1702 matches found
Potential CRLF injection attacks in mail and HTTP headers
More info at https://framework.zend.com/security/advisory/ZF2015-04...
Potential CRLF injection attacks in mail and HTTP headers
More info at https://framework.zend.com/security/advisory/ZF2015-04...
A directory traversal vulnerability allows back end users to view files outside their document root
More info at https://contao.org/en/news/directory-traversal-vulnerability-cve-2015-0269.html...
SQL injection vector when manually quoting values for sqlsrv extension, using null byte
More info at https://framework.zend.com/security/advisory/ZF2014-06...
Potential XXE security issue
improved XXE fix CVE-2014-2053...
Security issue when parsing the Authorization header
More info at https://symfony.com/cve-2014-6061...
Possible Host Spoofing through SERVER_NAME
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/...
Validation metadata serialization and loss of information
More info at https://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released...
Ability to enable/disable PHP parsing in Yaml::parse()
More info at https://symfony.com/blog/security-release-symfony-2-0-22-and-2-1-7-released...
Multiple XSS vulnerabilities exploitable on Internet Explorer
More info at http://htmlpurifier.org/security/2010/css-quoting...
Existing sessions are not correctly invalidated when a user changes their password
More info at https://contao.org/en/news/security-vulnerability-cve-2019-10641.html...
CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances
More info at https://symfony.com/cve-2019-18889...
CVE-2019-12186: XSS injection in the Grid component
More info at https://sylius.com/blog/cve-2019-12186/...
CVE-2020-15245: Ability to switch customer email address on account detail page and stay verified
Impact The user may register in a shop by email [email protected], verify it, change it to the mail [email protected] and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any...
Denial of Service via HTTP/2 CONTINUATION Frames
amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the ENDHEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of...
Password reset phishing vulnerability
More info at https://laravel.com/docs/5.4/releaseslaravel-5.4.22...
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010
More info at https://www.drupal.org/sa-core-2020-010...
Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data...
Moderately critical - Third-party libraries - SA-CORE-2019-007
More info at https://www.drupal.org/SA-CORE-2019-007...
Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
More info at https://www.drupal.org/sa-core-2020-008...
CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
More info at https://symfony.com/cve-2019-18888...
TYPO3-EXT-SA-2023-004: Cross-Site Scripting in extension "Faceted Search" (ke_search)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-004...
TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering
More info at https://typo3.org/security/advisory/typo3-core-sa-2023-001...
CVE-2022-46170: Potential Session Handlers Vulnerability
Impact When an application uses 1 multiple session cookies e.g., one for user pages and one for admin pages and 2 a session handler is set to DatabaseHandler, MemcachedHandler, or RedisHandler, then if an attacker gets one session cookie e.g., one for user pages, they may be able to access pages...
TYPO3-CORE-SA-2022-007: User Enumeration via Response Timing
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-007...
Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack.
Impact Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-...
TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-005...
Cross site scripting via canonical URL
More info at https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html...
CVE-2022-38146 - URL XSS vulnerability due to outdated jquery in CMS
More info at https://www.silverstripe.org/download/security-releases/cve-2022-38146...
CVE-2021-25817 XXE: Vulnerability in CSSContentParser
More info at https://www.silverstripe.org/download/security-releases/cve-2021-25817...
Improper Certificate Validation in phpseclib
More info at https://github.com/phpseclib/phpseclib/pull/1635...
TYPO3-CORE-SA-2021-008: Cross-Site Scripting in Content Preview
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-008...
TYPO3-CORE-SA-2021-006: Cleartext storage of session identifier
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-006...
Insecure Deserialization in Query Generator & Query View
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-026...
CVE-2019-11325: Fix escaping of strings in VarExporter
More info at https://symfony.com/cve-2019-11325...
PRODSECBUG-2445: Insufficient logging and monitoring of configuration changes
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
CVE-2019-12204: Missing warning on install.php on public webroot can lead to unauthenticated admin access
More info at https://www.silverstripe.org/download/security-releases/cve-2019-12204/...
Cross-Site Scripting in Link Handling
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-015...
PRODSECBUG-2245: Stored cross-site scripting in store shipping methods configuration
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
PRODSECBUG-2226: Stored cross-site scripting in the admin panel
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
PRODSECBUG-2298: Arbitrary code execution through product imports and design layout update
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...
PRODSECBUG-2363: Stored cross-site scripting in the admin panel
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
PRODSECBUG-2387: Cross site request forgery attacks are possible via the gift card removal feature
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...
Possible Arbitrary Code Execution in Image Processing
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-012...
SUPEE-11086 - RCE, XSS, CSRF and other vulnerabilities
More info at https://magento.com/security/patches/supee-11086...
Potential enwiki DOS due to slow WatchedItemStore::countVisitingWatchersMultiple
More info at https://phabricator.wikimedia.org/T204729...
Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
There was a problem hiding this comment. Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Choose a reason Spam Abuse Off Topic Outdated Duplicate Resolved Hide comment I'm afraid this change is wrong. fileexists is not the only...
CVE-2018-11385: Session Fixation Issue for Guard Authentication
More info at https://symfony.com/cve-2018-11385...
Incorrect signature validation
More info at https://simplesamlphp.org/security/201802-01...
Comment reply form allows access to restricted content.
More info at https://www.drupal.org/SA-CORE-2018-001...