TYPO3-CORE-SA-2022-004: Cross-Site Scripting in Frontend Login Mailer
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-004...
Server-Side Request Forgery (SSRF)
Impact Releases prior to 3.0.2 are vulnerable to a Server-Side Request Forgery vulnerability that allows an attacker to send a request to an internal hostname. Patches 3.0.2 contains a fix for this vulnerability. The 1.x and 2.x releases are not maintained anymore. Part of the fix requires applyi...
CVE-2021-32693: Authentication granted to all firewalls instead of just one
More info at https://symfony.com/cve-2021-32693...
RCE affecting Windows hosts via UNC paths to translation files
This is a security release. SECURITY Fixes CVE-2021-34551, a complex RCE affecting Windows hosts. See SECURITY.md for details. The fix for this issue changes the way that language files are loaded. While they remain in the same PHP-like format, they are processed as plain text, and any code in th...
PRODSECBUG-2301: Names of disabled products can be leaked due to inadequate validation checks
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...
PRODSECBUG-2095: Defense-in-depth session validation check implemented
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...
XXE/XEE vector when using ZendXml on multibyte payloads
More info at https://framework.zend.com/security/advisory/ZF2015-06...
Highly critical - Remote Code Execution
More info at https://www.drupal.org/SA-CORE-2019-003...
Denial of service caused by infinite recursion when parsing SVG images
More info at https://nvd.nist.gov/vuln/detail/CVE-2023-50262...
CVE-2022-39284: Config\Cookie Secure or HttpOnly flag not set in CodeIgniter4
Impact Setting $secure or $httponly value to true in Config\Cookie is not reflected in setcookie or Response::setCookie. Note This vulnerability does not affect session cookies. The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie. php...
CVE-2022-21715: XSS Vulnerability in API\ResponseTrait in CodeIgniter4
Impact A Cross-Site Scripting (XSS) vulnerability was found in API\ResponseTrait in CodeIgniter4. Attackers can perform XSS attacks if you are using API\ResponseTrait. Patches Upgrade to v4.1.8 or later. Workarounds Do one of the following: 1. Do not use API\ResponseTrait nor ResourceController 2. Disable...
CVE-2022-38724 - XSS in shortcodes
More info at https://www.silverstripe.org/download/security-releases/cve-2022-38724...
Untrusted code may be run from an overridden address validator
This is a security release. SECURITY Fixes CVE-2021-34551, a complex RCE affecting Windows hosts. See SECURITY.md for details. The fix for this issue changes the way that language files are loaded. While they remain in the same PHP-like format, they are processed as plain text, and any code in th...
CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms
More info at https://symfony.com/cve-2021-21424...
Improper Certificate Validation in phpseclib
No description provided...
Deserialization Gadget chain in Swift Mailer
Summary Symfony 1 has a gadget chain due to a vulnerable Swift Mailer dependency that would enable an attacker to get remote code execution if a developer unserializes user input in their project. Details This vulnerability presents no direct threat but is a vector that will enable remote code executio...
XSS relating to the transformation feature
More info at https://www.phpmyadmin.net/security/PMASA-2020-5/...
PRODSECBUG-2275: Unsafe functionality is exposed via email templates manipulation
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...
PRODSECBUG-2270: Reflected cross-site scripting in the admin panel
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.
Changes from previous version. All previous changes are here. - VD:abstract fix animated image conversion on ImageMagick - Security,VD:abstract CVE-2019-9194 fix command injection vulnerability of PHP connector. Special thanks to Thomas Chauchefoin (Synacktiv) for reporting this vulnerability...
Cross-Site Scripting in Bootstrap CSS toolkit
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-006...
Remote Code Execution
Important security update! This release patches the critical vulnerability described in CVE-2016-10045, a remote code execution vulnerability, responsibly reported by Dawid Golunski and patched by Paul Buonopane (@Zenexer). Possible side effect: complex sender addresses such as those used in VERP...
HTTP Proxy header vulnerability
More info at https://twitter.com/asyncphp/status/755136084917583872...
Exploit in the private channel authentication
More info at https://blog.pusher.com/update-on-security/...
CVE-2020-15143: Remote Code Execution in ParametersParser while using request parameters inside expression language
Impact Request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. The vulnerable versions...
Drupal core - Critical - Remote code execution - SA-CORE-2020-012
More info at https://www.drupal.org/sa-core-2020-012...
CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters
More info at https://symfony.com/cve-2023-46734...
CVE-2023-46733: Potential XSS in WebhookController
More info at https://symfony.com/cve-2023-46733...
Test code in published microsoft-graph-core package exposes phpinfo()
More info at https://nvd.nist.gov/vuln/detail/CVE-2023-49283...
TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering
More info at https://typo3.org/security/advisory/typo3-core-sa-2023-001...
Cross site scripting via canonical URL
More info at https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html...
CVE-2021-41270: Prevent CSV Injection via formulas
More info at https://symfony.com/cve-2021-41270...
TYPO3-CORE-SA-2021-008: Cross-Site Scripting in Content Preview
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-008...
Remote code execution
Hello, as discussed by email, this fixes a serious vulnerability. Hopefully my code is OK-ish...
CVE-2020-15227: Potential Remote Code Execution vulnerability
More info at https://blog.nette.org/en/cve-2020-15227-potential-remote-code-execution-vulnerability...
Relative Path Traversal (CWE-23) in chunked uploads
Impact The vulnerability was identified in the web service for a chunked file upload. While the names of the POST parameters vary with the used frontend, their values are always used in the same way to build a path where the chunks are stored and assembled temporarily. By not validating these...
Unexpected bindings in QueryBuilder
More info at https://blog.laravel.com/security-laravel-62011-7302-8221-released...
XSS vulnerability with double-encoded entities
An XSS vulnerability CVE-2019-10010 has been identified in all previous versions of this library 0.18.2 and below. The issue has been fixed in version 0.18.3. All users should upgrade to version 0.18.3 immediately. Additionally, if your application caches the resulting HTML, please purge and/or...
Highly critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-002...
CVE-2017-16653: CSRF protection does not use different tokens for HTTP and HTTPS
More info at https://symfony.com/cve-2017-16653...
CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an empty password
More info at https://symfony.com/cve-2016-2403...
Security Misconfiguration Vulnerability in the AWS SDK for PHP
SECURITY FIX: This release addresses a security issue associated with CVE-2015-5723; specifically, it fixes improper default directory umask behavior that could potentially allow unauthorized modifications of PHP code. Thanks to @ryan-lane for the initial report. Aws\Ec2 - Added support for...
Routes behind a firewall are accessible even when not logged in
More info at https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released...
CVE-2019-18886: Prevent user enumeration using switch user functionality
More info at https://symfony.com/cve-2019-18886...
Unrestricted file uploads
More info at https://contao.org/en/security-advisories/unrestricted-file-uploads.html...
TYPO3-EXT-SA-2023-007: Broken Access Control in extension "hCaptcha for EXT:form" (hcaptcha)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-007...
TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-016...
CVE-2022-38147 - XSS via uploaded gpx file
More info at https://www.silverstripe.org/download/security-releases/cve-2022-38147...