VulnerableCode Package Details - pkg:composer/symfony/security-bundle@5.3.12

Search for packages

Vulnerability	Summary	Fixed by
VCID-3p45-9gge-y3d9 Aliases: CVE-2022-24895 GHSA-3gv2-29qc-v67m GMS-2023-210 GMS-2023-211	Symfony vulnerable to Session Fixation of CSRF tokens Description ----------- When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables [same-site attackers](https://canitakeyoursubdomain.name/) to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. Resolution ---------- Symfony removes all CSRF tokens from the session on successful login. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4) for branch 4.4. Credits ------- We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.	5.4.20 Affected by 0 other vulnerabilities. 6.0.20 Affected by 0 other vulnerabilities. 6.1.12 Affected by 0 other vulnerabilities. 6.2.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3p45-9gge-y3d9
Aliases:
CVE-2022-24895
GHSA-3gv2-29qc-v67m
GMS-2023-210
GMS-2023-211

Symfony vulnerable to Session Fixation of CSRF tokens Description ----------- When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables [same-site attackers](https://canitakeyoursubdomain.name/) to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. Resolution ---------- Symfony removes all CSRF tokens from the session on successful login. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4) for branch 4.4. Credits ------- We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.

5.4.20
Affected by 0 other vulnerabilities.

6.0.20
Affected by 0 other vulnerabilities.

6.1.12
Affected by 0 other vulnerabilities.

6.2.6
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-wuph-bc4e-8ba3	Cookie persistence after password changes in symfony/security-bundle Description ----------- Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Resolution ---------- Symfony now makes the password part of the signature by default. In that way, when the password changes then the cookie is not valid anymore. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc) for branch 5.3. Credits ------- We would like to thank Thibaut Decherit for reporting the issue and Wouter J for fixing the issue.	CVE-2021-41268 GHSA-qw36-p97w-vcqr

Vulnerability

Summary

Aliases

VCID-wuph-bc4e-8ba3

Cookie persistence after password changes in symfony/security-bundle Description ----------- Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Resolution ---------- Symfony now makes the password part of the signature by default. In that way, when the password changes then the cookie is not valid anymore. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc) for branch 5.3. Credits ------- We would like to thank Thibaut Decherit for reporting the issue and Wouter J for fixing the issue.

CVE-2021-41268
GHSA-qw36-p97w-vcqr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-04T19:00:19.764025+00:00	GitLab Importer	Affected by	VCID-3p45-9gge-y3d9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/GMS-2023-210.yml	37.0.0
2025-07-01T18:12:17.566203+00:00	GitLab Importer	Fixing	VCID-wuph-bc4e-8ba3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/CVE-2021-41268.yml	36.1.3
2025-07-01T14:30:47.253846+00:00	GHSA Importer	Fixing	VCID-wuph-bc4e-8ba3	https://github.com/advisories/GHSA-qw36-p97w-vcqr	36.1.3
2025-07-01T12:19:27.416155+00:00	GithubOSV Importer	Fixing	VCID-wuph-bc4e-8ba3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-qw36-p97w-vcqr/GHSA-qw36-p97w-vcqr.json	36.1.3