XML External Entity (XXE) issue
disable external XML entities and libxml errors thanks to Kousuke Ebihara for the report and patch...
Ability to enable/disable PHP parsing in Yaml::parse()
More info at https://symfony.com/blog/security-release-symfony-2-0-22-and-2-1-7-released...
Deserialization of Untrusted Data
Description: This affects the package codeception/codeception from 4.0.0 before 4.1.22 and before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializing user input without validation. References...
Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
I'm afraid this change is wrong. file_exists is not the only...
Denial of Service via HTTP/2 CONTINUATION Frames
Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1...
CVE-2019-10909: Escape validation messages in the PHP templating engine
More info at https://symfony.com/cve-2019-10909...
CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters
More info at https://symfony.com/cve-2023-46734...
CVE-2023-46733: Possible session fixation
More info at https://symfony.com/cve-2023-46733...
Unrestricted file uploads
More info at https://contao.org/en/security-advisories/unrestricted-file-uploads.html...
ReactPHP's HTTP server continues parsing unused multipart parts after reaching limits
Summary: Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the...
Dompdf vulnerable to URI validation failure on SVG parsing
Summary: The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing tags with uppercase letters. This might lead to arbitrary object unserialization on PHP tags, in src/Image/Cache.php: if ($type === "svg") { $parser = xml_parser_create("utf-8"); xml_parser_set_option($parser, ...
TYPO3-EXT-SA-2023-001: Broken Access Control in extension "femanager" (femanager)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-001...
smarty_function_mailto - JavaScript injection in eval function
I found a bug in the Smarty package, specifically in the smarty_function_mailto($params) function. Remote exploitation of such vulnerability is unlikely, but it is still advisable to take it into account. A web page that uses this function and that could be parameterized using GET or POST input...
TYPO3-CORE-SA-2022-008: Missing check for expiration time of password reset token for backend users
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-008...
Path Traversal within joomla/archive tar class
More info at https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html...
Remote code injection via remote fonts
Dompdf is an HTML to PDF converter. Dompdf before 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement within an HTML input file...
CVE-2022-21647: Deserialization of Untrusted Data in Codeigniter4
Impact: Deserialization of Untrusted Data was found in the old() function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection...
CVE-2022-37430 - Stored XSS using uppercase characters in HTMLEditor
More info at https://www.silverstripe.org/download/security-releases/cve-2022-37430...
CVE-2022-38148 - Blind SQL Injection via GridFieldSortableHeader
More info at https://www.silverstripe.org/download/security-releases/cve-2022-38148...
Image upload bypass
By default Debian includes support for executing .phar files alongside .php and .phtml files, and it should be included in the blocked list. See: https://salsa.debian.org/php-team/php/-/blob/debian/main/7.4/debian/php-cgi.conf#L5-7 This should also be backported into all currently supported versions ...
TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator & Query View
More info at https://typo3.org/security/advisory/typo3-core-sa-2021-010...
CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms
More info at https://symfony.com/cve-2021-21424...
Insecure Deserialization of untrusted data
Description/Impact: Unserialization of untrusted data. Patches: The issue has been patched and users of Requests 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. References: Publications about the vulnerability:...
CVE-2020-15227: Potential Remote Code Execution vulnerability
More info at https://blog.nette.org/en/cve-2020-15227-potential-remote-code-execution-vulnerability...
TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-004...
CVE-2020-5275: All rules set in "access_control" are required when the firewall is configured with the unanimous strategy
More info at https://symfony.com/cve-2020-5275...
PRODSECBUG-2344: Cross-Site Scripting via wysiwyg editor
More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...
PRODSECBUG-2226: Stored cross-site scripting in the admin panel
More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...
API responses for unpatrolled or (not) autopatrolled recent changes require privileges but may be cached publicly
More info at https://phabricator.wikimedia.org/T212118...
The CSRF token check can be bypassed
More info at https://contao.org/en/news/security-vulnerability-cve-2019-10642.html...
CVE-2018-11406: CSRF Token Fixation
More info at https://symfony.com/cve-2018-11406...
Trusted-Directory Bypass via Path Traversal
Smarty Trusted-Directory Bypass via Path Traversal
Vulnerability Overview
Smarty 3.1.32 or below is prone to a path traversal vulnerability due to insufficient sanitization of code in Smarty templates. This allows attackers controlling the Smarty template to bypass the trusted directory...
External link injection on 404 pages when linking to the current page.
More info at https://www.drupal.org/SA-CORE-2018-001...
CVE-2017-16654: Intl bundle readers breaking out of paths
More info at https://symfony.com/cve-2017-16654...
Drupal Core - Highly Critical - Injection - SA-CORE-2016-003
More info at https://www.drupal.org/SA-CORE-2016-003...
HTTP Proxy header vulnerability
Addressing the HTTP_PROXY security vulnerability, CVE-2016-5385: https://httpoxy.org/. Please update to this version of Guzzle in order to mitigate the vulnerability when sending Guzzle requests inside of a CGI application. - Fixing timeout bug with StreamHandler - Only read up to Content-Length in...
Reflected file download vulnerability
More info at https://www.drupal.org/SA-CORE-2016-001...
Local File Disclosure
SECURITY: Fix CVE-2017-5223, a local file disclosure vulnerability if content passed to msgHTML is sourced from unfiltered user input. Reported by Yongxiang Li of Asiasecurity. The fix for this means that calls to msgHTML without a $basedir will not import images with relative URLs, and relative...
Remote Code Execution (complement of CVE-2014-2383)
This release is superseded by version 0.7.0 This is a security-focused release that addresses a number of vulnerabilities that can expose your system to exploitation. In tandem with this release we have also posted a document to the wiki with advice for securing dompdf. Please read the new docume...
PHP remote file inclusion vulnerability in dompdf.php
This release is superseded by version 0.7.0 This is a security-focused release that addresses a number of vulnerabilities that can expose your system to exploitation. In tandem with this release we have also posted a document to the wiki with advice for securing dompdf. Please read the new docume...
XML External Entity (XXE) issue
thanks to Kousuke Ebihara for the report and patch...
Drupal core - Critical - Remote code execution - SA-CORE-2020-012
More info at https://www.drupal.org/sa-core-2020-012...
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
More info at https://www.drupal.org/sa-core-2020-009...
Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-004...
Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005
More info at https://www.drupal.org/sa-core-2019-005...
RCE vulnerability in "cookie" session driver
More info at https://blog.laravel.com/laravel-cookie-security-releases...
CVE-2019-18887: Use constant time comparison in UriSigner
More info at https://symfony.com/cve-2019-18887...
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
More info at https://www.drupal.org/sa-core-2020-007...
Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs
Summary: Composer leaks the full contents of tokens configured as GitHub OAuth tokens to stderr if they do not match Composer's expected format for such tokens. GitHub has introduced a new format for GitHub Actions GITHUB_TOKEN values. These tokens are validated in the same way by Composer on GitHu...
TYPO3-EXT-SA-2025-008: Multiple vulnerabilities in extension "Front End User Registration" (sr_feuser_register)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2025-008...