4 matches found
XML External Entity (XXE) Injection
neos/flow is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to the MediaTypeConverter improperly handling XML input, which could be exploited to conduct XXE attacks...
GHSA-9CW3-J7WG-JWJ8 Neos Flow Information disclosure in entity security
If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user, such as the company they belong to, entity security did not work properly together with the Doctrine query cache. This could lead to other users re-using SQL queries from...
Neos Flow Arbitrary file upload and XML External Entity processing
It has been discovered that Flow 3.0.0 allows arbitrary file uploads, including server-side scripts, posing the risk of attacks. If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible: information disclosure, placeme...