VulnerableCode Package Details - pkg:composer/symfony/security-bundle@5.3.11

Search for packages

Vulnerability	Summary	Fixed by
VCID-3p45-9gge-y3d9 Aliases: CVE-2022-24895 GHSA-3gv2-29qc-v67m GMS-2023-210 GMS-2023-211	Symfony vulnerable to Session Fixation of CSRF tokens Description ----------- When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables [same-site attackers](https://canitakeyoursubdomain.name/) to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. Resolution ---------- Symfony removes all CSRF tokens from the session on successful login. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4) for branch 4.4. Credits ------- We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.	5.4.20 Affected by 0 other vulnerabilities. 6.0.20 Affected by 0 other vulnerabilities. 6.1.12 Affected by 0 other vulnerabilities. 6.2.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-wuph-bc4e-8ba3 Aliases: CVE-2021-41268 GHSA-qw36-p97w-vcqr	Cookie persistence after password changes in symfony/security-bundle Description ----------- Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Resolution ---------- Symfony now makes the password part of the signature by default. In that way, when the password changes then the cookie is not valid anymore. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc) for branch 5.3. Credits ------- We would like to thank Thibaut Decherit for reporting the issue and Wouter J for fixing the issue.	5.3.12 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.4.0-BETA1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3p45-9gge-y3d9
Aliases:
CVE-2022-24895
GHSA-3gv2-29qc-v67m
GMS-2023-210
GMS-2023-211

Symfony vulnerable to Session Fixation of CSRF tokens Description ----------- When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables [same-site attackers](https://canitakeyoursubdomain.name/) to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. Resolution ---------- Symfony removes all CSRF tokens from the session on successful login. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4) for branch 4.4. Credits ------- We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.

5.4.20
Affected by 0 other vulnerabilities.

6.0.20
Affected by 0 other vulnerabilities.

6.1.12
Affected by 0 other vulnerabilities.

6.2.6
Affected by 1 other vulnerability.

VCID-wuph-bc4e-8ba3
Aliases:
CVE-2021-41268
GHSA-qw36-p97w-vcqr

Cookie persistence after password changes in symfony/security-bundle Description ----------- Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Resolution ---------- Symfony now makes the password part of the signature by default. In that way, when the password changes then the cookie is not valid anymore. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc) for branch 5.3. Credits ------- We would like to thank Thibaut Decherit for reporting the issue and Wouter J for fixing the issue.

5.3.12
Affected by 1 other vulnerability.

5.4.0-BETA1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-04T19:00:19.761778+00:00	GitLab Importer	Affected by	VCID-3p45-9gge-y3d9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/GMS-2023-210.yml	37.0.0
2025-07-03T18:07:21.193629+00:00	GitLab Importer	Affected by	VCID-wuph-bc4e-8ba3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/CVE-2021-41268.yml	37.0.0

2025-07-04T19:00:19.761778+00:00

GitLab Importer

Affected by

VCID-3p45-9gge-y3d9

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/GMS-2023-210.yml

37.0.0

2025-07-03T18:07:21.193629+00:00

GitLab Importer

Affected by

VCID-wuph-bc4e-8ba3

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/CVE-2021-41268.yml

37.0.0

Next non-vulnerable version	5.4.20
Latest non-vulnerable version	7.1.3
Risk	4.0