CSRF Vulnerability in Symfony's CSRF Protection Implementation

CVE-2017-16653 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:M/AU:N/C:P/I:N/A:N

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The CSRF protection implementation in Symfony (version >=2) does not use different tokens for HTTP and HTTPS. Because the same token is valid on both schemes, a token exposed to a man-in-the-middle attacker on plain HTTP can be reused in an HTTPS context to carry out CSRF attacks.