CVE-2019-10911 — Improper Authentication in Symfony
Severity
7.5 HIGH (NVD)
EPSS
0.3%
top 49.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 16
Latest update: Feb 12
Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9
Affected Packages: 6 packages
Vulnerability Details (4)
Vendor Advisories (2)
Community (4)
Bugzilla
CVE-2019-10911 php-symfony: drupal: Part of an expiry time in a remember me cookie could be considered part of the username, where modifying it would lead to authentication as a different user. [epel- (2019-05-17)
Bugzilla
CVE-2019-10911 php-symfony: drupal: Part of an expiry time in a remember me cookie could be considered part of the username, where modifying it would lead to authentication as a different user. [fedor (2019-05-17)
Bugzilla
CVE-2019-10911 drupal: Part of an expiry time in a remember me cookie could be considered part of the username, where modifying it would lead to authentication as a different user. (2019-04-30)
Bugzilla
CVE-2019-10911 drupal: Part of an expiry time in a remember me cookie could be considered part of the username, where modifying it would lead to authentication as a different user. [fedora-all] (2019-04-30)