1702 matches found
DOS attack in FOSUserBundle login form
More info at https://symfony.com/cve-2013-5750...
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
More info at https://www.drupal.org/sa-core-2020-009...
Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005
More info at https://www.drupal.org/sa-core-2019-005...
Drupal core - Critical - Remote code execution - SA-CORE-2020-012
More info at https://www.drupal.org/sa-core-2020-012...
RCE vulnerability in "cookie" session driver
More info at https://blog.laravel.com/laravel-cookie-security-releases...
Moderately critical - Cross Site Scripting
More info at https://www.drupal.org/sa-core-2018-003...
CVE-2019-18887: Use constant time comparison in UriSigner
More info at https://symfony.com/cve-2019-18887...
Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-004...
PHP Code Injection
phpWhois PHP Code Injection\nVulnerability Overview\nphpWhois and some of its forks in versions before 5.1.0 are prone to a\ncode injection vulnerability due to insufficient sanitization of returned\nWHOIS data. This allows attackers controlling the WHOIS information of a\nrequested domain to...
phpseclib does not properly limit the ASN1 OID length
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f2qx-66wf-wvvx. This link is maintained to preserve external references. Original Description An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the...
TYPO3-EXT-SA-2023-007: Broken Access Control in extension "hCaptcha for EXT:form" (hcaptcha)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-007...
TYPO3-EXT-SA-2023-004: Cross-Site Scripting in extension "Faceted Search" (ke_search)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-004...
CVE-2023-22729 - Open redirect vulnerability on CMSSecurity relogin screen
More info at https://www.silverstripe.org/download/security-releases/cve-2023-22729...
Cross site scripting vulnerability in Javascript escaping
Impact An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the...
TYPO3-EXT-SA-2023-002: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-002...
CVE-2022-24894: Prevent storing cookie headers in HttpCache
More info at https://symfony.com/cve-2022-24894...
TYPO3-CORE-SA-2022-010: Cross-Site Scripting in <f:asset.css> view helper
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-010...
GHSA-47m6-46mj-p235: By-passing Cross-Site Scripting Protection in HTML Sanitizer
Meta CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C 5.7 Problem Due to a parsing issue in upstream package masterminds/html5, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanis...
Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack.
Description Impact Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
More info at https://www.drupal.org/sa-core-2022-014...
CVE-2022-23601: CSRF token missing in forms
More info at https://symfony.com/cve-2022-23601...
CVE-2020-26138 FormField: with square brackets in field name skips validation
More info at https://www.silverstripe.org/download/security-releases/cve-2020-26138...
Improper Certificate Validation in WP-CLI framework
Impact An improper error handling in HTTPS requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including the ability...
CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms
More info at https://symfony.com/cve-2021-21424...
TYPO3-CORE-SA-2021-004: Cross-Site Scripting in Form Framework
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-004...
TYPO3-CORE-SA-2020-011: Cleartext storage of session identifier
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-011...
Directory Traversal on ZIP extraction
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-024...
PRODSECBUG-2405: Injection vulnerability via email templates
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2478: Broken authentication and session managememt
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2190: Stored cross-site scripting in the admin panel
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
PRODSECBUG-2380: Stored cross-site scripting in the Currency Symbols field
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
Exposed suppressed username or log in Special:EditTags
More info at https://phabricator.wikimedia.org/T222036...
Cross-Site Scripting in Fluid Engine
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-013...
CVE-2018-11406: CSRF Token Fixation
More info at https://symfony.com/cve-2018-11406...
CVE-2018-11385: Session Fixation Issue for Guard Authentication
More info at https://symfony.com/cve-2018-11385...
Remote attackers could obtain potentially sensitive information from exception messages printed by the error handler in non-debug mode.
More info at https://www.yiiframework.com/news/165/yii-2-0-14-is-released/...
CVE-2017-16653: CSRF protection does not use different tokens for HTTP and HTTPS
More info at https://symfony.com/cve-2017-16653...
Views can allow unauthorized users to see Statistics information
More info at https://www.drupal.org/SA-CORE-2016-002...
CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails
More info at https://symfony.com/cve-2016-1902...
JSON Data encoded for use in HTML was not safe to use in IE6/IE7, possible XSS attacks
More info at https://www.yiiframework.com/news/86/yii-2-0-4-is-released/...
Possible link spoofing on the homepage when anchors are used
More info at https://typo3.org/security/advisory/typo3-core-sa-2014-003...
SQL injection vector when manually quoting values for sqlsrv extension, using null byte
More info at https://framework.zend.com/security/advisory/ZF2014-06...
Unguarded calls to __toString() when nesting an object into an array
More info at https://symfony.com/blog/cve-2024-51754-unguarded-calls-to-tostring-in-a-sandbox-when-an-object-is-in-an-array-or-an-argument-list...
CVE-2018-14773: Remove support for legacy and risky HTTP headers
More info at https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers...
CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
More info at https://symfony.com/cve-2026-48736...
Drupal core - Critical - Cross-site scripting - SA-CORE-2021-003
More info at https://www.drupal.org/sa-core-2021-003...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002
More info at https://www.drupal.org/sa-core-2020-002...
Critical - Arbitrary PHP code execution
More info at https://www.drupal.org/sa-core-2019-002...
Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
More info at https://www.drupal.org/sa-core-2021-002...
Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data...