1702 matches found
Broken Access Control in Import Module
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-017...
CVE-2018-11408: Open redirect vulnerability on security handlers
More info at https://symfony.com/cve-2018-11408...
Language fallback can be incorrect on multilingual sites with node access restrictions.
More info at https://www.drupal.org/SA-CORE-2018-001...
Insecure Unserialize in TYPO3 Backend
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-023/...
SS-2016-016: XSS In CMSSecurity BackURL
More info at https://www.silverstripe.org/download/security-releases/ss-2016-016/...
Incorrect cache context on password reset page
More info at https://www.drupal.org/SA-CORE-2016-005...
Users without "Administer comments" can set comment visibility on nodes they can edit
More info at https://www.drupal.org/SA-CORE-2016-004...
Cross-site Scripting in http exceptions
More info at https://www.drupal.org/SA-CORE-2016-004...
Cache Flooding in TYPO3 Frontend
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-022...
Unauthenticated Remote Code Execution Vulnerability
More info at https://community.shopware.com/detail1918.html...
XSS attack vector in Security Library method xss_clean()
More info at https://www.codeigniter.com/userguide/changelog.htmlversion-3-0-3...
Potential XSS and Open Redirect vectors in zend-diactoros
More info at https://framework.zend.com/security/advisory/ZF2015-05...
Header injection in NativeMailerHandler
Hopefully attacker controlled data is never used to set the encoding or content type, but just in case, prevent: $nmh = new NativeMailerHandler$to, $subject, $from; $nmh-setEncoding "utf-8\r\nFrom: [email protected]"; Since the injection happened in send, there doesn't seem to be a good way to a...
Possible DOS attack with long user-submitted passwords
More info at https://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released...
Filter input to avoid XPath injection
In order to avoid XPath injection, user input must be filtered before it ends up in the query. Unfortunately, there's no way to do this with a standard method in PHP, so we need our own filtering function. Current best practice recommends using white lists instead of black lists to allow only a...
CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie
More info at https://symfony.com/cve-2024-51996...
Insecure Random Number Generator
Insecure RNG: https://github.com/stormpath/stormpath-sdk-php/blob/15aee3007b8aa41c20cdf28fd650b8a2368a7fa9/src/Util/UUID.phpL167-L181 Insecure RNG fallback: https://github.com/stormpath/stormpath-sdk-php/blob/62698ea98ef89217f932e28cf3e511d39af3b4cf/src/Authc/Api/ApiKeyEncryptionOptions.phpL48-L5...
Drupal core - Critical - Cross-site scripting - SA-CORE-2021-003
More info at https://www.drupal.org/sa-core-2021-003...
CVE-2024-50345: Open redirect via browser-sanitized URLs
More info at https://symfony.com/cve-2024-50345...
Code injection vulnerability in allSelectors()
More info at https://packetstormsecurity.com/files/cve/CVE-2020-13756...
symfony/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor
Description When a LiveProp is typed as a DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue falls back to new $className$value. The DateTime / DateTimeImmutable constructors accept relative strings such as "now", "tomorrow",...
symfony/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot binding
Description In symfony/ux-live-component, a component's server-side state is exposed to the browser as a set of props LiveProp-annotated properties. Props marked writable: true can be freely changed by the client. Read-only props are round-tripped to the browser and back, and their integrity is...
CVE-2026-45075: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
More info at https://symfony.com/cve-2026-45075...
TYPO3-EXT-SA-2026-011: XML External Entity Injection in extension "Faceted Search" (ke_search)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-011...
symfony/ux-twig-component Unsanitized HTML attribute injection via ComponentAttributes
More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...
symfony/ux-live-component Unsanitized HTML attribute injection via ComponentAttributes
More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...
CVE-2025-25197 - XSS attack in elemental "Content blocks in use" report
More info at https://www.silverstripe.org/download/security-releases/cve-2025-25197...
CVE-2024-53277 - XSS in form messages
More info at https://www.silverstripe.org/download/security-releases/cve-2024-53277...
SS-2023-002 - Cross-site scripting (XSS) vulnerabilities inherited form TinyMCE
More info at https://www.silverstripe.org/download/security-releases/SS-2023-002...
CVE-2023-32302 - Members with no password can be created and bypass custom login forms
More info at https://www.silverstripe.org/download/security-releases/CVE-2023-32302...
XSS vulnerability in blade templating
More info at https://github.com/laravel/framework/pull/31945...
PRODSECBUG-2406: Cross-Site Scripting via Payment Method Title
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2367: Remote code execution due to unsafe handling of a carrier gateway
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
CVE-2019-12203: Session fixation in "change password" form
More info at https://www.silverstripe.org/download/security-releases/cve-2019-12203/...
Arbitrary Code Execution via File List Module
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-008...
Cross-Site Scripting in Form Framework
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-007...
Information Disclosure in Install Tool
More info at https://typo3.org/security/advisory/typo3-core-sa-2018-010...
CVE-2018-19789: Temporary uploaded file path disclosure
More info at https://symfony.com/cve-2018-19789...
Action case insensitivity
Fix security breach = required role for action was not required for Action nor ACTION. Thanks to [email protected]...
Authentication Bypass in TYPO3 CMS
More info at https://typo3.org/security/advisory/typo3-core-sa-2018-001...
Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS
More info at https://typo3.org/security/advisory/typo3-core-sa-2018-002...
Adminer script versions up to 4.6.2 contains file disclosure vulnerability
More info at https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability...
Potential SQL injection vector
The SelectLimit function has a potential SQLi exploit through the use of the nrows and offset parameters which are not forced to integers. Fixes 400...
Remote Code Execution Vulnerability
More info at https://community.shopware.com/detail2015.html...
Remote Code Execution
$highlight = Pygmentize::highlight'?php phpinfo;', ';uname -a '; printr$highlight; This will produce the following output: Darwin Micheals-MBP 16.1.0 Darwin Kernel Version 16.1.0: Thu Oct 13 21:26:57 PDT 2016; root:xnu-3789.21.360/RELEASEX8664 x8664 The problem lines appear to be here:...
Local File Inclusion Vulnerability
More info at https://hackerone.com/reports/179034...
Potential SQL injection in ORDER and GROUP functions of ZF1
More info at https://framework.zend.com/security/advisory/ZF2016-03...
Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey
More info at https://framework.zend.com/security/advisory/ZF2015-10...
CVE-2015-8125: Potential Remote Timing Attack Vulnerability in Security Remember-Me Service
More info at https://symfony.com/cve-2015-8125...
SecurityComponent cross form submission issue
More info at https://bakery.cakephp.org/2014/04/29/CakePHP-1-3-18-and-2-4-8-released.html...