1697 matches found
URL Rewrite vulnerability
More info at https://framework.zend.com/security/advisory/ZF2018-01...
Non-Persistent XSS
More info at https://community.shopware.com/detail2048.html...
Information Disclosure in TYPO3 CMS
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-005/...
Invalid token creation and validation
More info at https://simplesamlphp.org/security/201708-01...
SS-2017-004: XSS in page history comparison
More info at https://www.silverstripe.org/download/security-releases/ss-2017-004/...
Missing state parameter in OAuth requests leading to CSRF vulnerability
More info at https://github.com/sensiolabs/connect/pull/63...
Flow Bugfix Releases for Entity Security
More info at https://www.neos.io/blog/flow-bugfix-releases-for-entity-security.html...
Remote Code Execution Vulnerability
More info at https://community.shopware.com/detail1989.html...
Null reset codes were allowed
More info at https://haxx.ml/post/149975211631/how-i-hacked-your-cfp-and-probably-some-other...
Arbitrary File Disclosure in Form Component
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-010/...
Denial of Service attack possibility in TYPO3 component Indexed Search
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-008/...
Cross-Site Scripting in link validator component
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-002/...
Cross-Site Scripting vulnerability in typolinks
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/...
CVE-2015-8124: Session Fixation in the "Remember Me" Login Feature
More info at https://symfony.com/cve-2015-8124...
SS-2015-017: Forum Module CSRF Vulnerability
More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-017/...
Frontend: Unauthenticated Path Disclosure
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-008/...
Insecure state generation
More info at https://github.com/laravel/socialite/pull/91...
Critical vulnerabilities in JSON Web Token libraries
More info at https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/...
SS-2016-012: Missing ACL on reports
More info at https://www.silverstripe.org/download/security-releases/ss-2016-012/...
SS-2015-007: XSS In FormAction
More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-007/...
SS-2015-003: History XSS Vulnerability
More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-003/...
XSS vulnerability in login redirect param
Security advisory: XSS vulnerability in login redirect param ZfcUser version 1.2.2 has been released and includes a security fix for this vulnerability. Fix has been applied in @baf0e460 Affected versions All versions below 1.2.2 are affected. dev-master is fixed starting from @2cc167a Exploits Becau...
Possible cache poisoning on the homepage when anchors are used
More info at https://typo3.org/security/advisory/typo3-core-sa-2014-003...
Entropy is lost in the TokenGenerator
More info at https://symfony.com/blog/fosuserbundle-entropy-of-generated-tokens-is-lost...
Authentication adapter did not verify validity of tokens
Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a release 0.1.2, tokens weren't checked for validity/expiration. This potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials...
Hijacked authentication cookies vulnerability
More info at https://laravel.com/docs/5.1/upgradeupgrade-4.1.26...
Security fixes related to the way XML is handled
More info at https://symfony.com/blog/security-release-symfony-2-0-17-released...
Fixed the user refreshing to check the identity by primary key instead of username
Changelog ========= 4.1.0 2026-02-13 Convert XML config files to other formats to fix the deprecation of XML config files in Symfony Add PHP routing files alongside the XML ones. Loading the XML routing files triggers a deprecation in Symfony 7.4. Fix deprecation in the UserChecker Fix the...
XML decoding attack vector through external entities
More info at https://symfony.com/blog/security-release-symfony-2-0-11-released...
Potential Security Issues in Bundled Dojo Library
More info at https://framework.zend.com/security/advisory/ZF2010-06...
LFI vector in Zend_View::setScriptPath() and render()
More info at https://framework.zend.com/security/advisory/ZF2009-01...
PHP Code Injection
phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013
More info at https://www.drupal.org/sa-core-2020-013...
Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001
More info at https://www.drupal.org/sa-core-2020-001...
Filter input to avoid XPath injection
Filter input for its use in XPath expressions In order to avoid XPath injection, user input must be filtered before it ends up in the query. Unfortunately, there's no way to do this with a standard method in PHP, so we need our own filtering function. Current best practice recommends using white...
PHP Code Injection
phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...
Content moderation - Moderately critical - Access bypass
More info at https://www.drupal.org/sa-core-2018-006...
Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011
More info at https://www.drupal.org/sa-core-2019-011...
Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
More info at https://symfony.com/cve-2026-47732...
symfony/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor
Description When a LiveProp is typed as a DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue falls back to new $className($value). The DateTime / DateTimeImmutable constructors accept relative strings such as "now", "tomorrow",...
TYPO3-EXT-SA-2026-009: Broken Access Control in extension "Frontend User Registration" (sf_register)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-009...
GraphQL grant on a property might be cached with different objects
Original message: I found an issue with security grants on properties in the GraphQL ItemNormalizer: If you use something like ApiProperty(security: 'is_granted("PROPERTY_READ", object, property)') on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...
GraphQL query operations security can be bypassed
Summary Using the Relay special node type you can bypass the configured security on an operation. Details Here is an example of how to apply security configurations for the GraphQL operations: php ApiResource security: "is_granted('ROLE_USER')", operations: / ... / , graphQlOperations: new...
TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-003...
SS-2024-002 - Reflected Cross Site Scripting (XSS) in error message
More info at https://www.silverstripe.org/download/security-releases/ss-2024-002...
SS-2023-001 - XSS vulnerability in underlying TinyMCE library
More info at https://www.silverstripe.org/download/security-releases/SS-2023-001...
Read private customer data reclaiming carts
Klaviyo read customer quotes for guest carts April 28th I've found an endpoint in a third-party module Klaviyo Magento 2 which allows to read private customer data from stores. It works by reclaiming any guest-cart as your own and reading the private data for the orders in the Magento API. Data -...
Regular expression Denial of Service
More info at https://typo3.org/security/advisory/typo3-ext-sa-2021-002...
$this->validate() returns all properties, not just validated ones
IMPORTANT BUGFIX $this->validate() usually only returns the validated dataset, however a regression was introduced that caused it to return ALL data on the Livewire component. 1659...
EZSA-2020-005 Editor XSS and trashed drafts in review queue
More info at https://ezplatform.com/security-advisories/ezsa-2020-005-editor-xss-and-trashed-drafts-in-review-queue...