Friendsofphp - Page 28 of Friendsofphp Most Viewed Vulnerabilities List

Friends Of PHP•added 2017/12/07 1:27 p.m.•10 views

SS-2017-009: Users inadvertently passing sensitive data to LoginAttempt

More info at https://www.silverstripe.org/download/security-releases/ss-2017-009/...

Friends Of PHP•added 2017/12/07 1:27 p.m.•10 views

SS-2017-008: SQL injection in full text search of SilverStripe 4

More info at https://www.silverstripe.org/download/security-releases/ss-2017-008/...

Friends Of PHP•added 2017/09/28 3:37 p.m.•10 views

SS-2017-005: User enumeration via timing attack on login and password reset forms

More info at https://www.silverstripe.org/download/security-releases/ss-2017-005/...

Friends Of PHP•added 2017/09/05 11:37 a.m.•10 views

Cross-Site Scripting in TYPO3 CMS Backend

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-004/...

Friends Of PHP•added 2017/04/12 5:0 p.m.•10 views

Flow Bugfix Releases for Entity Security

More info at https://www.neos.io/blog/flow-bugfix-releases-for-entity-security.html...

Friends Of PHP•added 2017/02/28 10:23 a.m.•10 views

Authentication Bypass in TYPO3 Frontend

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-002/...

Friends Of PHP•added 2017/02/07 12:0 a.m.•10 views

SUPEE-9652 - Remote Code Execution using mail vulnerability

More info at https://magento.com/security/patches/supee-9652...

Friends Of PHP•added 2016/12/19 10:44 p.m.•10 views

Potential remote code execution in zend-mail via Sendmail adapter

More info at https://framework.zend.com/security/advisory/ZF2016-04...

Friends Of PHP•added 2016/11/01 5:0 p.m.•10 views

Time-Based Information Disclosure Vulnerability in Flow

More info at https://www.neos.io/blog/flow-sa-2016-001.html...

Friends Of PHP•added 2016/09/27 8:6 a.m.•10 views

ImageMagick driver does not escape all shell arguments.

More info at https://fuelphp.com/security-advisories...

0.4AI score

Friends Of PHP•added 2016/07/13 12:17 p.m.•10 views

Cross-Site Scripting in TYPO3 Backend

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-021...

Friends Of PHP•added 2016/04/13 5:30 p.m.•10 views

Potential Insufficient Entropy Vulnerability in ZF1

More info at https://framework.zend.com/security/advisory/ZF2016-01...

Friends Of PHP•added 2016/03/16 12:0 a.m.•10 views

Uses insecure CSPRNG (openssl_random_pseudo_bytes())

It's not fork safe - In most versions of PHP, it lies about being secure - And today I learned that OpenSSL, by default i.e. unchangable from PHP land uses MD5 as a CSPRNG thanks @atoponce I'm stuck between several possible avenues: - Release a new version v1.3.0 or most likely v2.0.0 that...

7.1AI score

Friends Of PHP•added 2016/02/23 12:28 p.m.•10 views

Cross-Site Scripting in TYPO3 component CSS styled content

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-007/...

Friends Of PHP•added 2016/02/23 12:28 p.m.•10 views

XML External Entity (XXE) Processing in TYPO3 Core

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-005/...

Friends Of PHP•added 2016/02/16 12:32 p.m.•10 views

Cross-Site Scripting in form component

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-004/...

Friends Of PHP•added 2015/11/23 9:3 p.m.•10 views

XSS vulnerabilities in Neos

More info at https://www.neos.io/blog/neos-sa-2015-002.html...

Friends Of PHP•added 2015/11/23 9:24 a.m.•10 views

Arbitrary file upload and XML External Entity processing

More info at https://www.neos.io/blog/flow-sa-2015-001.html...

Friends Of PHP•added 2015/11/23 9:24 a.m.•10 views

Arbitrary file upload and XML External Entity processing

More info at https://www.neos.io/blog/flow-sa-2015-001.html...

Friends Of PHP•added 2015/07/01 2:16 p.m.•10 views

Cross-Site Scripting exploitable by Editors

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-004/...

Friends Of PHP•added 2015/07/01 2:16 p.m.•10 views

Brute Force Protection Bypass in backend login

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-006/...

Friends Of PHP•added 2015/07/01 9:10 a.m.•10 views

Access bypass when editing file metadata

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-002/...

Friends Of PHP•added 2015/05/28 1:5 p.m.•10 views

SS-2015-014: Vulnerability on 'isDev', 'isTest' and 'flush' $_GET validation

More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-014/...

Friends Of PHP•added 2015/04/29 12:43 a.m.•10 views

XXE Vulnerability

Security: XML filescan in XML-based Readers to prevent XML Entity Expansion XEE see http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion for an explanation of XEE injection attacks...

6.5AI score0.00471EPSS

Friends Of PHP•added 2015/03/20 7:29 p.m.•10 views

SS-2016-015: XSS In OptionsetField and CheckboxSetField

More info at https://www.silverstripe.org/download/security-releases/ss-2016-015/...

Friends Of PHP•added 2015/03/20 7:29 p.m.•10 views

SS-2016-014: Pre-existing alc_enc cookies log users in if remember me is disabled

More info at https://www.silverstripe.org/download/security-releases/ss-2016-014/...

Friends Of PHP•added 2015/03/10 7:41 a.m.•10 views

Critical vulnerabilities in JSON Web Token libraries

More info at https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/...

Friends Of PHP•added 2015/02/12 3:55 p.m.•10 views

SS-2015-005: VirtualPage XSS

More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-005/...

Friends Of PHP•added 2015/01/16 6:44 a.m.•10 views

XSS vulnerability in login redirect param

Security advisory: XSS vulnerability in login redirect param ScnSocialAuth version 1.15.2 has been released and includes a security for this vulnerability. Fix has been applied in https://github.com/SocalNick/ScnSocialAuth/commit/4a00966c41bc37251586d007564c5c891eba3700 Affected versions All...

6.2AI score

Friends Of PHP•added 2015/01/14 10:0 p.m.•10 views

Session validation vulnerability

More info at https://framework.zend.com/security/advisory/ZF2015-01...

Friends Of PHP•added 2014/04/29 11:30 a.m.•10 views

SecurityComponent cross form submission issue

More info at https://bakery.cakephp.org/2014/04/29/CakePHP-1-3-18-and-2-4-8-released.html...

Friends Of PHP•added 2014/02/26 4:2 p.m.•10 views

Potential XSS vector in multiple view helpers

More info at https://framework.zend.com/security/advisory/ZF2014-03...

Friends Of PHP•added 2013/05/16 6:27 p.m.•10 views

Authentication Vulnerability - possible attempt to login via zero-valued password credential

Security advisory: zero-valued authentication credentials vulnerability DoctrineModule version 0.7.2 has been just released and includes a security fix for 248 via @5f79a9f7b and @78018ef568, Affected versions All versions below 0.7.2 are affected. dev-master and 0.8.x are not affected starting...

7.5AI score

Friends Of PHP•added 2012/11/27 7:9 p.m.•10 views

Request::getClientIp() when the trust proxy mode is enabled

More info at https://symfony.com/blog/security-release-symfony-2-0-19-and-2-1-4...

Friends Of PHP•added 2012/09/20 3:22 p.m.•10 views

Potential XSS Vectors in Multiple Zend Framework 2 Components

More info at https://framework.zend.com/security/advisory/ZF2012-03...

Friends Of PHP•added 2012/08/20 5:50 p.m.•10 views

Local file disclosure via XXE injection in Zend_XmlRpc

More info at https://framework.zend.com/security/advisory/ZF2012-01...

Friends Of PHP•added 2011/09/25 5:37 p.m.•10 views

SQL injection possibility

More info at https://www.doctrine-project.org/blog/doctrine-security-fix.html...

Friends Of PHP•added 2010/04/01 3:22 p.m.•10 views

Potential Security Issues in Bundled Dojo Library

More info at https://framework.zend.com/security/advisory/ZF2010-07...

Vulnerability to bypass two-factor authentication with remember-me option

Bundle version: 4.10.0 Symfony version: 3.4.31 Description Bypass 2fa by rememberme cookie To Reproduce We have a login form with rememberme checkbox functionality, When using the checkbox, symfony creates a cookie "REMEMBERME". That moment we get redirected to the 2fa-auth page. We have no acces...

7AI score

CVE-2026-45071: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true

More info at https://symfony.com/cve-2026-45071...

5.8AI score0.00052EPSS

CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content

More info at https://symfony.com/cve-2026-48761...

5.8AI score0.00051EPSS

3.1CVSS6.6AI score0.00465EPSS

CVE-2024-50343: Incorrect response from Validator when input ends with ` `

More info at https://symfony.com/cve-2024-50343...

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005

More info at https://www.drupal.org/sa-core-2021-005...