Friendsofphp - Page 15 of Friendsofphp Most Viewed Vulnerabilities List

Friends Of PHP•added 2016/02/15 6:57 p.m.•21 views

Open redirect via double-encoded 'destination' parameter

More info at https://www.drupal.org/SA-CORE-2016-001...

7.4CVSS7.2AI score0.01352EPSS

Friends Of PHP•added 2016/02/15 6:57 p.m.•21 views

Brute force amplification attacks via XML-RPC

More info at https://www.drupal.org/SA-CORE-2016-001...

7.5CVSS7.2AI score0.01426EPSS

Friends Of PHP•added 2016/02/15 6:57 p.m.•21 views

Session data truncation can lead to unserialization of user provided data

More info at https://www.drupal.org/SA-CORE-2016-001...

8.1CVSS7.2AI score0.0319EPSS

Friends Of PHP•added 2015/12/07 12:7 a.m.•21 views

Information Disclosure

This release is superseded by version 0.7.0 This is a security-focused release that addresses a number of vulnerabilities that can expose your system to exploitation. In tandem with this release we have also posted a document to the wiki with advice for securing dompdf. Please read the new docume...

8.8CVSS7.6AI score0.39374EPSS

Exploits7Affected Software1

Friends Of PHP•added 2015/08/31 12:36 p.m.•21 views

Security Misconfiguration Vulnerability in various Doctrine projects

More info at https://www.doctrine-project.org/2015/08/31/securitymisconfigurationvulnerabilityinvariousdoctrineprojects.html...

7.8CVSS7.2AI score0.00384EPSS

Friends Of PHP•added 2015/05/10 3:38 a.m.•21 views

JSON Data encoded for use in HTML was not safe to use in IE6/IE7, possible XSS attacks

More info at https://www.yiiframework.com/news/86/yii-2-0-4-is-released/...

4.3CVSS7.2AI score0.01521EPSS

Friends Of PHP•added 2015/04/01 6:55 p.m.•21 views

Unsafe methods in the Request class

More info at https://symfony.com/cve-2015-2309...

7.2AI score0.00785EPSS

Friends Of PHP•added 2015/04/01 6:55 p.m.•21 views

Esi Code Injection

More info at https://symfony.com/cve-2015-2308...

6.8CVSS7.2AI score0.01365EPSS

Friends Of PHP•added 2013/04/11 10:24 a.m.•21 views

Local file exposure on Windows installations

More info at https://groups.google.com/forum/?fromgroups=!topic/sabredav-discuss/ehOUu7wTSGQ...

5CVSS6.4AI score0.01779EPSS

7.5CVSS9.7AI score0.06195EPSS

PHP Code Injection

phpWhois PHP Code Injection\nVulnerability Overview\nphpWhois and some of its forks in versions before 5.1.0 are prone to a\ncode injection vulnerability due to insufficient sanitization of returned\nWHOIS data. This allows attackers controlling the WHOIS information of a\nrequested domain to...

9.8CVSS7.2AI score0.01275EPSS

Drupal core - Less critical - Access bypass - SA-CORE-2020-006

More info at https://www.drupal.org/sa-core-2020-006...

8CVSS7.2AI score0.02275EPSS

Critical - Third Party Libraries

More info at https://www.drupal.org/sa-core-2019-001...

9.8CVSS9.7AI score0.06195EPSS

PHP Code Injection

phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...

6.1CVSS7.2AI score0.00661EPSS

Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002

More info at https://www.drupal.org/sa-core-2021-002...

9.8CVSS9.3AI score0.26172EPSS

Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data...

Exploits7Affected Software1

RCE vulnerability in "cookie" session driver

More info at https://blog.laravel.com/laravel-cookie-security-releases...

7.2AI score

9.6CVSS7.2AI score0.02694EPSS

Mautic core - Highly Critical - XSS vulnerability leveraged through referrers could allow un-authorized admin access

More info at https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4...

9.8CVSS7.2AI score0.01854EPSS

CVE-2019-10913: Reject invalid HTTP method overrides

More info at https://symfony.com/cve-2019-10913...

6.1CVSS7.2AI score0.0074EPSS

Cross-site scripting (XSS) vulnerability in the system log

More info at https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021.html...

4.8CVSS7.2AI score0.00557EPSS

Cross site scripting via HTML attributes in the back end

More info at https://contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html...

Friends Of PHP•added 2022/12/13 9:18 a.m.•20 views

TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-013...

6.5CVSS7.2AI score0.00479EPSS

Friends Of PHP•added 2022/09/22 1:54 p.m.•20 views

Remote file inclusion

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule...

7.5CVSS7.5AI score0.04057EPSS

Exploits3Affected Software1

Friends Of PHP•added 2022/07/20 6:0 p.m.•20 views

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

More info at https://www.drupal.org/sa-core-2022-012...

7.5CVSS7.2AI score0.00667EPSS

Friends Of PHP•added 2022/06/27 5:27 a.m.•20 views

CVE-2022-24444: Hybridsessions does not expire session id on logout

More info at https://www.silverstripe.org/download/security-releases/cve-2022-24444...

6.5CVSS7.2AI score0.00721EPSS

Friends Of PHP•added 2021/06/07 10:31 p.m.•20 views

CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth

More info at https://www.silverstripe.org/download/security-releases/cve-2020-26136...

6.5CVSS7.2AI score0.01157EPSS

Friends Of PHP•added 2021/05/14 2:37 p.m.•20 views

Improper Certificate Validation in WP-CLI framework

Description Impact An improper error handling in HTTPS requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including...

7.5CVSS7.2AI score0.01312EPSS

Friends Of PHP•added 2021/05/12 8:0 a.m.•20 views

CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms

More info at https://symfony.com/cve-2021-21424...

5.3CVSS5.7AI score0.01712EPSS

Friends Of PHP•added 2021/03/16 8:58 a.m.•20 views

TYPO3-CORE-SA-2021-006: Cleartext storage of session identifier

More info at https://typo3.org/security/advisory/typo3-core-sa-2021-006...

7.5CVSS7.8AI score0.00918EPSS

Friends Of PHP•added 2020/11/16 9:38 p.m.•20 views

Cross-Site Scripting through Fluid view helper arguments

More info at https://typo3.org/security/advisory/typo3-core-sa-2020-009...

8CVSS7.2AI score0.01026EPSS

Friends Of PHP•added 2020/07/25 11:16 a.m.•20 views

Vulnerability which allows remote image dimensions check to be used to SSRF

More info at https://www.phpbb.com/community/viewtopic.php?f=14&t=2562636...

5.8CVSS7.2AI score0.00966EPSS

Friends Of PHP•added 2020/03/30 2:0 p.m.•20 views

CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header

More info at https://symfony.com/cve-2020-5255...

4.3CVSS7.2AI score0.01297EPSS

Friends Of PHP•added 2019/10/08 12:0 a.m.•20 views

PRODSECBUG-2398: Cross-Site Scripting via Customer Attribute Labels

More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...

5.4CVSS7.2AI score0.00556EPSS

7.5CVSS7.2AI score0.01186EPSS

PRODSECBUG-2174: Use of insufficiently random values in multiple security relevant contexts

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...

6.5CVSS7.2AI score0.00439EPSS

PRODSECBUG-2387: Cross site request forgery attacks are possible via the gift card removal feature

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...

7.5CVSS7.2AI score0.01186EPSS

PRODSECBUG-2267: Use of insufficiently random values when generating initialization vector

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...

7.5CVSS7.2AI score0.01151EPSS

PRODSECBUG-2095: Defense-in-depth session validation check implemented

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...

Friends Of PHP•added 2019/05/30 8:55 p.m.•20 views

Exposed suppressed log in RevisionDelete page

More info at https://phabricator.wikimedia.org/T222038...

6.5CVSS7.2AI score0.01382EPSS

Friends Of PHP•added 2019/05/30 8:55 p.m.•20 views

Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API

More info at https://phabricator.wikimedia.org/T199540...

7.5CVSS7.2AI score0.01362EPSS

Friends Of PHP•added 2019/05/07 6:59 a.m.•20 views

Cross-Site Scripting in Fluid Engine

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-013...

4.3CVSS6.2AI score0.00955EPSS

Friends Of PHP•added 2019/04/09 12:21 p.m.•20 views

The CSRF token check can be bypassed

More info at https://contao.org/en/news/security-vulnerability-cve-2019-10642.html...

8.8CVSS7.2AI score0.00499EPSS

Friends Of PHP•added 2019/03/26 12:0 a.m.•20 views

SUPEE-11086 - RCE, XSS, CSRF and other vulnerabilities

More info at https://magento.com/security/patches/supee-11086...

9.8CVSS7.2AI score0.17437EPSS

Exploits2Affected Software1

Friends Of PHP•added 2018/09/20 6:59 p.m.•20 views

BotPassword can bypass CentralAuth's account lock

More info at https://phabricator.wikimedia.org/T194605...

6.5CVSS6.7AI score0.01916EPSS