Friendsofphp - Page 17 of Friendsofphp Most Viewed Vulnerabilities List

Friends Of PHP•added 2018/09/20 6:59 p.m.•19 views

$wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie'

More info at https://phabricator.wikimedia.org/T169545...

4.3CVSS5AI score0.01517EPSS

Friends Of PHP•added 2018/03/02 2:30 p.m.•19 views

Incorrect signature validation

More info at https://simplesamlphp.org/security/201803-01...

8.1CVSS7.2AI score0.01221EPSS

Friends Of PHP•added 2018/01/16 10:51 a.m.•19 views

Incorrect Access Control vulnerability in src/Firebase/Auth/IdTokenVerifier.php does not verify for token signature that can result in JWT with any email address and user ID could be forged from an actual token, or from thin air.

Bugfixes Fixed a security issue discovered by @hernandev that enabled an attacker to impersonate any registered user in a Firebase application...

6.8CVSS7.7AI score0.01335EPSS

Friends Of PHP•added 2018/01/16 10:51 a.m.•19 views

Bugfixes Fixed a security issue discovered by @hernandev that enabled an attacker to impersonate any registered user in a Firebase application...

8.1CVSS7.9AI score0.01335EPSS

Friends Of PHP•added 2017/06/21 6:13 p.m.•19 views

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

More info at https://www.drupal.org/SA-CORE-2017-003...

6.5CVSS7.2AI score0.01947EPSS

Friends Of PHP•added 2017/03/15 8:19 p.m.•19 views

Remote code execution

More info at https://www.drupal.org/SA-2017-001...

8.1CVSS7.2AI score0.03901EPSS

Friends Of PHP•added 2017/02/01 10:45 a.m.•19 views

Remote Code Execution in Qquoteadv/controllers/DownloadController.php

More info at https://cart2quote.zendesk.com/hc/en-us/articles/115000616303--FIXED-Security-Vulnerability-in-downloadCustomOptionAction...

0.8AI score

Friends Of PHP•added 2016/06/15 8:59 p.m.•19 views

Saving user accounts can sometimes grant the user all roles

More info at https://www.drupal.org/SA-CORE-2016-002...

8.8CVSS7.2AI score0.02531EPSS

Friends Of PHP•added 2016/02/15 6:57 p.m.•19 views

Reflected file download vulnerability

More info at https://www.drupal.org/SA-CORE-2016-001...

8.5CVSS7.2AI score0.02483EPSS

Friends Of PHP•added 2015/11/23 11:45 a.m.•19 views

CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service

More info at https://symfony.com/cve-2015-8125...

7.5CVSS7.2AI score0.02545EPSS

Friends Of PHP•added 2015/09/15 6:52 p.m.•19 views

Filesystem Permissions Issues in Multiple Components

More info at https://framework.zend.com/security/advisory/ZF2015-07...

7.8CVSS7.2AI score0.00384EPSS

Friends Of PHP•added 2015/08/31 1:34 p.m.•19 views

Security Misconfiguration Vulnerability in various Doctrine projects

More info at https://www.doctrine-project.org/2015/08/31/securitymisconfigurationvulnerabilityinvariousdoctrineprojects.html...

7.8CVSS7.2AI score0.00384EPSS

Friends Of PHP•added 2015/08/31 1:2 p.m.•19 views

Security Misconfiguration Vulnerability in various Doctrine projects

More info at https://www.doctrine-project.org/2015/08/31/securitymisconfigurationvulnerabilityinvariousdoctrineprojects.html...

7.8CVSS7.2AI score0.00384EPSS

Friends Of PHP•added 2015/04/01 6:55 p.m.•19 views

Unsafe methods in the Request class

More info at https://symfony.com/cve-2015-2309...

7.2AI score0.00785EPSS

Friends Of PHP•added 2015/04/01 6:55 p.m.•19 views

Esi Code Injection

More info at https://symfony.com/cve-2015-2308...

6.8CVSS7.2AI score0.01365EPSS

Friends Of PHP•added 2015/03/01 9:13 a.m.•19 views

PHP object injection attack vulnerability in Slim.

https://github.com/slimphp/Slim/blob/master/Slim/Middleware/SessionCookie.phpL127 Generally, it's a bad idea to blindly unserialize user-controllable input. https://www.owasp.org/index.php/PHPObjectInjection EDIT - for people who don't want to read the whole thread: The SessionCookie class is not...

7.5CVSS6AI score0.02515EPSS

Friends Of PHP•added 2014/03/10 9:57 p.m.•19 views

Arbitrary file read in dompdf

More info at https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/...

6.8CVSS7.2AI score0.39374EPSS

Exploits6Affected Software1

Friends Of PHP•added 2013/01/15 9:21 p.m.•19 views

Ability to enable/disable object support in YAML parsing and dumping

More info at https://symfony.com/blog/security-release-symfony-2-0-22-and-2-1-7-released...

7.5CVSS6.7AI score0.01619EPSS

4.3CVSS6.1AI score0.01244EPSS

Cross-site scripting (XSS) vulnerability in Paypal-Merchant-SDK-PHP

Hello: I have find a Reflected XSS vulnerability in this sdk. The vulnerability exists due to insufficient filtration of user-supplied data in “token” HTTP GET parameter that will be passed to “merchant-sdk-php\samples\AccountAuthentication\GetAuthDetails.html.php”. The infected source code is li...

7.5CVSS2.9AI score0.26172EPSS

Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

There was a problem hiding this comment. Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Choose a reason Spam Abuse Off Topic Outdated Duplicate Resolved Hide comment I'm afraid this change is wrong. fileexists is not the only...

Exploits7Affected Software1

7.5CVSS9.7AI score0.06195EPSS

PHP Code Injection

phpWhois PHP Code Injection\nVulnerability Overview\nphpWhois and some of its forks in versions before 5.1.0 are prone to a\ncode injection vulnerability due to insufficient sanitization of returned\nWHOIS data. This allows attackers controlling the WHOIS information of a\nrequested domain to...

SQL Server LIMIT / OFFSET SQL Injection

Impact Those using SQL Server with Laravel and allowing user input to be passed directly to the limit and offset functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability. Patches This problem has been patched on Laravel...

7.9AI score

7.5CVSS7.2AI score0.01752EPSS

TOTP throttle not enforced cross-wiki

More info at https://phabricator.wikimedia.org/T251661...

Mautic core - Moderately Critical - XSS vulnerability when creating/editing a company

More info at https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4...

7.2AI score

6.1CVSS7.2AI score0.00633EPSS

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010

More info at https://www.drupal.org/sa-core-2020-010...

6.1CVSS5.8AI score0.00799EPSS

Possible cross-site scripting (XSS) vulnerability in the Blade templating engine

A security researcher has disclosed a possible XSS vulnerability in the Blade templating engine. Given the following two Blade templates: resources/views/parent.blade.php: html @section'content' @show resources/views/child.blade.php: html @extends'parent' @section'content' @endsection And a route...

7.5CVSS6.6AI score0.00633EPSS

CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie

More info at https://symfony.com/cve-2024-51996...

6.1CVSS7.2AI score0.00883EPSS

CVE-2019-12205: Clipboard Reflected XSS

More info at https://www.silverstripe.org/download/security-releases/cve-2019-12205/...

9.8CVSS9.7AI score0.06195EPSS

PHP Code Injection

phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...

3.1CVSS6.6AI score0.00465EPSS

CVE-2024-50343: Incorrect response from Validator when input ends with ` `

More info at https://symfony.com/cve-2024-50343...

Friends Of PHP•added 2023/12/13 11:55 a.m.•18 views

TYPO3-EXT-SA-2023-010: Broken Access Control in extension "femanager" (femanager)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-010...

7.2AI score0.00341EPSS