
335 matches found

Fedora (added 2023/02/11 12:33 a.m., 22 views)

[SECURITY] Fedora 37 Update: php-symfony4-4.4.50-1.fc37

Symfony PHP framework version 4. NOTE: Does not require PHPUnit bridge...

CVSS 8.8 | AI score 2.7 | EPSS 0.00182 | Exploits: 1
OpenVAS (added 2023/02/11 12:00 a.m., 18 views)

Fedora: Security Advisory for php-symfony4 (FEDORA-2023-aecde14648)

The remote host is missing an update for the ... Copyright (C) 2023 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

CVSS 8.8 | AI score 8.8 | EPSS 0.00182 | Exploits: 1 | References: 2
NVD (added 2023/02/03 10:15 p.m., 12 views)

CVE-2022-24895

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users, Symfony by default regenerates the session ID upon login but preserves the rest of the session attributes. Because this does not clear CSRF tokens upon login, this might enable...

CVSS 8.8 | AI score 7.4 | EPSS 0.00021 | Exploits: 0 | References: 5
Debian CVE (added 2023/02/03 9:45 p.m., 21 views)

CVE-2022-24895

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users, Symfony by default regenerates the session ID upon login but preserves the rest of the session attributes. Because this does not clear CSRF tokens upon login, this might enable...

CVSS 8.8 | AI score 8.8 | EPSS 0.00021 | Exploits: 0
Prion (added 2022/12/22 7:15 p.m., 14 views)

Design/Logic Flaw

CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched; please upgrade to version 4.2.11 or later and configure Config\App::$proxyIPs. As a workaround, do not use...

CVSS 5 | AI score 7.5 | EPSS 0.0014 | Exploits: 1 | References: 2 | Affected software: 1
CVE (added 2022/10/13 12:00 a.m., 71 views)

CVE-2022-35944

CVE-2022-35944 affects October CMS (Laravel-based). The flaw allows bypass of the Safe Mode cms.safe_mode when an attacker with admin Editor access crafts a request to inject PHP code into a CMS template. Patches exist in v2.2.34 and v3.0.66; no public exploit details are provided in the connecte...

CVSS 7.2 | AI score 6.6 | EPSS 0.00532 | Exploits: 0 | References: 1 | Affected software: 1
Cvelist (added 2022/10/13 12:00 a.m., 19 views)

CVE-2022-35944 October CMS Safe Mode bypass leads to authenticated RCE (Remote Code Execution)

October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin pan...

CVSS 6.2 | AI score 7.2 | EPSS 0.00532 | Exploits: 0 | References: 1
Prion (added 2022/07/12 8:15 p.m., 10 views)

Race condition

October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the fromData method, an unauthenticated user can perform remote co...

CVSS 6.8 | AI score 8.4 | EPSS 0.02925 | Exploits: 0 | References: 2 | Affected software: 1
CVE (added 2022/07/12 8:05 p.m., 94 views)

CVE-2022-24800

CVE-2022-24800 describes a race-condition vulnerability in the October CMS upload process. If a plugin exposes the public method October\Rain\Database\Attach\File::fromData and a user can supply a filename, an unauthenticated attacker can achieve remote code execution by racing in the temporary ...

CVSS 8.1 | AI score 8.5 | EPSS 0.02925 | Exploits: 0 | References: 2 | Affected software: 1
Cvelist (added 2022/07/12 8:05 p.m., 17 views)

CVE-2022-24800 Race Condition in October CMS upload process

October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the fromData method, an unauthenticated user can perform remote co...

CVSS 8.1 | AI score 8.7 | EPSS 0.02925 | Exploits: 0 | References: 2
CNVD (added 2022/07/11 12:00 a.m., 18 views)

HumHub Cross-Site Scripting Vulnerability (CNVD-2022-82657)

HumHub is a set of open source social networking software written on the Yii PHP framework. HumHub suffers from a cross-site scripting vulnerability that could be exploited by attackers to insert malicious JavaScript into the space name...

CVSS 5.9 | AI score 2 | EPSS 0.00302 | Exploits: 0 | References: 1
CNVD (added 2022/06/10 12:00 a.m., 14 views)

HumHub has an unspecified vulnerability (CNVD-2022-82660)

HumHub is a set of open source social networking software written on the Yii PHP framework. HumHub has a security vulnerability that could be exploited by attackers to escalate privileges...

CVSS 9.8 | AI score 3.2 | EPSS 0.00334 | Exploits: 0 | References: 1
CNVD (added 2022/05/19 12:00 a.m., 19 views)

HumHub Licensing Issue Vulnerability

HumHub is a set of open source social networking software written on the Yii PHP framework. HumHub suffers from an authorization issue vulnerability that stems from the possibility of registered users becoming unauthorized members of a private space. No detailed vulnerability details are availabl...

CVSS 6.5 | AI score 3.2 | EPSS 0.00332 | Exploits: 1 | References: 1
Github Security Blog (added 2022/05/17 4:38 a.m., 16 views)

Yii PHP Framework arbitrary PHP scripts execution

The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property...

CVSS 7.5 | AI score 7.9 | EPSS 0.0057 | Exploits: 0 | References: 4 | Affected software: 1
OSV (added 2022/05/17 4:38 a.m., 19 views)

GHSA-74QV-RV53-5WCX Yii PHP Framework arbitrary PHP scripts execution

The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property...

CVSS 7.5 | AI score 7.1 | EPSS 0.0057 | Exploits: 0 | References: 4
CNNVD (added 2022/05/11 12:00 a.m., 2 views)

ShopWind Path Traversal Vulnerability

ShopWind is B2B2C and O2O e-commerce system software based on the Yii 2.0 framework, deeply reconstructed by China ShopWind. With it you can easily create and publish your own branded, professional e-commerce platform for a full range of branding and product promotion. ShopWind version v3.4.2 and t...

CVSS 5.3 | AI score 6 | EPSS 0.00264 | Exploits: 1 | References: 2
Prion (added 2022/03/09 11:15 p.m., 8 views)

Default credentials

Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions, user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3...

CVSS 3.5 | AI score 4.1 | EPSS 0.00159 | Exploits: 0 | References: 1 | Affected software: 1
CVE (added 2022/03/09 10:25 p.m., 103 views)

CVE-2022-24744

CVE-2022-24744 affects Shopware (an open commerce platform based on Symfony and Vue): in affected versions, user sessions remain active after a password reset via the recovery flow. Root cause (as described in security docs): insufficient session expiration management allowing a u...

CVSS 3.5 | AI score 3.8 | EPSS 0.00159 | Exploits: 0 | References: 1 | Affected software: 1
OSV (added 2022/03/09 10:25 p.m., 13 views)

CVE-2022-24745 Guest session is shared between customers in Shopware

Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions, guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected b...

CVSS 4.8 | AI score 6.4 | EPSS 0.00186 | Exploits: 0 | References: 3
CVE (added 2022/03/09 10:25 p.m., 111 views)

CVE-2022-24745

CVE-2022-24745 affects Shopware (Shopware platform) when HTTP caching is enabled. The issue allows guest sessions to be shared between customers due to improper handling of HTTP cache headers in affected versions (Varnish setups are not affected). Root cause is related to caching behavior that ex...

CVSS 6.5 | AI score 5.6 | EPSS 0.00186 | Exploits: 0 | References: 1 | Affected software: 1