First published: Sat Oct 23 2021
CVE-2021-41268: Remember me cookie persistence after password changes
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/symfony/symfony | >=5.3.0 <5.3.12 | 5.3.12 |
composer/symfony/security-bundle | >=5.3.0 <5.3.12 | 5.3.12 |
SensioLabs Symfony | >=5.3.0 <5.3.12 | |
CVE-2021-41268 is a vulnerability in the Symfony/SecurityBundle that allows the Remember me cookie to persist after password changes.
CVE-2021-41268 affects Symfony versions from 5.3.0 up to, but not including, 5.3.12.
The severity of CVE-2021-41268 is high, with a severity score of 8.8.
Attackers can exploit CVE-2021-41268 by taking advantage of the Remember me cookie not being invalidated when a user changes their password.
A fix for CVE-2021-41268 is available in the Symfony framework in version 5.3.12, with commits and pull requests available on GitHub.
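
The failure mode described above, a Remember me cookie that still validates after the user changes their password, can be shown with a minimal signed-cookie scheme. This is an added illustration and not Symfony's code: the cookie layout, `issue_cookie`, `verify_cookie`, the `bind_password` switch and the sample secret are assumptions made for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-app-secret"  # constructed sample key, not a real secret


def _sign(username, expires, password_hash, bind_password):
    # Hardened mode mixes the user's current password hash into the MAC input,
    # so any password change alters the expected signature.
    parts = [username, str(expires)]
    if bind_password:
        parts.append(password_hash)
    return hmac.new(SECRET, "\n".join(parts).encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, lifetime=3600, bind_password=True, now=None):
    # Hypothetical cookie layout: "<username>:<expiry>:<hex signature>"
    expires = int(now if now is not None else time.time()) + lifetime
    sig = _sign(user["name"], expires, user["password_hash"], bind_password)
    return f"{user['name']}:{expires}:{sig}"


def verify_cookie(cookie, users, bind_password=True, now=None):
    try:
        name, expires, sig = cookie.rsplit(":", 2)
        expires = int(expires)
    except ValueError:
        return False  # malformed cookie
    user = users.get(name)
    if user is None or expires < (now if now is not None else time.time()):
        return False  # unknown user or expired cookie
    # Recompute the signature from the password hash stored *now*.
    expected = _sign(name, expires, user["password_hash"], bind_password)
    return hmac.compare_digest(sig, expected)


def demo():
    # Constructed sample user record.
    users = {"alice": {"name": "alice", "password_hash": "hash-of-old-password"}}
    weak = issue_cookie(users["alice"], bind_password=False)
    strong = issue_cookie(users["alice"], bind_password=True)
    users["alice"]["password_hash"] = "hash-of-new-password"  # password change
    return {
        "weak_after_change": verify_cookie(weak, users, bind_password=False),
        "strong_after_change": verify_cookie(strong, users, bind_password=True),
    }
```

With `bind_password=False` the old cookie keeps authenticating after the password change; with `bind_password=True` the recomputed signature no longer matches and the cookie is rejected.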