CVE-2016-4309

Published on: 06/30/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:26:58 PM UTC

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Certain versions of Symphony from Getsymphony contain the following vulnerability:

Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter.
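With session.use_only_cookies disabled, PHP falls back to reading the session identifier from the request itself (a PHPSESSID GET or POST parameter) whenever no session cookie is present, and without session.use_strict_mode it adopts whatever identifier it is handed and echoes it back in Set-Cookie. An attacker can therefore choose an ID in advance, deliver it to the victim in a link, and then share the session the victim authenticates into; the need for victim interaction and for a permissive configuration is what the UI:R and AC:H metrics above reflect. The script below is an added illustration written for this page, not Symphony's code and not the contents of the fix commit listed under the references (whose title only says it adds php.ini overrides). It places the weak settings beside the hardened ones and rotates the ID at login. The HARDENED constant, the stand-in login handler and the curl commands are assumptions made for the example.

```php
<?php
// Added example (not Symphony's code): session bootstrap that closes the
// request-parameter session-ID path described by CVE-2016-4309.
//
// Run locally:   php -S 127.0.0.1:8080 session_demo.php
// Then compare:  curl -i 'http://127.0.0.1:8080/?PHPSESSID=attackerchosen'
// With HARDENED = false the Set-Cookie header echoes "attackerchosen"
// (the server adopted the client-supplied ID); with HARDENED = true PHP
// ignores the parameter and issues a fresh, server-generated ID.
declare(strict_types=1);

const HARDENED = true;   // assumption for the demo: flip to false to reproduce the weak behaviour

if (HARDENED) {
    // Only ever read the session ID from the cookie, never from GET/POST.
    ini_set('session.use_only_cookies', '1');
    // Never rewrite links/forms to carry the ID in the URL.
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not itself generate (PHP >= 5.5.2).
    // This also defeats fixation attempted through the cookie channel.
    ini_set('session.use_strict_mode', '1');
    // Defence in depth for the cookie: no script access, TLS-only when on HTTPS.
    ini_set('session.cookie_httponly', '1');
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    ini_set('session.cookie_secure', $https ? '1' : '0');
} else {
    // The insecure php.ini shape the advisory describes: PHP consults
    // $_GET/$_POST for PHPSESSID and accepts any value without validation.
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_strict_mode', '0');
}
// Note: on older PHP builds some of these directives are per-directory only
// and must be set in php.ini or .htaccess rather than via ini_set().

session_start();

// Stand-in login handler (assumption for the example). Even with the settings
// above, rotate the ID whenever privilege changes so an ID that existed before
// authentication is never carried across the login boundary.
if (($_POST['action'] ?? '') === 'login') {
    // ... credential check elided for the demo; assume it succeeded ...
    session_regenerate_id(true);   // true = discard the old session data too
    $_SESSION['user'] = 'demo';
}

header('Content-Type: text/plain');
echo "session id in use:         " . session_id() . "\n";
echo "PHPSESSID in query string: " . ($_GET['PHPSESSID'] ?? '(none)') . "\n";
echo "logged in:                 " . (isset($_SESSION['user']) ? 'yes' : 'no') . "\n";
```

To verify a deployment rather than this demo, send the same request with a made-up PHPSESSID value and no Cookie header: if the response's Set-Cookie carries your value back, the server is adopting client-supplied identifiers and the configuration needs the overrides above regardless of application version.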

  • CVE-2016-4309 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack Vector:          NETWORK
Attack Complexity:      HIGH
Privileges Required:    NONE
User Interaction:       REQUIRED
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       HIGH
Availability Impact:    HIGH

CVSS2 Score: 7.6 - HIGH

Access Vector:          NETWORK
Access Complexity:      HIGH
Authentication:         NONE
Confidentiality Impact: COMPLETE
Integrity Impact:       COMPLETE
Availability Impact:    COMPLETE

CVE References

  • hyp3rlinx advisory (MISC)
    Tags: Third Party Advisory
    hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt

  • Symphony CMS 2.6.7 Session Fixation ≈ Packet Storm (MISC)
    Tags: Third Party Advisory, VDB Entry
    packetstormsecurity.com/files/137551/Symphony-CMS-2.6.7-Session-Fixation.html

  • Symphony CMS 2.6.7 - Session Fixation - PHP webapps Exploit (EXPLOIT-DB 39983)
    Tags: Third Party Advisory, VDB Entry, Proof of Concept, Exploit
    www.exploit-db.com

  • SecurityFocus: Symphony CMS v2.6.7 Session Fixation (BUGTRAQ 20160620)
    Tags: Third Party Advisory, VDB Entry
    www.securityfocus.com

  • Better php.ini overrides for insecure setups · symphonycms/symphony-2@b329a14 · GitHub (CONFIRM)
    Tags: Third Party Advisory
    github.com/symphonycms/symphony-2/commit/b329a14adc40868965076a77210452e396243dcd

  • Symphony CMS PHPSESSID Session Fixation Vulnerability (BID 91299)
    Tags: Third Party Advisory, VDB Entry
    cve.report (archive)

Known Affected Configurations (CPE V2.3)

Type         Vendor       Product   Version  Update  Edition  Language
Application  Getsymphony  Symphony  2.6.7    All     All      All

  • cpe:2.3:a:getsymphony:symphony:2.6.7:*:*:*:*:*:*:*