Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 4.3
CVE Id: CVE-2012-2667
Last Modified: 08 Jun 2012 12:12:58
Published: 07 Jun 2012 03:55:09
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2012-2667

Summary

Session fixation vulnerability in lib/user/sfBasicSecurityUser.class.php in SensioLabs Symfony before 1.4.18 allows remote attackers to hijack web sessions via vectors related to the regenerate method and unspecified "database backed session classes."

Vulnerable Systems

Application

  • Sensiolabs Symfony 1.4.0

  • Sensiolabs Symfony 1.4.1

  • Sensiolabs Symfony 1.4.10

  • Sensiolabs Symfony 1.4.11

  • Sensiolabs Symfony 1.4.12

  • Sensiolabs Symfony 1.4.13

  • Sensiolabs Symfony 1.4.14

  • Sensiolabs Symfony 1.4.15

  • Sensiolabs Symfony 1.4.16

  • Sensiolabs Symfony 1.4.17

  • Sensiolabs Symfony 1.4.2

  • Sensiolabs Symfony 1.4.3

  • Sensiolabs Symfony 1.4.4

  • Sensiolabs Symfony 1.4.5

  • Sensiolabs Symfony 1.4.6

  • Sensiolabs Symfony 1.4.7

  • Sensiolabs Symfony 1.4.8

  • Sensiolabs Symfony 1.4.9


References

XF - symfony-session-hijacking(76027)

BID - 53776

MLIST - [oss-security] 20120605 Re: CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version

MLIST - [oss-security] 20120604 CVE Request -- Symfony / php-symfony-symfony: Session fixation flaw corrected in upstream 1.4.18 version

CONFIRM - http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG

CONFIRM - http://symfony.com/blog/security-release-symfony-1-4-18-released

SECUNIA - 49312


Last Updated: 27 May 2016 10:49:37