Article writen by Gabs Ferreira.January 20, 2012. That’s the date of the initial release of Meteor.js.Back then, the web was a very different place.Front-end development was dominated by jQuery for cross-browser compatibility and DOM manipulation.Responsive design was gaining traction, with Bootstrap standardizing mobile-friendly web design.

Affected versions

Symfony versions >=5.3, <5.4.47; >=6, <6.4.15; >=7, <7.1.8 of the Symfony Security-Http component are affected by this security issue.

The issue has been fixed in Symfony 5.4.47, 6.4.15, and 7.1.8.

Description

When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.

Resolution

The PersistentRememberMeHandler class now ensures the submitted username is the cookie owner.

Symfony 7.1.8 has just been released.
Here is the list of the most important changes since 7.1.7: