Security advisory: IBEXA-SA-2023-001

Symfony vulnerabilities - Session cookie leak, CSRF token fixation
Publication date: 03/02/2023, 16:00
Severity: High

Affected versions: Ibexa DXP v4.3.*, v3.3.*, eZ Platform v2.5.*
Resolving versions: Ibexa DXP v4.4.0, v4.3.3, v3.3.30

Symfony has released fixes for two vulnerabilities: one is a potential session cookie leak (CVE-2022-24894), the other a CSRF token fixation (CVE-2022-24895). Please read more about them here:
https://symfony.com/blog/cve-2022-24894-prevent-storing-cookie-headers-in-httpcache
https://symfony.com/blog/cve-2022-24895-csrf-token-fixation

These are fixed in Symfony 5.4.20, which is used in Ibexa DXP v4 and v3.

Symfony 3.4 has not been maintained since November 2021, so there is no fix for it, and therefore no fix for eZ Platform v2.5. We strongly recommend upgrading to Ibexa DXP v3.3 LTS, or v4.3 / v4.4 FT.


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
