1702 matches found
Confirming an opt-in token does not invalidate previous opt-in tokens
More info at https://contao.org/en/news/security-vulnerability-cve-2019-10643.html...
XSS vulnerability with unsafe link protocols
An XSS vulnerability CVE-2018-20583 has been identified in the following versions of this library: 0.15.6 0.15.7 0.16.0 0.17.0 0.17.1 0.17.2 0.17.3 0.17.4 0.17.5 0.18.0 It allows unsafe URLs to be added to links. The issue has been fixed in version 0.18.1. All users should upgrade to version 0.18...
Cross-Site Scripting in CKEditor
More info at https://typo3.org/security/advisory/typo3-core-sa-2018-005...
RCE vulnerability in phpunit
More info at https://nvd.nist.gov/vuln/detail/CVE-2017-9841...
Highly critical - Remote Code Execution
More info at https://www.drupal.org/SA-CORE-2019-003...
SQL injection vulnerabililty in the file manager search filter
More info at https://contao.org/en/news/security-vulnerability-cve-2019-11512.html...
Existing sessions are not correctly invalidated when a user changes their password
More info at https://contao.org/en/news/security-vulnerability-cve-2019-10641.html...
Information disclosure in the back end
More info at https://contao.org/en/security-advisories/information-disclosure-in-the-back-end.html...
Deserialization of Untrusted Data in timber/timber
Summary Timber is vulnerable to PHAR deserialization due to a lack of checking the input before passing it into the fileexists function. If an attacker can upload files of any type to the server, he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP...
PHAR deserialization allowing remote code execution
Description Description snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the fileexists function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and...
TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-015...
TYPO3-CORE-SA-2022-009: Stored Cross-Site Scripting via FileDumpController
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-009...
ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent
Impact In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like Host- and Secure- confused with cookies that decode to such prefix, thus leading to an attacker...
TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator & Query View
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-010...
TYPO3-CORE-SA-2020-010: Cross-Site Scripting in Fluid view helpers
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-010...
XSS relating to the transformation feature
More info at https://www.phpmyadmin.net/security/PMASA-2020-5/...
TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-002...
CVE-2020-5274: Fix Exception message escaping rendered by ErrorHandler
More info at https://symfony.com/cve-2020-5274...
PRODSECBUG-2440: Information disclosure through processing of external XML entities
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2426: Cross-Site Scripting via store name
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2125: Deletion of Blocks via cross-site request forgery (CSRF)
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...
XSS vulnerability in code example
SECURITY Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The codegenerator.phps example did not filter user input prior to output. This file is distributed with a .phps extension, so it it not normally executable unless it is explicitly renamed, so it is safe by default. There...
JSON Data encoded for use in HTML was not safe to use in IE6/IE7, possible XSS attacks
More info at https://www.yiiframework.com/news/86/yii-2-0-4-is-released/...
TYPO3-EXT-SA-2023-001: Broken Access Control in extension "femanager" (femanager)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-001...
Server-Side Request Forgery (SSRF) and URL Redirection to Untrusted Site ('Open Redirect')
Impact On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack depending on how AllTube is configured. The impact is mitigated by the fact the SSRF attack is only possible when the stream option is...
TYPO3-CORE-SA-2021-012: Information Disclosure in User Authentication
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-012...
PRODSECBUG-2445: Insufficient logging and monitoring of configuration changes
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2444: Missing logs of configuration changes related to design update
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2392: Cross-Site Scripting via PageBuilder Banner
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2408: Unrestricted upload of file with dangerous type
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2489: Cross side scripting during the preview of email templates
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2464: Use of weak cryptographic function
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2270: Reflected cross-site scripting in the admin panel
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
PRODSECBUG-2116: Stored cross-site scripting in the catalog events feature
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...
PRODSECBUG-2187: Cross-site request forgery (CSRF) in checkout cart item
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...
SQL injection vulnerabililty in the back end search filter
More info at https://contao.org/en/news/contao-448.html...
HTTP Proxy header vulnerability
Bug Fixes Removed support for using HTTPPROXY environment variable for non-CLI apps per CVE-2016-5385 httpoxy. Graham Campbell 143 145 Convert BUGSNAGNOTIFYRELEASESTAGES to a comma-delimited array Jason Graham Campbell 142 144...
Highly critical - Remote Code Execution
More info at https://www.drupal.org/SA-CORE-2019-003...
CVE-2019-10913: Reject invalid HTTP method overrides
More info at https://symfony.com/cve-2019-10913...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002
More info at https://www.drupal.org/sa-core-2020-002...
CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters
More info at https://symfony.com/cve-2023-46734...
CVE-2024-51736: Command execution hijack on Windows with Process class
More info at https://symfony.com/cve-2024-51736...
Server-Side Request Forgery (SSRF)
Impact Releases prior to 3.0.2 are vulnerable to a Server-Side Request Forgery vulnerability that allows an attacker to send a request to an internal hostname. Patches 3.0.2 contains a fix for this vulnerability. The 1.x and 2.x releases are not maintained anymore. Part of the fix requires applyi...
CVE-2022-38145 - Stored XSS in Compare Mode
More info at https://www.silverstripe.org/download/security-releases/cve-2022-38145...
CVE-2021-32693: Authentication granted to all firewalls instead of just one
More info at https://symfony.com/cve-2021-32693...
PRODSECBUG-2417: Remote code execution via vulnerable Symphony dependecy injection
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2455: Stored cross-site scripting (XSS) from URL in to product page
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2371: Stored cross-site scripting in the admin panel
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
PRODSECBUG-2369: Stored cross-site scripting in the admin panel
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
PRODSECBUG-2273: Sensitive data disclosure though malicious email templates
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...