1702 matches found
Potential XSS vector in multiple view helpers
More info at https://framework.zend.com/security/advisory/ZF2014-03...
code injection in `Wrapper::buildClientWrapperCode` via manipulation of the `$client` argument
security fix: hardened the Client::send method against misuse of the $method argument issue 81. Abusing its value, it was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url the one used in the Client constructor. This weakne...
Potential XSS vector in Zend_Service_ReCaptcha_MailHide
More info at https://framework.zend.com/security/advisory/ZF2010-05...
CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade
More info at https://symfony.com/cve-2026-48747...
CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content
More info at https://symfony.com/cve-2026-48761...
CVE-2024-50345: Open redirect via browser-sanitized URLs
More info at https://symfony.com/cve-2024-50345...
Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
More info at https://symfony.com/cve-2026-47732...
CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
More info at https://symfony.com/cve-2026-45064...
XSS in various backend modules
More info at https://www.neos.io/blog/xss-in-various-backend-modules.html...
Remote code execution via evaluation of user-controlled input in validation rules
Impact A remote code execution RCE vulnerability affects versions 0.13.2 through 0.13.21. When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of...
CVE-2025-30148 - XSS vulnerability in HTML editor
More info at https://www.silverstripe.org/download/security-releases/cve-2025-30148...
GraphQL grant on a property might be cached with different objects
Original message: I found an issue with security grants on on properties in the GraphQL ItemNormalizer: If you use something like ApiPropertysecurity: 'isgranted"PROPERTYREAD", object, property' on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...
TYPO3-EXT-SA-2025-002: Cross-Site Scripting in extension “Additional TCA” (additional_tca)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-002...
TYPO3-EXT-SA-2023-009: Insecure Direct Object Reference in extension "Content Consent" (content_consent)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-009...
EZSA-2020-005 Editor XSS and trashed drafts in review queue
More info at https://ezplatform.com/security-advisories/ezsa-2020-005-editor-xss-and-trashed-drafts-in-review-queue...
Critical - Access bypass
More info at https://www.drupal.org/sa-core-2019-008...
Broken Access Control in Import Module
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-017...
Information Disclosure in Page Tree
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-009...
Remote code execution
More info at https://www.passbolt.com/incidents/20190211multiplevulnerabilities...
Credentials exposure in session storage
More info at https://simplesamlphp.org/security/201812-01...
Possible DOS attack with long user-submitted passwords (correct fix for CVE-2013-5958)
See https://twitter.com/CiPHPerCoder/status/1050427719941525504 for discussion...
Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS
More info at https://typo3.org/security/advisory/typo3-core-sa-2018-002...
SS-2018-012: Uploaded PHP script execution in assets
More info at https://www.silverstripe.org/download/security-releases/ss-2018-012/...
SS-2018-006: Code execution vulnerability
More info at https://www.silverstripe.org/download/security-releases/ss-2018-006/...
SQL injection possible with limit() on MySQL
The limit query method is susceptible to catastrophic SQL injection with MySQL. For example, given a model User for a table users: php UserQuery::create-limit'1;DROP TABLE users'-find; This will drop the users table! The cause appears to be a lack of integer casting of the limit input in either...
Information Disclosure in TYPO3 CMS
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-005/...
Remote code execution
More info at https://www.drupal.org/SA-2017-001...
SS-2017-001: XSS In page name
More info at https://www.silverstripe.org/download/security-releases/ss-2017-001/...
Remote Code Execution Vulnerability
More info at https://community.shopware.com/detail1989.html...
Path Traversal in TYPO3 Core
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-024/...
Local File Inclusion Vulnerability
More info at https://hackerone.com/reports/179034...
Critical vulnerabilities in JSON Web Token libraries
More info at https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/...
SS-2016-007: VersionedRequestFilter vulnerability
More info at https://www.silverstripe.org/download/security-releases/ss-2016-007/...
SQL Injection in TYPO3 Frontend Login
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-016...
Information Disclosure in TYPO3 Backend
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-017...
Link injection
More info at https://simplesamlphp.org/security/201606-01...
Uses insecure CSPRNG (openssl_random_pseudo_bytes())
It's not fork safe In most versions of PHP, it lies about being secure And today I learned that OpenSSL, by default i.e. unchangable from PHP land uses MD5 as a CSPRNG thanks @atoponce I'm stuck between several possible avenues: Release a new version v1.3.0 or most likely v2.0.0 that doesn't rely...
Cross-Site Scripting in legacy form component
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-003/...
Multiple Cross-Site Scripting vulnerabilities in frontend
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/...
Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey
More info at https://framework.zend.com/security/advisory/ZF2015-10...
CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature
More info at https://symfony.com/cve-2015-8124...
XSS attack vector in Security Library method xss_clean()
More info at https://www.codeigniter.com/userguide/changelog.htmlversion-3-0-3...
Attackers able to impersonate users
Merge branch 'disabling-none-by-default'...
Sendmail transport arbitrary shell execution
More info at http://blog.swiftmailer.org/post/88660759928/security-fix-swiftmailer-5-2-1-released...
Risk of mass-assignment vulnerabilities
More info at https://laravel.com/docs/5.3/upgradeupgrade-4.1.29...
Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse
More info at https://framework.zend.com/security/advisory/ZF2014-01...
PHP object injection vulnerability allows for arbitrary code execution
More info at https://contao.org/en/news/major-security-hole-found-in-contao.html...
Fixed issue with broken validation of JSONP callbacks
More info at https://symfony.com/blog/fosrestbundle-security-issue-with-jsonp-handler...
Local file exposure on Windows installations
More info at https://groups.google.com/forum/?fromgroups=!topic/sabredav-discuss/ehOUu7wTSGQ...
Security fixes related to the way XML is handled
More info at https://symfony.com/blog/security-release-symfony-2-0-17-released...