VYPR
High severity8.8NVD Advisory· Published Jun 13, 2018· Updated Jun 17, 2026

CVE-2018-11406

CVE-2018-11406

Description

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
symfony/symfonyPackagist
>= 2.7.0, < 2.7.482.7.48
symfony/symfonyPackagist
>= 2.8.0, < 2.8.412.8.41
symfony/symfonyPackagist
>= 3.0.0, < 3.3.173.3.17
symfony/symfonyPackagist
>= 3.4.0, < 3.4.113.4.11
symfony/symfonyPackagist
>= 4.0.0, < 4.0.114.0.11
symfony/security-bundlePackagist
>= 2.7.0, < 2.7.482.7.48
symfony/security-bundlePackagist
>= 2.8.0, < 2.8.412.8.41
symfony/security-bundlePackagist
>= 3.0.0, < 3.3.173.3.17
symfony/security-bundlePackagist
>= 3.4.0, < 3.4.113.4.11
symfony/security-bundlePackagist
>= 4.0.0, < 4.0.114.0.11
symfony/security-httpPackagist
>= 2.7.0, < 2.7.482.7.48
symfony/security-httpPackagist
>= 2.8.0, < 2.8.412.8.41
symfony/security-httpPackagist
>= 3.0.0, < 3.3.173.3.17
symfony/security-httpPackagist
>= 3.4.0, < 3.4.113.4.11
symfony/security-httpPackagist
>= 4.0.0, < 4.0.114.0.11
symfony/securityPackagist
>= 2.7.0, < 2.7.482.7.48
symfony/securityPackagist
>= 2.8.0, < 2.8.412.8.41
symfony/securityPackagist
>= 3.0.0, < 3.3.173.3.17
symfony/securityPackagist
>= 3.4.0, < 3.4.113.4.11
symfony/securityPackagist
>= 4.0.0, < 4.0.114.0.11

Affected products

4

Patches

Vulnerability mechanics

References

16

News mentions

0

No linked articles in our index yet.