Friendsofphp - Page 14 of Friendsofphp Most Viewed Vulnerabilities List

7.5CVSS9.7AI score0.06195EPSS

PHP Code Injection

5.3CVSS7.2AI score0.00928EPSS

Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008

More info at https://www.drupal.org/sa-core-2020-008...

6.1CVSS5.9AI score0.012EPSS

Cross-Site Scripting

I've picked up on the work started over at https://github.com/erusev/parsedown/pull/276 and rebased on erusev/master. Since this is rebased on master, I can't point at PR at naNuke/master without running into the merge conflicts that I've already resolved manually. I've implemented what I suggest...

7.5CVSS7.2AI score0.01089EPSS

Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011

More info at https://www.drupal.org/sa-core-2020-011...

7.5CVSS7.2AI score0.01089EPSS

Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011

More info at https://www.drupal.org/sa-core-2020-011...

9.8CVSS7.2AI score0.05491EPSS

CVE-2019-10910: Check service IDs are valid

More info at https://symfony.com/cve-2019-10910...

Insecure Random Number Generator

Insecure RNG: stormpath-sdk-php/src/Util/UUID.php Lines 167 to 181 in 15aee30 / Generate an UUID version 4 pseudo random / static private function generateRandom$ns, $node $uuid = self::$muuidfield; $uuid'timehi' = 4 12 | mtrand0, 0x1000; $uuid'clockseqhi' = 1 7 | mtrand0, 128; $uuid'timelow' =...

0.9AI score

9.8CVSS9.7AI score0.06195EPSS

PHP Code Injection

phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...

5.8CVSS5.1AI score0.00345EPSS

Secret data exfiltration via symfony parameters

Impact Symfony parameters which is what Mautic transforms configuration parameters into can be used within other Symfony parameters by design. However, this also means that an admin who is normally not privy to certain parameters, such as database credentials, could expose them by leveraging any ...

9.6CVSS7.2AI score0.02395EPSS

Mautic core - Highly Critical - XSS vulnerability leveraged through referrers could allow un-authorized admin access

More info at https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4...

8.2CVSS7.8AI score0.83244EPSS

Denial of Service via HTTP/2 CONTINUATION Frames

amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the ENDHEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of...

9.8CVSS9.7AI score0.06195EPSS

PHP Code Injection

Friends Of PHP•added 2025/05/20 10:0 a.m.•21 views

TYPO3-EXT-SA-2025-007: Multiple vulnerabilities in extension "Backup Plus" (ns_backup)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-007...

8.6CVSS7.2AI score0.00301EPSS

Friends Of PHP•added 2023/11/27 6:31 p.m.•21 views

phpseclib vulnerable to denial of service

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2f25-pfq3-c7h8. This link is maintained to preserve external references. Original Description In Math/BinaryField.php in phpseclib 3 before 3.0.34, excessively large degrees in binary fields can lead to a denial...

7.5CVSS7AI score0.00756EPSS

Friends Of PHP•added 2023/06/09 10:36 a.m.•21 views

TYPO3-EXT-SA-2023-004: Cross-Site Scripting in extension "Faceted Search" (ke_search)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-004...

5.8CVSS6.9AI score0.00341EPSS

Friends Of PHP•added 2022/12/13 9:19 a.m.•21 views

TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-017...

6.1CVSS7.2AI score0.00438EPSS

Friends Of PHP•added 2022/06/27 5:27 a.m.•21 views

CVE-2022-29858: Unpublished, protected files can be published via shortcode

More info at https://www.silverstripe.org/download/security-releases/cve-2022-29858...

4.3CVSS7.2AI score0.00962EPSS

Friends Of PHP•added 2022/06/23 1:55 p.m.•22 views

Server-Side Request Forgery in dompdf/dompdf

Server-Side Request Forgery SSRF in GitHub repository dompdf/dompdf prior to 2.0.0...

5.3CVSS5.2AI score0.00846EPSS

Friends Of PHP•added 2022/06/14 7:11 a.m.•21 views

TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-005...

7.2CVSS7.2AI score0.01157EPSS

Friends Of PHP•added 2022/02/15 1:54 a.m.•22 views

A cross-site scripting vulnerability

Description Impact SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+xml were not affected. Patches This...

4.3CVSS5.6AI score0.00671EPSS

Friends Of PHP•added 2021/10/23 11:11 a.m.•21 views

CVE-2021-41268: Remember me cookie persistance after password changes

More info at https://symfony.com/cve-2021-41268...

8.8CVSS7.2AI score0.01283EPSS

Friends Of PHP•added 2021/07/20 9:14 a.m.•21 views

TYPO3-CORE-SA-2021-009: Cross-Site Scripting in Page Preview

More info at https://typo3.org/security/advisory/typo3-core-sa-2021-009...

6.4CVSS7.2AI score0.00603EPSS

Friends Of PHP•added 2021/03/16 8:59 a.m.•21 views

TYPO3-CORE-SA-2021-004: Cross-Site Scripting in Form Framework

More info at https://typo3.org/security/advisory/typo3-core-sa-2021-004...

5.4CVSS5.8AI score0.00872EPSS

Friends Of PHP•added 2021/03/06 1:37 p.m.•21 views

Path Traversal within joomla/archive zip class

More info at https://developer.joomla.org/security-centre/848-20210308-core-path-traversal-within-joomla-archive-zip-class.html...

5.5CVSS7.2AI score0.01161EPSS

Friends Of PHP•added 2020/09/24 1:26 a.m.•21 views

Non-jqueryMsg version of mw.message(…).parse() doesn't escape HTML

More info at https://phabricator.wikimedia.org/T115888...

6.1CVSS7.2AI score0.01089EPSS

Friends Of PHP•added 2020/07/28 8:18 a.m.•21 views

TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure

More info at https://typo3.org/security/advisory/typo3-core-sa-2020-008...

8.8CVSS7.2AI score0.02229EPSS

Friends Of PHP•added 2019/06/25 12:0 a.m.•21 views

PRODSECBUG-2378: Stored cross-site scripting in the Return Product comments feature

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...

5.4CVSS7.2AI score0.00566EPSS

Friends Of PHP•added 2019/06/25 12:0 a.m.•21 views

PRODSECBUG-2270: Reflected cross-site scripting in the admin panel

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...

4.8CVSS7.2AI score0.00557EPSS

Friends Of PHP•added 2019/06/11 4:34 p.m.•21 views

CVE-2019-12149: Potential SQL injection in restfulserver and registry modules

More info at https://www.silverstripe.org/download/security-releases/cve-2019-12149...

9.8CVSS7.2AI score0.01355EPSS

Friends Of PHP•added 2019/05/06 2:40 p.m.•21 views

By-passing Protection of PharStreamWrapper Interceptor

More info at https://typo3.org/security/advisory/typo3-psa-2019-007...

9.8CVSS7.2AI score0.05586EPSS

Friends Of PHP•added 2019/04/20 10:8 p.m.•21 views

Unsafe deserialization in SmtpTransport

More info at https://bakery.cakephp.org/2019/04/23/cakephp37736153518released.html...

7.5CVSS7.2AI score0.02058EPSS

Friends Of PHP•added 2019/04/09 10:24 a.m.•21 views

Existing sessions are not correctly invalidated when a user changes their password

More info at https://contao.org/en/news/security-vulnerability-cve-2019-10641.html...

9.8CVSS7.2AI score0.01048EPSS

Friends Of PHP•added 2018/11/06 11:52 a.m.•21 views

CVE-2018-19790: Open Redirect Vulnerability on login

More info at https://symfony.com/cve-2018-19790...

6.1CVSS7.2AI score0.01485EPSS

Friends Of PHP•added 2018/11/06 11:52 a.m.•21 views

CVE-2018-19789: Temporary uploaded file path disclosure

More info at https://symfony.com/cve-2018-19789...

5.3CVSS7.2AI score0.03589EPSS

Friends Of PHP•added 2018/05/25 11:46 a.m.•21 views

CVE-2018-11385: Session Fixation Issue for Guard Authentication

More info at https://symfony.com/cve-2018-11385...

8.1CVSS7.2AI score0.02014EPSS

Friends Of PHP•added 2018/02/20 9:35 p.m.•21 views

JavaScript cross-site scripting prevention is incomplete.

More info at https://www.drupal.org/SA-CORE-2018-001...

6.1CVSS7.2AI score0.01705EPSS

Friends Of PHP•added 2017/11/01 7:2 p.m.•21 views

Arbitrary code execution via a crafted email address

More info at https://github.com/zetacomponents/Mail/issues/58...

6.8CVSS7.8AI score0.10652EPSS

Exploits3Affected Software1

Friends Of PHP•added 2017/08/25 11:35 a.m.•21 views

Cross Site Scripting (XSS) in the consentAdmin module

More info at https://simplesamlphp.org/security/201709-01...

6.1CVSS7.2AI score0.01223EPSS