CVE-2018-11406: CSRF Token Fixation
More info at https://symfony.com/cve-2018-11406...
Settings Tray access bypass.
More info at https://www.drupal.org/SA-CORE-2018-001...
CVE-2017-11365: Empty passwords validation issue
More info at https://symfony.com/cve-2017-11365...
A logged in back end user can include arbitrary existing PHP files by manipulating an URL parameter
More info at https://contao.org/en/news/contao-441.html...
PECL YAML parser unsafe object handling
More info at https://www.drupal.org/SA-CORE-2017-003...
Arbitrary shell execution
Security Advisory: This release contains a fix for a security advisory related to the improper handling of shell commands. Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases. A properly crafted filename or configuration option would allow for arbitrary co...
Environment Variable Injection
More info at https://typo3.org/security/advisory/typo3-core-sa-2016-019...
Saving user accounts can sometimes grant the user all roles
More info at https://www.drupal.org/SA-CORE-2016-002...
Open redirect via path manipulation
More info at https://www.drupal.org/SA-CORE-2016-001...
HTTP header injection using line breaks
More info at https://www.drupal.org/SA-CORE-2016-001...
Session data truncation can lead to unserialization of user provided data
More info at https://www.drupal.org/SA-CORE-2016-001...
Email address can be matched to an account
More info at https://www.drupal.org/SA-CORE-2016-001...
Composer Cache Injection vulnerability
More info at http://flyingmana.de/blogen/2016/02/14/composercacheinjectionvulnerabilitycve20158371.html...
CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails
More info at https://symfony.com/cve-2016-1902...
Remote Code Execution Vulnerability
More info at https://developer.joomla.org/security-centre/637-20151205-session-remote-code-execution-vulnerability.html...
Security Misconfiguration Vulnerability in various Doctrine projects
More info at https://www.doctrine-project.org/2015/08/31/securitymisconfigurationvulnerabilityinvariousdoctrineprojects.html...
class yii\web\ViewAction allowed to include arbitrary files that end with .php
More info at https://www.yiiframework.com/news/87/yii-2-0-5-is-released-security-fix/...
CVE-2015-4050: ESI unauthorized access
More info at https://symfony.com/cve-2015-4050...
Potential CRLF injection attacks in mail and HTTP headers
More info at https://framework.zend.com/security/advisory/ZF2015-04...
Critical vulnerabilities in JSON Web Token libraries
More info at https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/...
Denial of Service in OpenID System Extension
More info at https://typo3.org/security/advisory/typo3-core-sa-2014-002...
Anonymous authentication in ldap_bind() function of PHP, using null byte
More info at https://framework.zend.com/security/advisory/ZF2014-05...
Security issue when parsing the Authorization header
More info at https://symfony.com/cve-2014-6061...
Cross-Site Scripting in TYPO3 Flow
More info at https://www.neos.io/blog/flow-sa-2013-001.html...
Routes behind a firewall are accessible even when not logged in
More info at https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released...
XSS vulnerability exploitable on Internet Explorer
More info at http://htmlpurifier.org/news/2010/0531-4.1.1-released...
Remote Code Execution via Chosen-Ciphertext Attack
framework/src/Titon/Crypto/OpenSslCipher.hh, lines 30 to 39 in cbf4472: public function decrypt(string $payload): mixed { $payload = $this->decodePayload($payload); $method = $this->getMethod(); $value = openssl_decrypt(hex2bin($payload['data']), $method, $this->getKey(), OPENSSL_RAW_DATA, hex2bin($payload['iv'])); if ($valu...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005
More info at https://www.drupal.org/sa-core-2020-005...
CVE-2019-10911: Add a separator in the remember me cookie hash
More info at https://symfony.com/cve-2019-10911...
Privilege escalation with the form generator
More info at https://contao.org/en/security-advisories/privilege-escalation-with-the-form-generator.html...
Missing output escaping for the null coalesce operator
More info at https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator...
Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page
Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page. Vulnerability Overview: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to improper encoding of route parameters in the debug-mode error page. Identifier:...
SS-2024-001 - TinyMCE allows svg files linked in object tags
More info at https://www.silverstripe.org/download/security-releases/ss-2024-001...
Observable Response Discrepancy on Admin Login
Impact: Over the Admin Login form it is possible to detect which usernames and email addresses exist and which do not. Impacted by this issue are Sulu installation = 2.5.0 and getMessage(); instead the $exception->getMessageKey(); References: Currently no references...
Improper Input Validation in headers
Impact Improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. Patches The issue is patched in 1.6.1. Workarounds Ther...
TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-014...
Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
More info at https://www.drupal.org/sa-core-2022-013...
TYPO3-CORE-SA-2022-001: Information Disclosure via Export Module
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-001...
Cross-Site Scripting
More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-011...
Path manipulation
matyhtf framework v3.0.5 is affected by a path manipulation vulnerability in Smarty.class.php. The issue was fixed in version 3.0.6...
A cross-site scripting vulnerability
Impact SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+xml were not affected. Patches This issue is fix...
Possible RCE when rendering untrusted user templates
Fix CVE-2022-0323, possible RCE when rendering untrusted user templates, reported by @altm4n via huntr.dev - Improve compatibility with PHP 8.1...
Sandbox Escape by math function
Impact Template authors could run arbitrary PHP code by crafting a malicious math string. If a math string is passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Patches Please upgrade to 4.0.2 or 3.1.42 or...
TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-006...
CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
More info at https://symfony.com/cve-2019-18888...
PRODSECBUG-2426: Cross-Site Scripting via store name
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...