CVE-2018-11386

MEDIUM Year: 2018
CVSS v3 Score
5.9
Medium
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-613
View all →

Vulnerability Description

An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.

Related Vulnerabilities

CVE-2016-8712

MEDIUM
CVSS:5.9(Medium)

An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication reques...

CWE-6132016

CVE-2017-12867

MEDIUM
CVSS:5.9(Medium)

The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.

CWE-6132017

CVE-2020-17473

MEDIUM
CVSS:5.9(Medium)

Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.

CWE-6132020

CVE-2022-22317

MEDIUM
CVSS:5.9(Medium)

IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 218281.

CWE-6132022

CVE-2022-22318

MEDIUM
CVSS:5.9(Medium)

IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

CWE-6132022

CVE-2022-34624

MEDIUM
CVSS:5.9(Medium)

Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.

CWE-6132022