-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stemmed from missing session migration in Guard authentication handlers. The patch added migrateSession() calls to onSuccess methods in multiple listeners. The commit diff shows UsernamePasswordJsonAuthenticationListener was missing this critical session rotation step before token storage, leaving sessions vulnerable to fixation. This matches the CVE description of Guard component session fixation and the explicit patch implementation.
PHPPHP| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| symfony/symfony | composer | >= 2.7.0, < 2.7.48 | 2.7.48 |
| symfony/symfony | composer | >= 2.8.0, < 2.8.41 | 2.8.41 |
| symfony/symfony |
| composer |
| >= 3.4.0, < 3.4.11 |
| 3.4.11 |
| symfony/symfony | composer | >= 4.0.0, < 4.0.11 | 4.0.11 |
| symfony/symfony | composer | >= 3.0.0, < 3.3.17 | 3.3.17 |
| symfony/security-http | composer | >= 2.7.0, < 2.7.48 | 2.7.48 |
| symfony/security-http | composer | >= 2.8.0, < 2.8.41 | 2.8.41 |
| symfony/security-http | composer | >= 3.0.0, < 3.3.17 | 3.3.17 |
| symfony/security-http | composer | >= 3.4.0, < 3.4.11 | 3.4.11 |
| symfony/security-http | composer | >= 4.0.0, < 4.0.11 | 4.0.11 |
| symfony/security | composer | >= 2.7.0, < 2.7.48 | 2.7.48 |
| symfony/security | composer | >= 2.8.0, < 2.8.41 | 2.8.41 |
| symfony/security | composer | >= 3.0.0, < 3.3.17 | 3.3.17 |
| symfony/security | composer | >= 3.4.0, < 3.4.11 | 3.4.11 |
| symfony/security | composer | >= 4.0.0, < 4.0.11 | 4.0.11 |
Ongoing coverage of React2Shell