)
Severity details (21)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-t2dx-5us4-mkf1
Aliases	CVE-2017-16653 GHSA-92x6-h2gr-8gxq
Summary	Cross-Site Request Forgery (CSRF) The current implementation of CSRF protection in Symfony does not use different tokens for HTTP and HTTPS.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-352	Cross-Site Request Forgery (CSRF)

System	Score	Found at
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
epss	0.00325	https://api.first.org/data/v1/epss?cve=CVE-2017-16653
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-92x6-h2gr-8gxq
cvssv3.1	5.9	https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-csrf/CVE-2017-16653.yaml
generic_textual	MODERATE	https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-csrf/CVE-2017-16653.yaml
cvssv3.1	5.9	https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16653.yaml
generic_textual	MODERATE	https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16653.yaml
cvssv3.1	5.9	https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16653.yaml
generic_textual	MODERATE	https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16653.yaml
cvssv3.1	5.9	https://github.com/symfony/symfony
generic_textual	MODERATE	https://github.com/symfony/symfony
cvssv3.1	5.9	https://github.com/symfony/symfony/commit/b4dbdd7cd8732483d585eacff3428c16b07ad15e
generic_textual	MODERATE	https://github.com/symfony/symfony/commit/b4dbdd7cd8732483d585eacff3428c16b07ad15e
cvssv3.1	5.9	https://github.com/symfony/symfony/pull/24992
generic_textual	MODERATE	https://github.com/symfony/symfony/pull/24992
cvssv3.1	5.9	https://nvd.nist.gov/vuln/detail/CVE-2017-16653
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2017-16653
cvssv3.1	5.9	https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https
generic_textual	MODERATE	https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https
cvssv3.1	5.9	https://symfony.com/cve-2017-16653
generic_textual	MODERATE	https://symfony.com/cve-2017-16653
cvssv3.1	5.9	https://www.debian.org/security/2018/dsa-4262
generic_textual	MODERATE	https://www.debian.org/security/2018/dsa-4262

Reference id	Reference type	URL
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653
		https://api.first.org/data/v1/epss?cve=CVE-2017-16653
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406
		https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-csrf/CVE-2017-16653.yaml
		https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16653.yaml
		https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16653.yaml
		https://github.com/symfony/symfony
		https://github.com/symfony/symfony/commit/b4dbdd7cd8732483d585eacff3428c16b07ad15e
		https://github.com/symfony/symfony/pull/24992
		https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https
		https://www.debian.org/security/2018/dsa-4262
CVE-2017-16653		https://nvd.nist.gov/vuln/detail/CVE-2017-16653
CVE-2017-16653		https://symfony.com/cve-2017-16653
GHSA-92x6-h2gr-8gxq		https://github.com/advisories/GHSA-92x6-h2gr-8gxq

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-csrf/CVE-2017-16653.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16653.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16653.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/symfony/symfony

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/symfony/symfony/commit/b4dbdd7cd8732483d585eacff3428c16b07ad15e

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/symfony/symfony/pull/24992

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-16653

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://symfony.com/cve-2017-16653

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.debian.org/security/2018/dsa-4262

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.55414
EPSS Score	0.00325
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:47:54.995814+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2017-16653.yml	38.0.0