9 matches found
EUVD-2017-17817
Malware in sbrugna...
XML External Entity (XXE)
symphonycms/symphony-2 is vulnerable to XML External Entity (XXE) attacks. The vulnerability exists because external entities are not disabled in the function convertFromXMLString of symphony\lib\toolkit\class.xmlelement.php...
Cross-site Scripting (XSS)
symphonycms/symphony-2 is vulnerable to cross-site scripting. An attacker is able to inject and execute malicious script or HTML into the fields'body' param via events\event.publisharticle.php when a user visits the page...
Cross-site Scripting (XSS)
symphonycms/symphony-2 is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists due to the lack of sanitization of the page title parameter, allowing self-XSS attacks to occur...
Cross-site Scripting (XSS)
symphonycms/symphony-2 is vulnerable to cross-site scripting (XSS) attacks. Attackers are able to inject web script through the following parameters in content/content.systempreferences.php: emailsendmailfromname, emailsendmailfromaddress, emailsmtpfromname, emailsmtpfromaddress, emailsmtphost,...
Cross-site Scripting (XSS)
symphonycms/symphony-2 is vulnerable to cross-site scripting (XSS) attacks. A flaw in template/usererror.missingextension.php allows attackers to inject script through the existing-folder parameter...
Remote Code Execution (RCE)
symphonycms/symphony-2 is vulnerable to remote code execution (RCE). This is due to a lack of sanitization of user input strings, allowing a malicious user to inject and execute arbitrary script through symphony/content/content.blueprintsdatasources.php...
CVE-2017-8876
Symphony 2 2.6.11 has XSS in the metanavigationgroup parameter to content/content.blueprintssections.php...
CVE-2017-8876
Symphony 2 2.6.11 has XSS in the metanavigationgroup parameter to content/content.blueprintssections.php...