335 matches found
CVE-2023-46733
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, SessionStrategyListener does not migrate the session after every successful login. It does so only in case the logged in...
CVE-2023-46734
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use issafe=html but don't actually ensure their input is safe. As of...
CVE-2023-46735
CVE-2023-46735 concerns the Symfony PHP framework. From version 6.0.0 up to, but not including, 6.3.8, the error message in WebhookController exposed unescaped user-submitted input in responses. As of 6.3.8, Symfony’s WebhookController no longer returns any user-submitted input in its response, m...
CVE-2023-46735
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in WebhookController returns unescaped user-submitted input. As of version 6.3.8, WebhookController now doesn't return any...
CVE-2023-46735 Symfony potential Cross-site Scripting in WebhookController
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in WebhookController returns unescaped user-submitted input. As of version 6.3.8, WebhookController now doesn't return any...
CVE-2023-46735 Symfony potential Cross-site Scripting in WebhookController
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in WebhookController returns unescaped user-submitted input. As of version 6.3.8, WebhookController now doesn't return any...
CVE-2023-46734 Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use issafe=html but don't actually ensure their input is safe. As of...
CVE-2023-46733 Symfony possible session fixation vulnerability
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, SessionStrategyListener does not migrate the session after every successful login. It does so only in case the logged in...
CVE-2023-46733
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, SessionStrategyListener does not migrate the session after every successful login. It does so only in case the logged in...
CVE-2023-46240 CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround,...
CVE-2023-46240 CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround,...
Economizzer Code Injection Vulnerability
Economizzer is a simple and open source personal finance management system using PHP Yii Framework 2 by Gustavo G. Andrade, an individual developer. A code injection vulnerability exists in Economizzer v.0.9-beta1, which stems from a host header injection vulnerability that allows an attacker to...
CakeFuzzer - Automatically And Continuously Discover Vulnerabilities In Web Applications Created Based On Specific Frameworks
Cake Fuzzer is a project that is meant to help automatically and continuously discover vulnerabilities in web applications created based on specific frameworks with very limited false positives. Currently it is implemented to support the Cake PHP framework. If you would like to learn more about t...
Debian: Security Advisory (DLA-3493-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Debian dla-3493 : php-symfony - security update
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3493 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-3493-1 [email protected]...
[SECURITY] [DLA 3493-1] symfony security update
Debian LTS Advisory DLA-3493-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin July 11, 2023 https://wiki.debian.org/LTS Package : symfony Version : 3.4.22+dfsg-2+deb10u2 CVE ID : CVE-2021-21424 CVE-2022-24894 CVE-2022-24895 Multiple security vulnerabilities were...
Cross site scripting
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Users with the backend.managebranding permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting...
CVE-2023-37269
Winter CMS is vulnerable to a stored XSS due to unsanitized SVG uploads in the branding logo function prior to v1.2.3. The issue requires an attacker with backend.manage_branding permission (or higher) and user interaction by visiting the URL of the malicious SVG; exploitation is further constrai...
X-Man SQL注入漏洞
X-Man is a backend system based on ThinkPHP framework developed by S1xGod individual developers. A security vulnerability exists in X-Man version 1.0. An attacker exploited the vulnerability to perform SQL injection attacks...
CVE-2023-27580
CodeIgniter Shield (for CodeIgniter 4) has a vulnerability in its password storage due to an improper implementation, making all hashed passwords stored in Shield v1.0.0-beta.3 or earlier easier to crack. A fix exists: upgrade to Shield v1.0.0-beta.4 or later. After upgrading, all users’ hashed p...