Search for vulnerabilities
Vulnerability details: VCID-wuph-bc4e-8ba3
Vulnerability ID VCID-wuph-bc4e-8ba3
Aliases CVE-2021-41268
GHSA-qw36-p97w-vcqr
Summary Cookie persistence after password changes in symfony/security-bundle Description ----------- Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Resolution ---------- Symfony now makes the password part of the signature by default. In that way, when the password changes then the cookie is not valid anymore. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc) for branch 5.3. Credits ------- We would like to thank Thibaut Decherit for reporting the issue and Wouter J for fixing the issue.
Status Published
Exploitability 0.5
Weighted Severity 7.9
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-384 Session Fixation
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00476 https://api.first.org/data/v1/epss?cve=CVE-2021-41268
epss 0.00476 https://api.first.org/data/v1/epss?cve=CVE-2021-41268
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-qw36-p97w-vcqr
cvssv3.1 6.5 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2021-41268.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2021-41268.yaml
cvssv3.1 6.5 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41268.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41268.yaml
cvssv3.1 6.5 https://github.com/symfony/symfony
generic_textual MODERATE https://github.com/symfony/symfony
cvssv3.1 6.5 https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc
generic_textual MODERATE https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc
cvssv3.1 6.5 https://github.com/symfony/symfony/pull/44243
generic_textual MODERATE https://github.com/symfony/symfony/pull/44243
cvssv3.1 6.5 https://github.com/symfony/symfony/releases/tag/v5.3.12
generic_textual MODERATE https://github.com/symfony/symfony/releases/tag/v5.3.12
cvssv3.1 6.5 https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr
cvssv3.1_qr MODERATE https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr
generic_textual MODERATE https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr
cvssv2 6.5 https://nvd.nist.gov/vuln/detail/CVE-2021-41268
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2021-41268
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2021-41268
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2021-41268
cvssv3.1 6.5 https://symfony.com/cve-2021-41268
generic_textual MODERATE https://symfony.com/cve-2021-41268
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2021-41268
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2021-41268.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41268.yaml
https://github.com/symfony/symfony
https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc
https://github.com/symfony/symfony/pull/44243
https://github.com/symfony/symfony/releases/tag/v5.3.12
https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr
https://nvd.nist.gov/vuln/detail/CVE-2021-41268
https://symfony.com/cve-2021-41268
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
GHSA-qw36-p97w-vcqr https://github.com/advisories/GHSA-qw36-p97w-vcqr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2021-41268.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41268.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/symfony/symfony
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/symfony/symfony/pull/44243
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/symfony/symfony/releases/tag/v5.3.12
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2021-41268
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-41268
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-41268
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://symfony.com/cve-2021-41268
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.63899
EPSS Score 0.00476
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:19:27.379344+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-qw36-p97w-vcqr/GHSA-qw36-p97w-vcqr.json 36.1.3