Security advisory: IBEXA-SA-2023-001

Symfony vulnerabilities - Session cookie leak, CSRF token fixation
Publication date:
03/02/2023, 16:00


Affected versions: Ibexa DXP v4.3.*, v3.3.*, eZ Platform v2.5.*
Resolving versions: Ibexa DXP v4.4.0, v4.3.3, v3.3.30

Symfony released the fixes for two vulnerabilities. One involves a potential session cookie leak, the other CSRF token fixation. Please read more about them here:

These are fixed in Symfony 5.4.20, which is used in Ibexa DXP v4 and v3.

As Symfony 3.4 is no longer maintained since November 2021, there is no fix for it, and therefore no fix for eZ Platform v2.5. We strongly recommend upgrading to Ibexa DXP v3.3 LTS, or v4.3 / v4.4 FT.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories