1702 matches found
XSS vulnerabililty in the front end "unsubscribe" module of the newsletter extension
More info at https://contao.org/en/news/contao-3532.html...
Entity access bypass for entities that do not have UUIDs or have protected revisions.
More info at https://www.drupal.org/SA-CORE-2017-004...
A logged in back end user can include arbitrary existing PHP files by manipulating an URL parameter
More info at https://contao.org/en/news/contao-3528.html...
File upload access bypass and denial of service
More info at https://www.drupal.org/SA-CORE-2016-001...
Brute force amplification attacks via XML-RPC
More info at https://www.drupal.org/SA-CORE-2016-001...
Brute force amplification attacks via XML-RPC
More info at https://www.drupal.org/SA-CORE-2016-001...
HTTP header injection using line breaks
More info at https://www.drupal.org/SA-CORE-2016-001...
Email address can be matched to an account
More info at https://www.drupal.org/SA-CORE-2016-001...
Composer Cache Injection vulnerability
More info at http://flyingmana.de/blogen/2016/02/14/composercacheinjectionvulnerabilitycve20158371.html...
CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails
More info at https://symfony.com/cve-2016-1902...
Denial Of Service Vector
This release is superseded by version 0.7.0 This is a security-focused release that addresses a number of vulnerabilities that can expose your system to exploitation. In tandem with this release we have also posted a document to the wiki with advice for securing dompdf. Please read the new docume...
Security Misconfiguration Vulnerability in the AWS SDK for PHP
SECURITY FIX: This release addresses a security issue associated with CVE-2015-5723, specifically, fixes improper default directory umask behavior that could potentially allow unauthorized modifications of PHP code. Thanks to @ryan-lane for the initial report. - Aws\Ec2 - Added support for...
Validation metadata serialization and loss of information
More info at https://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released...
PHPMemcachedAdmin Path Traversal vulnerability
More info at https://nvd.nist.gov/vuln/detail/CVE-2023-6026...
CVE-2019-10912: Prevent destructors with side-effects from being unserialized
More info at https://symfony.com/cve-2019-10912...
CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient
More info at https://symfony.com/cve-2024-50342...
CVE-2019-18887: Use constant time comparison in UriSigner
More info at https://symfony.com/cve-2019-18887...
CVE-2019-18886: Prevent user enumeration using switch user functionality
More info at https://symfony.com/cve-2019-18886...
PHP Code Injection
phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...
Privilege escalation with the form generator
More info at https://contao.org/en/security-advisories/privilege-escalation-with-the-form-generator.html...
Secret data exfiltration via symfony parameters
Impact Symfony parameters which is what Mautic transforms configuration parameters into can be used within other Symfony parameters by design. However, this also means that an admin who is normally not privy to certain parameters, such as database credentials, could expose them by leveraging any ...
Critical - Third Party Libraries
More info at https://www.drupal.org/sa-core-2019-001...
Moderately critical - Third-party libraries - SA-CORE-2019-007
More info at https://www.drupal.org/SA-CORE-2019-007...
Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004
More info at https://www.drupal.org/sa-core-2020-004...
Key Commitment Issues in S3 Encryption Clients
More info at https://aws.amazon.com/security/security-bulletins/AWS-2025-032/...
CVE-2023-44401 View permissions are bypassed for paginated lists of ORM data in GraphQL queries
More info at https://www.silverstripe.org/download/security-releases/CVE-2023-44401...
Improper Input Validation in headers
Impact Improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. Patches The issue is patched in 1.6.1. Workarounds Ther...
CVE-2022-24895: Possible CSRF token fixation
More info at https://symfony.com/cve-2022-24895...
TYPO3-CORE-SA-2022-010: Cross-Site Scripting in <f:asset.css> view helper
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-010...
CVE-2022-29858: Unpublished, protected files can be published via shortcode
More info at https://www.silverstripe.org/download/security-releases/cve-2022-29858...
Server-Side Request Forgery in dompdf/dompdf
Server-Side Request Forgery SSRF in GitHub repository dompdf/dompdf prior to 2.0.0...
Missing input validation can lead to command execution in composer
The Composer method VcsDriver::getFileContent with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used. This led to a vulnerability on Packagist.or...
A cross-site scripting vulnerability
Description Impact SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+xml were not affected. Patches This...
CVE-2021-41268: Remember me cookie persistance after password changes
More info at https://symfony.com/cve-2021-41268...
CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request
More info at https://symfony.com/cve-2021-41267...
TYPO3-CORE-SA-2021-009: Cross-Site Scripting in Page Preview
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-009...
TYPO3-CORE-SA-2021-009: Cross-Site Scripting in Page Preview
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-009...
CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms
More info at https://symfony.com/cve-2021-21424...
TYPO3-CORE-SA-2021-004: Cross-Site Scripting in Form Framework
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-004...
TYPO3-CORE-SA-2021-006: Cleartext storage of session identifier
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-006...
TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-008...
CVE-2019-19326: Web Cache Poisoning through HTTPRequestBuilder
More info at https://www.silverstripe.org/download/security-releases/cve-2019-19326/...
Cross-Site Scripting in Link Handling
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-015...
PRODSECBUG-2316: Stored cross-site scripting in the admin panel
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
PRODSECBUG-2208: Insufficient authorization check when adding users to company accounts
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...
PRODSECBUG-2320: Arbitrary code execution due to unsafe handling of system configuration
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...
PRODSECBUG-2363: Stored cross-site scripting in the admin panel
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
PRODSECBUG-2387: Cross site request forgery attacks are possible via the gift card removal feature
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...
CVE-2019-12149: Potential SQL injection in restfulserver and registry modules
More info at https://www.silverstripe.org/download/security-releases/cve-2019-12149...
Unsafe deserialization in SmtpTransport
More info at https://bakery.cakephp.org/2019/04/23/cakephp37736153518released.html...