How severe is CVE-2023-46733?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2023-46733?

This is classified as CWE-384, which is a common weakness in software security.

CVE-2023-46733

MEDIUM Year: 2023

CVSS v3 Score

6.5

Medium

Weakness Type

CWE-384

View all →

Vulnerability Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifier. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations, which is not the case at the moment. As of versions 5.4.31 and 6.3.8, Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated.

CVE-2010-3671

MEDIUM

CVSS:6.5(Medium)

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.

CWE-3842010

CVE-2017-1368

MEDIUM

CVSS:6.5(Medium)

IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by s...

CWE-3842017

CVE-2018-0229

MEDIUM

CVSS:6.5(Medium)

A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive...

CWE-3842018

CVE-2018-1000519

MEDIUM

CVSS:6.5(Medium)

aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage...

CWE-3842018

CVE-2018-1148

MEDIUM

CVSS:6.5(Medium)

In Nessus before 7.1.0, Session Fixation exists due to insufficient session management within the application. An authenticated attacker could maintain system access due to session fixation after a us...

CWE-3842018

CVE-2019-10045

MEDIUM

CVSS:6.5(Medium)

The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reus...

CWE-3842019

CVE-2023-46733

Vulnerability Description

Related Vulnerabilities

CVE-2010-3671

CVE-2017-1368

CVE-2018-0229

CVE-2018-1000519

CVE-2018-1148

CVE-2019-10045