Lucene search
K
FriendsofphpMost viewed

1702 matches found

Friends Of PHP
Friends Of PHP
added 2026/06/09 8:55 a.m.11 views

TYPO3-CORE-SA-2026-007: Broken Access Control in File Abstraction Layer

More info at https://typo3.org/security/advisory/typo3-core-sa-2026-007...

7.2CVSS5.4AI score0.00238EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/06/06 4:30 p.m.11 views

JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks

Summary JWSVerifier::getAlgorithm in src/Library/Signature/JWSVerifier.php line 144 merges protected and unprotected headers using PHP's spread operator: php $completeHeader = ...$signature-getProtectedHeader, ...$signature-getHeader; In PHP, when spreading arrays with duplicate string keys, the...

5.4AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/06/06 4:26 p.m.11 views

PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service

Impact When a JWE uses a password-based key-encryption algorithm PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW, PBES2AESKW::unwrapKey reads the p2c PBKDF2 iteration count parameter directly from the attacker-controlled JOSE header and passes it to hashpbkdf2 with no upper bound. The...

5.6AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/29 8:0 a.m.11 views

symfony/ux-live-component XSS via attacker-controlled child component tag

Description Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml interpolates the $childTag argument directly into the HTML output as a tag name, without escaping or validation. The value originates from client-controlled JSON childrenid.tag parsed by LiveComponentSubscriber an...

6AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/19 12:0 p.m.11 views

SQL Injection in extension "News system" (news)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-010...

8.2CVSS5.8AI score0.00386EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/18 3:13 p.m.11 views

TYPO3-EXT-SA-2026-012: SQL Injection in extension "Address List" (tt_address)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-012...

8.2CVSS5.8AI score0.00327EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/18 2:30 p.m.11 views

TYPO3-EXT-SA-2026-011: Path Traversal in extension "Faceted Search" (ke_search)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-011...

5.9CVSS5.8AI score0.00318EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/04/17 12:52 p.m.11 views

Argument injection via newline in PHP INI values forwarded to child processes

Impact PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...

7.8CVSS6.6AI score0.00343EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/04/03 3:2 p.m.11 views

GraphQL query operations security can be bypassed

Summary Using the Relay special node type you can bypass the configured security on an operation. Details Here is an example of how to apply security configurations for the GraphQL operations: php ApiResource security: "isgranted'ROLEUSER'", operations: / ... / , graphQlOperations: new...

7.5CVSS7.2AI score0.00439EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2021/01/01 4:46 p.m.11 views

Regular expression Denial of Service

More info at https://typo3.org/security/advisory/typo3-ext-sa-2021-002...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2020/07/06 2:8 p.m.11 views

Potentially sensitive data exposure

Impact Inside Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::onPublish, messages are arbitrarily broadcasted to the related Topic if Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::dispatch does not succeed. The dispatch method can be considered to not succeed...

7AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2020/01/01 4:15 p.m.11 views

Disclosure of files via logo_path query parameter

Require version that checks mime type...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/12/17 9:50 a.m.11 views

Cross-Site Scripting in Form Framework validation handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-021...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/12/17 9:50 a.m.11 views

Possible Insecure Deserialization in Extbase Request Handling

More info at https://typo3.org/security/advisory/typo3-psa-2019-011...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/06/25 6:39 a.m.11 views

Arbitrary Code Execution and Cross-Site Scripting in Backend API

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-019...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/06/17 5:0 p.m.11 views

Information Disclosure Security Note

More info at https://www.neos.io/blog/neos-workspace-disclosure-security.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/04/03 12:0 a.m.11 views

EZSA-2019-002 Password reset vulnerability

More info at https://share.ez.no/community-project/security-advisories/ezsa-2019-002-password-reset-vulnerability...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/02/12 12:0 p.m.11 views

Remote code execution

More info at https://www.passbolt.com/incidents/20190211multiplevulnerabilities...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/01/22 8:42 a.m.11 views

Cross-Site Scripting in Language Pack Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-004...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/01/22 8:42 a.m.11 views

Cross-Site Scripting in Language Pack Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-004...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/01/22 8:41 a.m.11 views

Broken Access Control in Localization Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-003...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/01/22 8:41 a.m.11 views

Security Misconfiguration for Backend User Accounts

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-002...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/01/22 8:41 a.m.11 views

Information Disclosure of Installed Extensions

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-001...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/12/11 9:55 a.m.11 views

Cross-Site Scripting in Frontend User Login

More info at https://typo3.org/security/advisory/typo3-core-sa-2018-008...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/12/11 9:55 a.m.11 views

Cross-Site Scripting in Online Media Asset Rendering

More info at https://typo3.org/security/advisory/typo3-core-sa-2018-006...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/10/17 12:52 p.m.11 views

EZSA-2018-006 XSS vulnerability in 'disabled module' error template

More info at http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/10/17 9:52 a.m.11 views

EZSA-2018-005 Passwordless login for LDAP users

More info at http://share.ez.no/community-project/security-advisories/ezsa-2018-005-passwordless-login-for-ldap-users...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/09/10 12:0 a.m.11 views

Magento 2.2.6 and 2.1.15 Security update

More info at https://magento.com/security/patches/magento-2.2.6-and-2.1.15-security-update...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/06/28 12:0 a.m.11 views

Adminer script versions up to 4.6.2 contains file disclosure vulnerability

More info at https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/05/24 1:11 p.m.11 views

SS-2018-005: isDev and isTest unguarded

More info at https://www.silverstripe.org/download/security-releases/ss-2018-005/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/05/24 1:11 p.m.11 views

SS-2018-008: BackURL validation bypass with malformed URLs

More info at https://www.silverstripe.org/download/security-releases/ss-2018-008/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/05/24 1:11 p.m.11 views

SS-2018-013: Passwords sent back to browsers under some circumstances

More info at https://www.silverstripe.org/download/security-releases/ss-2018-013/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/05/20 10:8 p.m.11 views

XSS in some development error pages

More info at https://bakery.cakephp.org/2018/05/20/cakephp36435173414released.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/05/14 2:20 p.m.11 views

SS-2018-011: SQL injection vulnerability

More info at https://www.silverstripe.org/download/security-releases/ss-2018-011/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/02/19 1:4 p.m.11 views

SQL injection possible with limit() on MySQL

The limit query method is susceptible to catastrophic SQL injection with MySQL. For example, given a model User for a table users: php UserQuery::create-limit'1;DROP TABLE users'-find; This will drop the users table! The cause appears to be a lack of integer casting of the limit input in either...

8.5AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/12/07 1:27 p.m.11 views

SS-2017-008: SQL injection in full text search of SilverStripe 4

More info at https://www.silverstripe.org/download/security-releases/ss-2017-008/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/12/07 1:27 p.m.11 views

SS-2017-009: Users inadvertently passing sensitive data to LoginAttempt

More info at https://www.silverstripe.org/download/security-releases/ss-2017-009/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/09/05 11:37 a.m.11 views

Cross-Site Scripting in TYPO3 CMS Backend

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-004/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/05/30 11:55 a.m.11 views

Missing state parameter in OAuth requests leading to CSRF vulnerability

No description provided...

2.8AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/04/12 5:0 p.m.11 views

Flow Bugfix Releases for Entity Security

More info at https://www.neos.io/blog/flow-bugfix-releases-for-entity-security.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/02/28 10:23 a.m.11 views

Authentication Bypass in TYPO3 Frontend

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-002/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/02/07 12:0 a.m.11 views

SUPEE-9652 - Remote Code Execution using mail vulnerability

More info at https://magento.com/security/patches/supee-9652...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/11/01 5:0 p.m.11 views

Time-Based Information Disclosure Vulnerability in Flow

More info at https://www.neos.io/blog/flow-sa-2016-001.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/11/01 5:0 p.m.11 views

Time-Based Information Disclosure Vulnerability in Flow

More info at https://www.neos.io/blog/flow-sa-2016-001.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/07/13 12:17 p.m.11 views

Cross-Site Scripting in TYPO3 Backend

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-021...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/04/13 5:30 p.m.11 views

Potential Insufficient Entropy Vulnerability in ZF1

More info at https://framework.zend.com/security/advisory/ZF2016-01...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/03/16 12:0 a.m.11 views

Uses insecure CSPRNG (openssl_random_pseudo_bytes())

It's not fork safe - In most versions of PHP, it lies about being secure - And today I learned that OpenSSL, by default i.e. unchangable from PHP land uses MD5 as a CSPRNG thanks @atoponce I'm stuck between several possible avenues: - Release a new version v1.3.0 or most likely v2.0.0 that...

7.1AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/02/23 12:28 p.m.11 views

Cross-Site Scripting in TYPO3 component CSS styled content

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-007/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/02/23 12:28 p.m.11 views

XML External Entity (XXE) Processing in TYPO3 Core

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-005/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/02/16 12:32 p.m.11 views

Cross-Site Scripting in form component

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-004/...

7.2AI score
Exploits0Affected Software1
Total number of security vulnerabilities1702