
EZSA-2018-004: Symfony security advisories

Publication date : 31/05/2018
Severity : High
Affected versions : 2.x, 1.13, 1.7, 5.4, all community versions at time of writing (new stack only)
Resolving versions : Symfony 2.7.48, 2.8.41, 3.4.11

This is to warn you about 5 security advisories recently released by Symfony:

  • CVE-2018-11406: CSRF Token Fixation
  • CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password
  • CVE-2018-11385: Session Fixation Issue for Guard Authentication
  • CVE-2018-11386: Denial of service when using PDOSessionHandler
  • CVE-2018-11408: Open redirect vulnerability on security handlers

You can read more about them here:

We recommend that you install them as soon as possible. They are distributed via Composer. You can update Symfony with the following command:

composer update symfony/symfony

Depending on your version of eZ Platform, you will be on the 2.7, 2.8, or 3.4 branch of Symfony. The issues are fixed in Symfony 2.7.48, 2.8.41, and 3.4.11. Please make sure you are updated to one of these versions, or higher.
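As an added example (not part of the advisory or of eZ Platform), the following POSIX sh script checks whether a locked `symfony/symfony` version is at or above the resolving release for its branch, reading the version from a `composer.lock`; the lock-file fragment embedded below is constructed for the demo.

```shell
#!/bin/sh
# Added example for EZSA-2018-004, not part of the advisory: decide whether an
# installed symfony/symfony release already carries the fixes (2.7.48, 2.8.41, 3.4.11).

# Lowest patched release for a Symfony minor branch (2.7, 2.8 or 3.4).
min_patched_for_branch() {
    case "$1" in
        2.7) echo 2.7.48 ;;
        2.8) echo 2.8.41 ;;
        3.4) echo 3.4.11 ;;
        *)   return 1 ;;    # branch not covered by this advisory
    esac
}

# Numeric dotted-version comparison: succeeds when $1 >= $2
# (a plain string comparison would rank 2.7.5 above 2.7.48).
version_ge() {
    last="$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)"
    [ "$last" = "$1" ]
}

# Exit status: 0 = patched, 1 = vulnerable, 2 = branch not in the advisory.
symfony_patched() {
    ver="${1#v}"                                    # composer.lock writes "v2.8.40"
    branch="$(printf '%s' "$ver" | cut -d. -f1,2)"
    min="$(min_patched_for_branch "$branch")" || return 2
    version_ge "$ver" "$min"
}

# Locked symfony/symfony version from a composer.lock, without needing jq;
# tr removes the JSON escaping so "symfony\/symfony" matches as a plain name.
symfony_version_from_lock() {
    tr -d '\\' < "$1" \
        | sed -n '/"name": *"symfony\/symfony"/,/"version"/p' \
        | sed -n 's/.*"version": *"\([^"]*\)".*/\1/p' | head -n1
}

# Constructed composer.lock fragment (not a real project file) for the demo.
SAMPLE_LOCK="$(mktemp)"
cat > "$SAMPLE_LOCK" <<'EOF'
{ "packages": [
    { "name": "symfony\/polyfill-mbstring", "version": "v1.8.0" },
    { "name": "symfony\/symfony",
      "version": "v2.8.40" }
] }
EOF

locked="$(symfony_version_from_lock "$SAMPLE_LOCK")"
if symfony_patched "$locked"; then echo "$locked: patched"; else echo "$locked: update needed"; fi
```

Point `symfony_version_from_lock` at your project's own `composer.lock` to run the check against a real install.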

If you come across a security issue in our products, here is how you can report it to us:
