3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2015-8124

GHSA ID

GHSA-j5jh-hpr4-h332

EPSS Score

0.4794%

CWE

CWE-384

Published

5/14/2022

Updated

2/8/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-8124

CVE-2015-8124: Symfony Session Fixation Vulnerability

A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.

(GitHub Advisory)

3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2015-8124

GHSA ID

GHSA-j5jh-hpr4-h332

EPSS Score

0.4794%

CWE

CWE-384

Published

5/14/2022

Updated

2/8/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/symfony	composer	>= 2.3.0, < 2.3.35	2.3.35
symfony/symfony	composer	>= 2.4.0, < 2.6.12	2.6.12
symfony/symfony	composer	>= 2.7.0, < 2.7.7	2.7.7
symfony/security-http	composer	>= 2.4.0, < 2.6.12	2.6.12
symfony/security-http	composer	>= 2.7.0, < 2.7.7	2.7.7
symfony/security	composer	>= 2.3.0, < 2.3.35	2.3.35
symfony/security	composer	>= 2.4.0, < 2.6.12	2.6.12
symfony/security	composer	>= 2.7.0, < 2.7.7	2.7.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing session migration after remember-me authentication. The patch adds sessionStrategy->onAuthentication() in RememberMeListener::handle() to trigger session migration. In vulnerable versions, the absence of this session ID rotation in the handle() method allowed attackers to fixate sessions. The handle() method is the entry point for remember-me authentication processing and would appear in stack traces during exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s*ssion *ix*tion vuln*r**ility wit*in t** "R*m*m**r M*" lo*in ***tur* *llows *n *tt**k*r to imp*rson*t* t** vi*tim tow*r*s t** w** *ppli**tion i* t** s*ssion i* v*lu* w*s pr*viously known to t** *tt**k*r. T*is issu* **s ***n *ix** in Sym*ony *.*.**

Reasoning

T** vuln*r**ility st*ms *rom missin* s*ssion mi*r*tion **t*r r*m*m**r-m* *ut**nti**tion. T** p*t** ***s `s*ssionStr*t**y->on*ut**nti**tion()` in `R*m*m**rM*List*n*r::**n*l*()` to tri***r s*ssion mi*r*tion. In vuln*r**l* v*rsions, t** **s*n** o* t*is

3.1

Basic Information

Concerned about an active attack path?

CVE-2015-8124: Symfony Session Fixation Vulnerability

3.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI