1702 matches found
PRODSECBUG-2320: Arbitrary code execution due to unsafe handling of system configuration
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...
Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API
More info at https://phabricator.wikimedia.org/T199540...
Cross-Site Scripting in Fluid Engine
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-013...
By-passing Protection of PharStreamWrapper Interceptor
More info at https://typo3.org/security/advisory/typo3-psa-2019-007...
Existing sessions are not correctly invalidated when a user changes their password
More info at https://contao.org/en/news/security-vulnerability-cve-2019-10641.html...
CVE-2018-19790: Open Redirect Vulnerability on login
More info at https://symfony.com/cve-2018-19790...
CVE-2018-11385: Session Fixation Issue for Guard Authentication
More info at https://symfony.com/cve-2018-11385...
Comment reply form allows access to restricted content.
More info at https://www.drupal.org/SA-CORE-2018-001...
Arbitrary code execution via a crafted email address
More info at https://github.com/zetacomponents/Mail/issues/58...
Entity access bypass for entities that do not have UUIDs or have protected revisions.
More info at https://www.drupal.org/SA-CORE-2017-004...
A logged in back end user can include arbitrary existing PHP files by manipulating an URL parameter
More info at https://contao.org/en/news/contao-441.html...
File REST resource does not properly validate
More info at https://www.drupal.org/SA-CORE-2017-003...
Some admin paths were not protected with a CSRF token
More info at https://www.drupal.org/SA-2017-001...
Full config export can be downloaded without administrative permissions
More info at https://www.drupal.org/SA-CORE-2016-004...
Composer Cache Injection vulnerability
More info at http://flyingmana.de/blogen/2016/02/14/composercacheinjectionvulnerabilitycve20158371.html...
CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails
More info at https://symfony.com/cve-2016-1902...
Remote Code Execution Vulnerability
More info at https://developer.joomla.org/security-centre/637-20151205-session-remote-code-execution-vulnerability.html...
Information Disclosure
This release is superseded by version 0.7.0 This is a security-focused release that addresses a number of vulnerabilities that can expose your system to exploitation. In tandem with this release we have also posted a document to the wiki with advice for securing dompdf. Please read the new docume...
Filesystem Permissions Issues in Multiple Components
More info at https://framework.zend.com/security/advisory/ZF2015-07...
Security Misconfiguration Vulnerability in various Doctrine projects
More info at https://www.doctrine-project.org/2015/08/31/securitymisconfigurationvulnerabilityinvariousdoctrineprojects.html...
class yii\web\ViewAction allowed to include arbitrary files that end with .php
More info at https://www.yiiframework.com/news/87/yii-2-0-5-is-released-security-fix/...
Routes behind a firewall are accessible even when not logged in
More info at https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released...
Cross-site scripting (XSS) vulnerability in Paypal-Merchant-SDK-PHP
Hello: I have find a Reflected XSS vulnerability in this sdk. The vulnerability exists due to insufficient filtration of user-supplied data in “token” HTTP GET parameter that will be passed to “merchant-sdk-php\samples\AccountAuthentication\GetAuthDetails.html.php”. The infected source code is li...
Remote Code Execution via Chosen-Ciphertext Attack
framework/src/Titon/Crypto/OpenSslCipher.hh Lines 30 to 39 in cbf4472 public function decryptstring $payload: mixed $payload = $this-decodePayload$payload; $method = $this-getMethod; $value = openssldecrypthex2bin$payload'data', $method, $this-getKey, OPENSSLRAWDATA, hex2bin$payload'iv'; if $valu...
Cross-site scripting (XSS) vulnerability in the system log
More info at https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021.html...
Cross site scripting via HTML attributes in the back end
More info at https://contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html...
PHP Code Injection
phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...
Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data...
Mautic core - Moderately Critical - XSS vulnerability when creating/editing a company
More info at https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4...
Critical - Third Party Libraries
More info at https://www.drupal.org/sa-core-2019-001...
Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
More info at https://www.drupal.org/sa-core-2020-008...
Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
More info at https://www.drupal.org/sa-core-2021-002...
CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
More info at https://symfony.com/cve-2026-46644...
Missing output escaping for the null coalesce operator
More info at https://symfony.com/blog/twig-cve-2025-24374-missing-output-escaping-for-the-null-coalesce-operator...
SS-2024-001 - TinyMCE allows svg files linked in object tags
More info at https://www.silverstripe.org/download/security-releases/ss-2024-001...
TYPO3-EXT-SA-2023-011: Configuration Injection in extension "Direct Mail" (direct_mail)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-011...
TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-016...
TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-014...
TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-013...
Remote file inclusion
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule...
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012
More info at https://www.drupal.org/sa-core-2022-012...
CVE-2022-24444: Hybridsessions does not expire session id on logout
More info at https://www.silverstripe.org/download/security-releases/cve-2022-24444...
Possible RCE when rendering untrusted user templates
Fix CVE-2022-0323, possible RCE when rendering untrusted user templates, reported by @altm4n via huntr.dev - Improve compatibility with PHP 8.1...
Sandbox Escape by math function
Impact Template authors could run arbitrary PHP code by crafting a malicious math string. If a math string is passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Patches Please upgrade to 4.0.2 or 3.1.42 or...
CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth
More info at https://www.silverstripe.org/download/security-releases/cve-2020-26136...
Possible to circumvent title-blacklist
More info at https://phabricator.wikimedia.org/T239466...
Exposed suppressed log in RevisionDelete page
More info at https://phabricator.wikimedia.org/T222038...
Cross-Site Scripting in Fluid Engine
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-013...
By-passing Protection of PharStreamWrapper Interceptor
More info at https://typo3.org/security/advisory/typo3-psa-2019-008...
The CSRF token check can be bypassed
More info at https://contao.org/en/news/security-vulnerability-cve-2019-10642.html...