CVE-2017-16653 — Cross-Site Request Forgery in Security
Severity
5.9 MEDIUM (NVD)
EPSS
0.3%
top 44.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 6
Latest update: May 13
Description
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.
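To make the flaw concrete, here is a small PHP model (added for this page; it is not Symfony's code and does not use Symfony's classes) of a CSRF token manager that keys session tokens only by token id, next to one that namespaces the storage key by scheme, which is the approach the fixed releases take. The session store is a plain array standing in for the PHP session; the `'https-'` prefix, the `transfer` token id and the class layout are this example's own choices. The simulation assumes the realistic precondition for the attack: the session cookie is also sent over plain HTTP (no `Secure` flag, no HSTS), so a plaintext page rendered into the victim's session carries a token from that session, and an attacker positioned on the network can read it.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. Models the CVE-2017-16653 design flaw:
// a CSRF token manager that keys tokens only by token id (shared across
// HTTP and HTTPS) next to one that namespaces the storage key by scheme.
// The storage below is a plain array standing in for the PHP session.

interface TokenStorage
{
    public function hasToken(string $key): bool;
    public function getToken(string $key): string;
    public function setToken(string $key, string $token): void;
}

final class ArraySessionStorage implements TokenStorage
{
    /** @var array<string,string> */
    private array $tokens = [];

    public function hasToken(string $key): bool { return isset($this->tokens[$key]); }
    public function getToken(string $key): string { return $this->tokens[$key]; }
    public function setToken(string $key, string $token): void { $this->tokens[$key] = $token; }
}

abstract class CsrfTokenManager
{
    public function __construct(protected TokenStorage $storage) {}

    /** Storage key for a token id; the scheme binding (or lack of it) lives here. */
    abstract protected function key(string $tokenId, bool $https): string;

    public function getToken(string $tokenId, bool $https): string
    {
        $key = $this->key($tokenId, $https);
        if (!$this->storage->hasToken($key)) {
            $this->storage->setToken($key, bin2hex(random_bytes(32)));
        }
        return $this->storage->getToken($key);
    }

    public function isTokenValid(string $tokenId, string $value, bool $https): bool
    {
        $key = $this->key($tokenId, $https);
        return $this->storage->hasToken($key)
            && hash_equals($this->storage->getToken($key), $value);
    }
}

// Before the fix: the scheme is ignored, so the token rendered into a plain
// HTTP page is exactly the one the HTTPS endpoint will accept.
final class SchemeAgnosticCsrfTokenManager extends CsrfTokenManager
{
    protected function key(string $tokenId, bool $https): string
    {
        return $tokenId;
    }
}

// After the fix: HTTPS tokens live under a separate namespace, so a token
// observed on HTTP never validates against an HTTPS form. The 'https-'
// prefix is this example's own choice.
final class SchemeBoundCsrfTokenManager extends CsrfTokenManager
{
    protected function key(string $tokenId, bool $https): string
    {
        return ($https ? 'https-' : '') . $tokenId;
    }
}

/**
 * Replays the attack against one manager using the victim's session.
 * Modelled precondition: the session cookie is sent over plain HTTP
 * (no Secure flag, no HSTS), so the HTTP page renders a token from the
 * victim's real session.
 */
function simulate(CsrfTokenManager $manager): array
{
    // Victim has already used the HTTPS form; a token exists in the session.
    $httpsToken = $manager->getToken('transfer', true);

    // Network attacker forces a plaintext load of the form (e.g. by injecting
    // a redirect into any HTTP response) and reads the token off the wire.
    $leaked = $manager->getToken('transfer', false);

    return [
        'leak_matches_https_token' => hash_equals($httpsToken, $leaked),
        // Attacker's cross-site POST to the HTTPS endpoint with the leaked token.
        'forged_request_accepted'  => $manager->isTokenValid('transfer', $leaked, true),
        // Legitimate HTTPS submission must keep working.
        'legit_request_accepted'   => $manager->isTokenValid('transfer', $httpsToken, true),
    ];
}

foreach ([SchemeAgnosticCsrfTokenManager::class, SchemeBoundCsrfTokenManager::class] as $class) {
    $result = simulate(new $class(new ArraySessionStorage()));
    printf("%-32s %s\n", $class, json_encode($result));
}
```

Run it with `php csrf_scheme_demo.php`: the scheme-agnostic manager reports the leaked token matching the HTTPS token and the forged request being accepted, while the scheme-bound manager rejects the forged request and still accepts the legitimate one. The practical checks that follow from this: upgrade to the fixed releases listed in the description (2.7.38, 2.8.31, 3.2.14, 3.3.13 or later), and independently make sure the session cookie carries the `Secure` flag and the site sends HSTS, since either removes the plaintext channel the attack depends on.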
CVSS vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6
Affected Packages (5 packages)
Also affects: Debian Linux 9.0
Vulnerability Details
Vendor Advisories (4)
Debian (1)
CVE-2017-16653: symfony - An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BE... (2017)
Community
Bugzilla (5)
CVE-2017-16653 php-symfony: improper CSRF token generation for HTTP and HTTPS [fedora-27] (2018-08-22)
CVE-2017-16653 php-symfony4: php-symfony: improper CSRF token generation for HTTP and HTTPS [fedora-all] (2018-08-22)
CVE-2017-16653 php-symfony3: php-symfony: improper CSRF token generation for HTTP and HTTPS [fedora-28] (2018-08-22)