Lucene search
K
FriendsofphpMost viewed

1702 matches found

Friends Of PHP
Friends Of PHP
added 2026/05/25 10:58 p.m.8 views

CRLF injection via URI host component

Impact guzzlehttp/psr7 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with GuzzleHttp\Psr7\Message::toString or an equivalent custom serializer. Creating a...

5.3CVSS5.9AI score0.00189EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2020/09/11 2:0 p.m.8 views

IBEXA-SA-2020-006 Object Injection in legacy shop module

More info at https://ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2019/02/12 12:0 p.m.8 views

E-mail HTML injection

More info at https://www.passbolt.com/incidents/20190211multiplevulnerabilities...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/12/11 9:55 a.m.8 views

Security Misconfiguration in Install Tool Cookie

More info at https://typo3.org/security/advisory/typo3-core-sa-2018-009...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/12/11 9:55 a.m.8 views

Cross-Site Scripting in Backend Modal Component

More info at https://typo3.org/security/advisory/typo3-core-sa-2018-007...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/11/20 3:30 p.m.8 views

EZSA-2018-007 User data disclosure

More info at http://share.ez.no/community-project/security-advisories/ezsa-2018-007-user-data-disclosure...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2018/06/11 3:28 p.m.8 views

URL Rewrite vulnerability

More info at https://framework.zend.com/security/advisory/ZF2018-01...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/12/07 1:46 p.m.8 views

SS-2017-010: install.php discloses sensitive data by pre-populating DB credential forms

More info at https://www.silverstripe.org/download/security-releases/ss-2017-010/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/10/29 12:24 p.m.8 views

XSS in class documenting_xmlrpc_server

More info at https://github.com/gggeek/phpxmlrpc-extras/releases/tag/0.6.1...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/05/30 9:58 p.m.8 views

SS-2017-003: XSS in RedirectorPage

More info at https://www.silverstripe.org/download/security-releases/ss-2017-003/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/02/07 12:0 a.m.8 views

SUPEE-9652 - Remote Code Execution using mail vulnerability

More info at https://magento.com/security/patches/supee-9652...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2017/01/19 8:19 a.m.8 views

Remote Code Execution Vulnerability

More info at https://community.shopware.com/detail1989.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/07/19 1:3 p.m.8 views

Cross-Site Scripting in TYPO3 Backend

More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-014/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/05/24 9:55 a.m.8 views

Missing Access Check in TYPO3 CMS

More info at https://typo3.org/teamssecuritysecurity-bulletins/security-bulletins-single-view/article/missing-access-check-in-typo3-cms/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/05/11 11:9 a.m.8 views

SS-2016-006: Missing CSRF protection in login form

More info at https://www.silverstripe.org/download/security-releases/ss-2016-006/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2016/02/18 11:5 a.m.8 views

SS-2016-003: Hostname, IP and Protocol Spoofing through HTTP Headers

More info at https://www.silverstripe.org/download/security-releases/ss-2016-003/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/11/23 9:3 p.m.8 views

XSS vulnerabilities in Neos

More info at https://www.neos.io/blog/neos-sa-2015-002.html...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/11/11 2:31 p.m.8 views

SS-2015-026: Form field validation message XSS vulnerability

More info at https://www.silverstripe.org/download/security-releases/ss-2015-026/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/03/20 7:29 p.m.8 views

SS-2016-013: Member.Name is not escaped

More info at https://www.silverstripe.org/download/security-releases/ss-2016-013/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/03/20 7:29 p.m.8 views

SS-2016-011: ChangePasswordForm does not check Member::canLogIn()

More info at https://www.silverstripe.org/download/security-releases/ss-2016-011/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2015/03/20 3:7 p.m.8 views

SS-2015-010: XSS in Director::force_redirect()

More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-010-xss-in-directorforce-redirect/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2014/08/12 11:50 a.m.8 views

SS-2014-017: XML Quadratic Blowup Attack

More info at https://www.silverstripe.org/software/download/security-releases/ss-2014-017-xml-quadratic-blowup-attack/...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2013/10/31 10:35 a.m.8 views

Potential Remote Address Spoofing Vector in Zend\Http\PhpEnvironment\RemoteAddress

More info at https://framework.zend.com/security/advisory/ZF2013-04...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2012/07/10 5:28 p.m.8 views

Fixes a security issue where the session could be hijacked

Changelog ========= 4.1.0 2026-02-13 Convert XML config files to other formats to fix the deprecation of XML config files in Symfony Add PHP routing files alongside the XML ones. Loading the XML routing files triggers a deprecation in Symfony 7.4. Fix deprecation in the UserChecker Fix the...

5.8AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2010/01/08 5:31 p.m.8 views

Potential XSS vector in Zend_Dojo_View_Helper_Editor

More info at https://framework.zend.com/security/advisory/ZF2010-02...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: javascript: URI Survives Sanitization (XSS)

More info at https://symfony.com/cve-2026-45753...

5.8AI score0.00082EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

Sandbox does not protect against resource exhaustion

More info at https://symfony.com/cve-2026-46627...

5.8AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization

More info at https://symfony.com/cve-2026-48784...

5.8AI score0.00026EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

Sandbox property allowlist bypass via the `column` filter (array_column on objects)

More info at https://symfony.com/cve-2026-46635...

5.8AI score0.00047EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

Reflected Cross-Site-Scripting

More info at https://simplesamlphp.org/security/201907-01...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

Possible sandbox bypass when using a source policy

More info at https://symfony.com/cve-2026-24425...

9.9CVSS5.8AI score0.00738EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-45074: Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay

More info at https://symfony.com/cve-2026-45074...

5.8AI score0.00064EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection

More info at https://symfony.com/cve-2026-45754...

5.8AI score0.00103EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection

More info at https://symfony.com/cve-2026-45755...

5.8AI score0.00026EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")

More info at https://symfony.com/cve-2026-45304...

5.8AI score0.00076EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings

More info at https://symfony.com/cve-2026-45133...

5.8AI score0.00089EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

Drupal core - Moderately critical - Denial of Service

More info at https://www.drupal.org/sa-core-2024-001...

7.2AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense

More info at https://symfony.com/cve-2026-48760...

5.8AI score0.00025EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-45077: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener

More info at https://symfony.com/cve-2026-45077...

5.8AI score0.01261EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization

More info at https://symfony.com/cve-2026-48784...

5.8AI score0.00026EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection

More info at https://symfony.com/cve-2026-45065...

5.8AI score0.0004EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator

More info at https://symfony.com/cve-2026-45063...

5.8AI score0.00069EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 1970/01/01 12:0 a.m.8 views

CVE-2026-45063: Identity Spoofing via Unanchored DN Regex in X509Authenticator

More info at https://symfony.com/cve-2026-45063...

5.8AI score0.00069EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/06/24 4:5 a.m.7 views

CVE-2026-54721 - Remote code execution via userforms email subject

More info at https://www.silverstripe.org/download/security-releases/cve-2026-54721...

5.8AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/06/18 2:12 p.m.7 views

Silent HTTPS proxy downgrade to cleartext

Impact The built-in cURL handlers GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available accept an https:// proxy — a proxy reached over a TLS-encrypted connection — through the proxy request option, client-level proxy...

5.9CVSS5.9AI score0.00106EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/06/18 9:49 a.m.7 views

CRLF injection in HTTP start-line serialization

Impact guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x...

4.8CVSS5.8AI score0.00158EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/06/02 11:38 a.m.7 views

XML injection via CDATA terminator in XML request serialization

Impact guzzlehttp/guzzle-services does not safely serialize scalar XML element values containing the CDATA terminator . The XML request serializer writes values containing , or & with XMLWriter::writeCData$value. If attacker-controlled input contains , the CDATA section closes early and the...

5.8CVSS5.8AI score0.00219EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/31 9:8 a.m.7 views

Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError

Summary OTPHP\Factory::loadFromProvisioningUri parses an attacker-supplied otpauth:// URI and forwards every query key to OTP::setParameter$key, $value. setParameter resolves the name with propertyexists$this, $parameter and performs a dynamic write $this-$parameter = $value src/OTP.php:196-197...

5.3AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/05/31 9:6 a.m.7 views

Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation

Summary The digits parameter parsed from a provisioning URI is validated only with a lower bound $value 0 and has no upper bound src/OTP.php:353-357. OTP generation computes $code % 10 $this-getDigits src/OTP.php:283. When digits is large enough that 10 digits overflows PHP's integer range and th...

5.4AI score
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
added 2025/01/06 7:15 p.m.7 views

Insufficient nonce entropy

Impact Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.phpL192. This can leave servers vulnerable to replay attacks when TLS is not used. Patches Upgrade to version 0.8.1 or higher...

6.3CVSS5.8AI score0.00595EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1702