CVE-2021-41268— Cookie persistence in Symfony
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-41268
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cookie persistence in Symfony
Source: NVD (National Vulnerability Database)
Vulnerability Description
Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
会话固定
Source: NVD (National Vulnerability Database)
Vulnerability Title
Sensio Labs Symfony 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Sensio Labs Symfony是法国Sensio Labs公司的一套免费的、基于MVC架构的PHP开发框架。该框架提供常用的功能组件及工具,可用于快速创建复杂的WEB程序。 Symfony SecurityBundle存在授权问题漏洞,该漏洞源于Symfony SecurityBundle是Symfony的安全系统,一个用于web和控制台应用程序的PHP框架和一组可重用的PHP组件。由于在5.3.0版本中rework的Remember me cookie,当用户更改其密码时,cookie不会失效。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-41268
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-41268
请登录查看更多情报信息。
- https://github.com/symfony/symfony/releases/tag/v5.3.12x_refsource_MISC
- https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqrx_refsource_CONFIRM
- https://github.com/symfony/symfony/pull/44243x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2021-41268
Same Patch Batch · symfony · 2021-11-24 · 3 CVEs total
| CVE-2021-41267 | 6.5 MEDIUM | Webcache Poisoning in Symfony |
| CVE-2021-41270 | 6.5 MEDIUM | CSV Injection in Symfony |
IV. Related Vulnerabilities
Same product: symfony
- CVE-2026-24739
Symfony has incorrect argument escaping under MSYS2/Git Bash - CVE-2025-64500
Symfony's incorrect parsing of PATH_INFO can lead to limited - CVE-2024-51996
Symphony has an Authentication Bypass via RememberMe - CVE-2024-50340
Ability to change environment from query in symfony/runtime - CVE-2024-50341
Security::login does not take into account custom user_check
Same vendor: symfony
- CVE-2026-24739
Symfony has incorrect argument escaping under MSYS2/Git Bash - CVE-2025-64500
Symfony's incorrect parsing of PATH_INFO can lead to limited - CVE-2025-47946
symfony/ux-live-component and symfony/ux-twig-component vuln - CVE-2024-51996
Symphony has an Authentication Bypass via RememberMe - CVE-2024-50340
Ability to change environment from query in symfony/runtime
Same weakness: CWE-384
- CVE-2025-46605
Dell PowerProtect Data Domain(Dell PowerProtect DD) 安全漏洞 - CVE-2026-31940
Session Fixation in Chamilo LMS - CVE-2026-33946
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream - CVE-2026-33757
OpenBao lacks user confirmation for OIDC direct callback mod - CVE-2026-25101
Session Fixation in Bludit
V. Comments for CVE-2021-41268
No comments yet