1702 matches found
PHP file inclusion via insert tags
More info at https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.html...
Insert tag injection in front end forms
More info at https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html...
CVE-2019-10912: Prevent destructors with side-effects from being unserialized
More info at https://symfony.com/cve-2019-10912...
CVE-2018-14773: Remove support for legacy and risky HTTP headers
More info at https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers...
CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances
More info at https://symfony.com/cve-2019-18889...
TYPO3-EXT-SA-2025-007: Multiple vulnerabilities in extension "Backup Plus" (ns_backup)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-007...
Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page
Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page Vulnerability Overview The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page. Identifier :...
Microweber Business Logic Errors
More info at https://nvd.nist.gov/vuln/detail/CVE-2023-6566...
CVE-2023-22728 - Missing permission check in GridFieldPrintButton
More info at https://www.silverstripe.org/download/security-releases/cve-2023-22728...
TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-014...
CVE-2022-28803: Stored XSS in link tags added via XHR
More info at https://www.silverstripe.org/download/security-releases/cve-2022-28803...
CVE-2022-25238: Stored XSS via HTML fields
More info at https://www.silverstripe.org/download/security-releases/cve-2022-25238...
TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-005...
Multi-Factor Authentication issue in Laravel Fortify
Laravel Fortify before 1.11.1 allows reuse within a short time window, thus calling into question the "OT" part of the "TOTP" concept...
Disallow non closures in the sort filter
More info at https://symfony.com/blog/twig-security-release-disallow-non-closures-in-the-sort-filter...
CVE-2021-36150 - Insert from files link text - Reflective (self) Cross Site Scripting
More info at https://www.silverstripe.org/download/security-releases/CVE-2021-36150...
TYPO3-CORE-SA-2021-012: Information Disclosure in User Authentication
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-012...
Missing argument delimiter can lead to command execution via VCS repository URLs or source download URLs on systems with Mercurial
URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow commands to be executed in the HgDriver if hg/Mercurial is installed on the system. Impact - The impact to Composer users directly is limit...
TYPO3-CORE-SA-2021-007: Cross-Site Scripting in Content Preview
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-007...
TYPO3-CORE-SA-2021-001: Open Redirection in Login Handling
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-001...
TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-006...
TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-005...
TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-002...
makeCollapsible allows applying event handler to any CSS selector
More info at https://phabricator.wikimedia.org/T246602...
Exposed suppressed username via Special:Redirect
More info at https://phabricator.wikimedia.org/T230402...
PRODSECBUG-2322: Arbitrary code execution due to unsafe handling of a shipping gateway
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...
PRODSECBUG-2267: Use of insufficiently random values when generating initialization vector
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...
PRODSECBUG-2172: Insecure user credential storage
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
Possible Arbitrary Code Execution in Image Processing
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-012...
Confirming an opt-in token does not invalidate previous opt-in tokens
More info at https://contao.org/en/news/security-vulnerability-cve-2019-10643.html...
Sandbox Information Disclosure
More info at https://symfony.com/blog/twig-sandbox-information-disclosure...
Cross-Site Scripting in Bootstrap CSS toolkit
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-006...
CVE-2019-1000011: Access control bypass in GraphQL mutations
| Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | 2364 | License | MIT | Doc PR | This prevents passing IRIs belonging to different resource classes, which would bypass access control in some instances s...
CVE-2018-11386: Denial of service when using PDOSessionHandler
More info at https://symfony.com/cve-2018-11386...
Cross-site scripting (XSS) vulnerability in the system log of the back end
More info at https://contao.org/en/news/contao-4418.html...
Potential SQL injection in methods `yii\db\ActiveRecord::findOne()` and `::findAll()`
More info at https://www.yiiframework.com/news/168/releasing-yii-2-0-15-and-database-extensions-with-security-fixes/...
jQuery vulnerability with untrusted domains.
More info at https://www.drupal.org/SA-CORE-2018-001...
Session fixation and authentication bypass (authcrypt module)
More info at https://simplesamlphp.org/security/201705-01...
Incorrect IV generation for encryption
More info at https://simplesamlphp.org/security/201703-02...
Some admin paths were not protected with a CSRF token
More info at https://www.drupal.org/SA-2017-001...
Remote Code Execution when using the mail transport
More info at https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html...
Incorrect persistent NameID generation
More info at https://simplesamlphp.org/security/201612-04...
Incorrect signature verification
More info at https://simplesamlphp.org/security/201612-01...
Vulnerability to Response Wrapping attacks resulting in a malicious user gaining unauthorized access to a system.
Improve Signature validation process. Validates NameID only if strict is enabled...
Open redirect via double-encoded 'destination' parameter
More info at https://www.drupal.org/SA-CORE-2016-001...
CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service
More info at https://symfony.com/cve-2015-8125...
Multiple CRLF injection vulnerabilities
This release contains an important security update. Security update Takeshi Terada discovered that PHPMailer accepted addresses containing line breaks. This is valid in RFC5322, but allowing such addresses resulted in invalid RFC5321 SMTP commands, permitting a kind of message injection attack...
Potential CRLF injection attacks in mail and HTTP headers
More info at https://framework.zend.com/security/advisory/ZF2015-04...
Potential CRLF injection attacks in mail and HTTP headers
More info at https://framework.zend.com/security/advisory/ZF2015-04...
A directory traversal vulnerability allows back end users to view files outside their document root
More info at https://contao.org/en/news/directory-traversal-vulnerability-cve-2015-0269.html...