Lucene search
K
FriendsofphpMost viewed

1702 matches found

Friends Of PHP
Friends Of PHP
added 2015/12/15 11:38 a.m.11 views

Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-011/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/11/23 9:3 p.m.11 views

XSS vulnerabilities in Neos

More info at https://www.neos.io/blog/neos-sa-2015-002.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/11/23 9:24 a.m.11 views

Arbitrary file upload and XML External Entity processing

More info at https://www.neos.io/blog/flow-sa-2015-001.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/08/03 12:55 p.m.11 views

State guessing vulnerability

By doing this we're protecting against people trying to guess the state...

7AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/07/26 7:42 p.m.11 views

Critical SQL injection bug in the ODBC database driver

More info at https://forum.codeigniter.com/thread-65803.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/07/01 2:16 p.m.11 views

Cross-Site Scripting exploitable by Editors

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-004/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/04/29 12:43 a.m.11 views

XXE Vulnerability

Security: XML filescan in XML-based Readers to prevent XML Entity Expansion XEE see http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion for an explanation of XEE injection attacks...

6.5AI score0.00471EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/03/20 7:29 p.m.11 views

SS-2016-014: Pre-existing alc_enc cookies log users in if remember me is disabled

More info at https://www.silverstripe.org/download/security-releases/ss-2016-014/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/03/20 7:29 p.m.11 views

SS-2016-008: Password encryption salt expiry

More info at https://www.silverstripe.org/download/security-releases/ss-2016-008/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/01/14 10:0 p.m.11 views

Session validation vulnerability

More info at https://framework.zend.com/security/advisory/ZF2015-01...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2014/12/29 1:23 p.m.11 views

Header injection in NativeMailerHandler

Hopefully attacker controlled data is never used to set the encoding or content type, but just in case, prevent: $nmh = new NativeMailerHandler$to, $subject, $from; $nmh-setEncoding "utf-8\r\nFrom: [email protected]"; Since the injection happened in send, there doesn't seem to be a good way to a...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2014/06/13 11:45 a.m.11 views

Sendmail transport arbitrary shell execution

More info at http://blog.swiftmailer.org/post/88660759928/security-fix-swiftmailer-5-2-1-released...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2014/05/22 7:34 a.m.11 views

The ExtJS JavaScript framework that is shipped with TYPO3 is susceptible to XSS

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2014/04/26 8:4 p.m.11 views

Authentication adapter did not verify validity of tokens

Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a release 0.1.2, tokens weren't checked for validity/expiration. This potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials...

7.4AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2014/02/26 4:2 p.m.11 views

Potential XSS vector in multiple view helpers

More info at https://framework.zend.com/security/advisory/ZF2014-03...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2014/02/26 4:2 p.m.11 views

Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse

More info at https://framework.zend.com/security/advisory/ZF2014-01...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2013/05/16 6:27 p.m.11 views

Authentication Vulnerability - possible attempt to login via zero-valued password credential

Security advisory: zero-valued authentication credentials vulnerability DoctrineModule version 0.7.2 has been just released and includes a security fix for 248 via @5f79a9f7b and @78018ef568, Affected versions All versions below 0.7.2 are affected. dev-master and 0.8.x are not affected starting...

7.5AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2012/11/27 7:9 p.m.11 views

Request::getClientIp() when the trust proxy mode is enabled

More info at https://symfony.com/blog/security-release-symfony-2-0-19-and-2-1-4...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2012/09/20 3:22 p.m.11 views

Potential XSS Vectors in Multiple Zend Framework 2 Components

More info at https://framework.zend.com/security/advisory/ZF2012-03...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2012/08/20 5:50 p.m.11 views

Local file disclosure via XXE injection in Zend_XmlRpc

More info at https://framework.zend.com/security/advisory/ZF2012-01...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2012/02/24 1:26 p.m.11 views

XML decoding attack vector through external entities

More info at https://symfony.com/blog/security-release-symfony-2-0-11-released...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2011/09/25 5:37 p.m.11 views

SQL injection possibility

More info at https://www.doctrine-project.org/blog/doctrine-security-fix.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2010/04/01 3:22 p.m.11 views

Potential Security Issues in Bundled Dojo Library

More info at https://framework.zend.com/security/advisory/ZF2010-07...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

Padding Oracle Vulnerability in RSA Encryption

See https://framework.zend.com/security/advisory/ZF2015-10 it's essentially the same vulnerability...

7.1AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener

More info at https://symfony.com/cve-2026-45077...

5.8AI score0.01261EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

More info at https://symfony.com/blog/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface...

5.8AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content

More info at https://symfony.com/cve-2026-48761...

5.8AI score0.00051EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

CVE-2026-45072: Stored XSS in WebProfiler CodeExtension::fileExcerpt(): Unescaped Non-PHP File Rendering

More info at https://symfony.com/cve-2026-45072...

5.8AI score0.00062EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

CVE-2024-50343: Incorrect response from Validator when input ends with ` `

More info at https://symfony.com/cve-2024-50343...

3.1CVSS6.6AI score0.00465EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex

More info at https://symfony.com/cve-2026-45305...

5.8AI score0.00076EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

External URL injection through URL aliases - Moderately Critical - Open Redirect

More info at https://www.drupal.org/sa-core-2018-006...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

Content moderation - Moderately critical - Access bypass

More info at https://www.drupal.org/sa-core-2018-006...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

External URL injection through URL aliases - Moderately Critical - Open Redirect

More info at https://www.drupal.org/sa-core-2018-006...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013

More info at https://www.drupal.org/sa-core-2020-013...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005

More info at https://www.drupal.org/sa-core-2021-005...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

Laravel CRLF injection in default email rule

Summary A CRLF injection vulnerability in Laravel's email validation, in combination with how Symfony Mailer and Symfony Mime handle certain character sequences, may allow an unauthenticated attacker to interfere with outbound email processing in applications that send mail to user-supplied...

5.2AI score0.00048EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.11 views

CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes

More info at https://symfony.com/cve-2026-48489...

5.8AI score0.00058EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/06/19 7:21 a.m.10 views

symfony/ux-toolkit Path Traversal allows arbitrary file write and read via crafted recipe manifest

Description The ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map. The only guard against malicious paths was Path::isRelative, which returns true for paths like ../../../etc. Path::join then resolves the .. segments without complaint, so the...

7.8CVSS6.1AI score0.00146EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/06/09 8:57 a.m.10 views

TYPO3-CORE-SA-2026-009: Open Redirect in TYPO3 CMS

More info at https://typo3.org/security/advisory/typo3-core-sa-2026-009...

5.3CVSS5.4AI score0.00294EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/06/06 4:26 p.m.10 views

PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service

Impact When a JWE uses a password-based key-encryption algorithm PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW, PBES2AESKW::unwrapKey reads the p2c PBKDF2 iteration count parameter directly from the attacker-controlled JOSE header and passes it to hashpbkdf2 with no upper bound. The...

5.6AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/01/27 5:21 a.m.10 views

Unsafe Deserialization in PHPT Code Coverage Handling

Overview A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious...

7.8CVSS6.7AI score0.00343EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2022/02/04 8:13 a.m.10 views

Possible SQL injection in widget field value

Impact The currently selected widget values were not correctly sanitized before passing it to the database, leading to an SQL injection possibility. Patches The issue has been patched in tablelookupwizard version 3.3.5 and version 4.0.0. For more information If you have any questions or comments...

5.8AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2020/07/06 2:8 p.m.10 views

Potentially sensitive data exposure

Description Impact Inside Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::onPublish, messages are arbitrarily broadcasted to the related Topic if Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::dispatch does not succeed. The dispatch method can be considered to...

1.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2020/05/04 2:50 p.m.10 views

Insecure default secret key and IV allowing anyone to decrypt values

This issue has been deleted...

7.1AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2020/04/21 12:7 p.m.10 views

EZSA-2020-003 XSS in DemoBundle/ezdemo bundled VideoJS

More info at https://ezplatform.com/security-advisories/ezsa-2020-003-xss-in-demobundle-ezdemo-bundled-videojs...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2020/03/13 1:52 p.m.10 views

XSS vulnerability in blade templating

More info at https://github.com/laravel/framework/pull/31945...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/12/17 9:50 a.m.10 views

Cross-Site Scripting in Link Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-022...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/12/17 9:50 a.m.10 views

Cross-Site Scripting in Link Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-022...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/10/08 12:0 a.m.10 views

PRODSECBUG-2422: Cross-Site Scripting via Email Template Name

More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...

5.4CVSS7.2AI score0.00556EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/07/08 12:27 p.m.10 views

Vulnerability to bypass two-factor authentication with unverified JWT trusted device token

Before version 3.7 the bundle is vulnerable to a security issue in JWT, which can be exploited by an attacker to generate trusted device cookies on their own, effectively by-passing two-factor authentication. Please either disable the trusted feature in your application or upgrade to a bundle...

6.9AI score
Exploits0Affected Software1
Total number of security vulnerabilities1702