Command Injection
idno/known is vulnerable to Command Injection. The vulnerability is due to improper handling of file imports combined with template path traversal, which allows an attacker to write malicious files and execute arbitrary code on the server...
Command Injection
Overview: idno/known is a social publishing platform. Affected versions of this package are vulnerable to Command Injection through the importImagesFromBodyHTML process and unsanitized template parameter handling. An attacker can execute arbitrary operating system commands as the web server user...
Server-side Request Forgery (SSRF)
Overview: idno/known is a social publishing platform. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the Session::tryAuthUser authentication flag handling and UnfurledUrl::unfurl resolution in Idno/Core/Session.php and Idno/Entities/UnfurledUrl.php. An...
Privilege Escalation
idno/known is vulnerable to Privilege Escalation. The vulnerability exists due to the lack of validation of the password reset token in the getContent function of Reset.php, allowing an attacker to take over accounts through password reset poisoning by providing a malicious HTTP header...
GHSA-5JGJ-H9WP-53FR Known vulnerable to code execution via SVG file in v1.3.1
An issue in the isSVG function of Known v1.3.1 allows attackers to execute arbitrary code via a crafted SVG file. The researcher report indicates that versions 1.3.1 and prior are vulnerable. Version 1.2.2 is the last version tagged on GitHub and in Packagist, and development related to the 1.3.x...
GHSA-P757-4V3P-J74F Known vulnerable to account takeover via host header injection attack in v1.3.1
Known v1.3.1 was discovered to allow attackers to perform an account takeover via a host header injection attack. The researcher report indicates that versions 1.3.1 and prior are vulnerable. Version 1.2.2 is the last version tagged on GitHub and in Packagist, and development related to the 1.3.x...
Known v1.3.1 contains Insecure Direct Object Reference
Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR). The researcher report indicates that versions 1.3.1 and prior are vulnerable. Version 1.2.2 is the last version tagged on GitHub and in Packagist, and development related to the 1.3.x branch is currently on the dev...