CVE-2023-46733: 
PHP vulnerability analysis and mitigation

Symfony, a PHP framework for web and console applications, disclosed a session fixation vulnerability (CVE-2023-46733) affecting versions 5.4.21 through 5.4.31 and 6.2.7 through 6.3.8. The vulnerability was discovered in the SessionStrategyListener component, which failed to properly migrate sessions after successful login operations (Symfony Advisory).

The vulnerability stems from the SessionStrategyListener component only migrating sessions when the logged-in user identifier changes. However, in certain scenarios where the user identifier remains the same between verification and successful login, but the token type changes from partially-authenticated to fully-authenticated, the session ID was not being regenerated. This oversight could lead to session fixation attacks (Symfony Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability could allow attackers to perform session fixation attacks, potentially hijacking user sessions during the authentication process. This could lead to unauthorized access to user accounts and compromise the security of authenticated sessions (Symfony Advisory).

The vulnerability has been patched in Symfony versions 5.4.31 and 6.3.8. The fix involves modifying the SessionStrategyListener to check both the user identifier and token type before deciding whether to regenerate the session ID (Symfony Advisory).