Developers of the popular Symfony PHP framework have reversed a recent change to how configuration is loaded that accidentally dropped the default enabling cross-site request forgery (CSRF) protection in the Form component, leaving applications that relied on that default without CSRF tokens in their forms.
Users of affected versions of Symfony (5.3.14 and earlier, 5.4.0-5.4.3, and 6.0.0-6.0.3) need to upgrade to the patched releases of their branch (5.3.15, 5.4.4, or 6.0.4), as explained in an advisory posted on GitHub.
The issue, tracked as CVE-2022-23501, has a CVSS score of 8.1 (high). Because the regression silently removes protection from every form in an application that did not enable it explicitly, prompt remediation is recommended. After upgrading, it is worth confirming that rendered forms once again contain the hidden _token field that Symfony uses to carry the CSRF token.
CSRF vulnerabilities give attackers a way to trick users into carrying out actions they did not intend to perform. The problem arises because browsers attach a site's cookies, including the session cookie, to requests regardless of which page initiated them, so a page under the attacker's control can submit a form to the target site and have it processed with the victim's credentials. Synchronizer tokens such as Symfony's defeat this by embedding a random, session-bound secret in each legitimate form and rejecting submissions that do not carry it; a cross-site page cannot read that value, so it cannot forge a valid request.
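The following is an added illustration of the synchronizer-token mechanism described above, written for this page rather than taken from Symfony's code. It models a minimal server-side form handler in Python: a per-form token is generated, stored in the user's session and injected into the rendered form; on submission it is compared in constant time against the stored value. The csrf_protection flag is a hypothetical switch standing in for the framework-level setting that the regression turned off by default, so the same two requests (one from the site's own form, one forged by a cross-site page that cannot see the victim's token) can be replayed against both the protected and the unprotected handler. All session data and form fields are constructed inline.

```python
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# Symfony's default hidden field name for the form CSRF token.
TOKEN_FIELD = "_token"


class Session:
    """Constructed stand-in for a server-side session store keyed by the session cookie."""

    def __init__(self) -> None:
        self.data: Dict[str, Dict[str, str]] = {}


def issue_csrf_token(session: Session, form_id: str) -> str:
    """Synchronizer-token pattern: a random per-form token kept in the session."""
    token = secrets.token_urlsafe(32)
    session.data.setdefault("csrf", {})[form_id] = token
    return token


def render_form(session: Session, form_id: str) -> str:
    """Render a form with the token injected as a hidden field (hypothetical markup)."""
    token = issue_csrf_token(session, form_id)
    return (
        '<form method="post" action="/account/email">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        '<input type="text" name="email"></form>'
    )


def csrf_token_is_valid(session: Session, form_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the session copy."""
    expected = session.data.get("csrf", {}).get(form_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session: Session, form_id: str, fields: Dict[str, str],
                csrf_protection: bool = True) -> str:
    """Return 'accepted' or 'rejected'.

    csrf_protection models the framework-level switch; with it off, the handler
    never consults the token and the forged request goes through unchanged.
    """
    if csrf_protection and not csrf_token_is_valid(session, form_id, fields.get(TOKEN_FIELD)):
        return "rejected"
    return "accepted"


def simulate(csrf_protection: bool) -> Tuple[str, str, str]:
    """Replay three submissions that all arrive with the victim's session cookie:
    the site's own form, a cross-site forgery with no token, and a forgery that
    guesses a token. Returns the handler's verdict for each."""
    session = Session()
    html = render_form(session, "change_email")
    match = re.search(rf'name="{TOKEN_FIELD}" value="([^"]+)"', html)
    assert match is not None
    real_token = match.group(1)

    legitimate = {"email": "me@example.com", TOKEN_FIELD: real_token}
    forged_no_token = {"email": "attacker@example.com"}
    forged_guessed = {"email": "attacker@example.com", TOKEN_FIELD: secrets.token_urlsafe(32)}

    return (
        handle_post(session, "change_email", legitimate, csrf_protection),
        handle_post(session, "change_email", forged_no_token, csrf_protection),
        handle_post(session, "change_email", forged_guessed, csrf_protection),
    )


if __name__ == "__main__":
    print("protection on: ", simulate(True))
    print("protection off:", simulate(False))
```

With protection on, only the submission carrying the token that was rendered into the victim's own form is accepted; with the switch off, the handler accepts all three, which is exactly the exposure the affected Symfony releases created for applications that had not enabled the setting explicitly.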