Lucene search
K
FriendsofphpMost viewed

1702 matches found

Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•34 views

Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005

More info at https://www.drupal.org/sa-core-2019-005...

5.4CVSS7.2AI score0.01048EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•35 views

Unrestricted file uploads

More info at https://contao.org/en/security-advisories/unrestricted-file-uploads.html...

8.8CVSS7.2AI score0.01108EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•34 views

Cross-site scripting (XSS) vulnerability in the system log

More info at https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021.html...

6.1CVSS7.2AI score0.0074EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•34 views

Cross site scripting via HTML attributes in the back end

More info at https://contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html...

4.8CVSS7.2AI score0.00557EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•34 views

CVE-2020-5220: Ability to define unintended serialisation groups via HTTP header which might lead to data exposure

Impact ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's...

5.3CVSS4.9AI score0.00737EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•34 views

CVE-2020-15146: Remote Code Execution in OptionsParser while using request parameters inside expression language

Impact Request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. The vulnerable versions...

9.6CVSS9.3AI score0.02149EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2024/06/08 8:35 a.m.•33 views

TYPO3-EXT-SA-2024-003: Multiple vulnerabilities in "Events 2" (events2)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2024-003...

5.4CVSS6.8AI score0.0029EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2023/02/28 10:37 a.m.•33 views

CVE-2023-25575: Secured properties may be accessible within collections

Impact Resource properties secured with the security option of the ApiPlatform\Metadata\ApiProperty attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization...

7.7CVSS6.7AI score0.00604EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/12/13 9:19 a.m.•33 views

TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-017...

6.1CVSS7.2AI score0.00438EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•33 views

TYPO3-CORE-SA-2022-002: Information Disclosure via Exception Handling/Logger

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-002...

6.5CVSS7.2AI score0.01047EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/01/04 12:59 a.m.•33 views

CVE-2022-21647: Deserialization of Untrusted Data in Codeigniter4

Description Impact Deserialization of Untrusted Data was found in the old function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL...

7.5CVSS10.1AI score0.37671EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2021/06/07 10:31 p.m.•33 views

CVE-2021-28661 Default GraphQL permission checker not inherited by query subclass

More info at https://www.silverstripe.org/download/security-releases/CVE-2021-28661...

4.3CVSS7.2AI score0.00786EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2021/03/16 8:57 a.m.•33 views

TYPO3-CORE-SA-2021-003: Broken Access Control in Form Framework

More info at https://typo3.org/security/advisory/typo3-core-sa-2021-003...

8.3CVSS8.5AI score0.01606EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2021/03/16 8:57 a.m.•33 views

TYPO3-CORE-SA-2021-001: Open Redirection in Login Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2021-001...

6.1CVSS6.5AI score0.01104EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/07/28 8:18 a.m.•33 views

TYPO3-CORE-SA-2020-007: Potential Privilege Escalation

More info at https://typo3.org/security/advisory/typo3-core-sa-2020-007...

8.1CVSS7.2AI score0.01782EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/05/12 9:21 a.m.•33 views

TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2020-003...

5.4CVSS7.2AI score0.0054EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/02/16 11:54 p.m.•33 views

CVE-2019-19325: XSS through non-scalar FormField attributes

More info at https://www.silverstripe.org/download/security-releases/cve-2019-19325/...

6.1CVSS7.2AI score0.00685EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/01/18 10:13 p.m.•33 views

SQL injection relating to searching

More info at https://www.phpmyadmin.net/security/PMASA-2020-3/...

8CVSS7.2AI score0.02115EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/09/24 5:1 p.m.•33 views

CVE-2019-16409: Secureassets and versionedfiles modules can expose versions of protected files

More info at https://www.silverstripe.org/download/security-releases/cve-2019-16409/...

5.3CVSS7.2AI score0.01203EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/07/16 4:24 p.m.•33 views

Critical - Access bypass

More info at https://www.drupal.org/sa-core-2019-008...

9.8CVSS7.2AI score0.01861EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•33 views

PRODSECBUG-2183: Stored cross-site scripting in admin panel

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...

4.8CVSS7.2AI score0.00557EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•33 views

PRODSECBUG-2300: Information about disabled products can be leaked due to inadequate validation checks

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...

5.3CVSS7.2AI score0.00928EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•33 views

PRODSECBUG-2202: Security bypass via form data injection

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...

8.8CVSS7.2AI score0.01253EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•33 views

PRODSECBUG-2095: Defense-in-depth session validation check implemented

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-33...

7.5CVSS7.2AI score0.01151EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•34 views

PRODSECBUG-2371: Stored cross-site scripting in the admin panel

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...

4.8CVSS7.2AI score0.00557EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•33 views

PRODSECBUG-2222: Deletion of user roles via cross-site request forgery (CSRF)

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...

6.5CVSS7.2AI score0.00439EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•33 views

PRODSECBUG-2339: Arbitrary code execution due to unsafe handling of a carrier gateway

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...

7.2CVSS7.2AI score0.01438EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•33 views

PRODSECBUG-2325: Denial-of-service by forcing a store to respond with a 404 error

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...

7.5CVSS7.2AI score0.01175EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2018/05/29 6:12 p.m.•33 views

PHP Code Injection

phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...

9.8CVSS9.7AI score0.06195EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2018/05/25 11:46 a.m.•33 views

CVE-2018-11406: CSRF Token Fixation

More info at https://symfony.com/cve-2018-11406...

8.8CVSS7.2AI score0.00761EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2017/11/16 3:14 p.m.•33 views

CVE-2017-16652: Open redirect vulnerability on security handlers

More info at https://symfony.com/cve-2017-16652...

6.1CVSS7.2AI score0.00949EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2016/12/23 11:40 p.m.•33 views

Remote Code Execution

SECURITY Critical security update for CVE-2016-10033 please update now! Thanks to Dawid Golunski. - Add ability to extract the SMTP transaction ID from some common SMTP success messages - Minor documentation tweaks...

9.8CVSS9.9AI score0.99714EPSS
Exploits58Affected Software1
Friends Of PHP
Friends Of PHP
•added 2016/07/18 4:1 p.m.•33 views

Drupal Core - Highly Critical - Injection - SA-CORE-2016-003

More info at https://www.drupal.org/SA-CORE-2016-003...

8.1CVSS9.7AI score0.50427EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2016/02/15 6:57 p.m.•33 views

File upload access bypass and denial of service

More info at https://www.drupal.org/SA-CORE-2016-001...

8.1CVSS7.2AI score0.0159EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2014/07/25 10:18 p.m.•33 views

Code injection in the way Symfony implements translation caching in FrameworkBundle

More info at https://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released...

7.2AI score0.0078EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•33 views

CVE-2024-50340: Ability to change environment from query

More info at https://symfony.com/cve-2024-50340...

7.3CVSS6.6AI score0.63422EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•33 views

Denial of Service via HTTP/2 CONTINUATION Frames

Early versions of amphp/http-client with HTTP/2 support v4.0.0-rc10 to 4.0.0 will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the ENDHEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client v4.1.0-rc1...

8.2CVSS7.8AI score0.83244EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2024/11/12 3:29 p.m.•32 views

Laravel environment manipulation via query string

Description When the registerargcargv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. Resolution The framework now ignores argv values for environment detection on...

8.7CVSS5.9AI score0.37981EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2024/01/23 3:15 a.m.•32 views

CVE-2023-49783 No permission checks for editing or deleting records with CSV import form

More info at https://www.silverstripe.org/download/security-releases/CVE-2023-49783...

4.3CVSS7.2AI score0.00341EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2023/04/17 4:0 p.m.•32 views

Improper header validation

Impact Improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. Patches The issue is patched in 1.9.1 and 2.4.5...

7.5CVSS5.8AI score0.01216EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2023/03/22 12:31 p.m.•32 views

TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-003...

6.1CVSS7.2AI score0.00512EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2023/03/15 10:19 p.m.•32 views

CVE-2023-28104 DDOS attack on graphql endpoints

More info at https://www.silverstripe.org/download/security-releases/CVE-2023-28104...

7.5CVSS7.2AI score0.01055EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/12/13 9:18 a.m.•32 views

TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-012...

7.5CVSS7.2AI score0.00686EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/28 10:36 a.m.•32 views

Possibility to load a template outside a configured directory when using the filesystem loader

More info at https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader...

7.5CVSS7.2AI score0.01557EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•32 views

TYPO3-CORE-SA-2022-009: Stored Cross-Site Scripting via FileDumpController

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-009...

6.5CVSS7.2AI score0.00722EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•32 views

TYPO3-CORE-SA-2022-007: User Enumeration via Response Timing

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-007...

5.3CVSS7.2AI score0.00977EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•32 views

TYPO3-CORE-SA-2022-003: Cross-Site Scripting in Form Framework

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-003...

5.4CVSS7.2AI score0.00717EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/05/25 1:19 p.m.•32 views

Cross-domain cookie leakage

Impact Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains...

8.1CVSS7.7AI score0.01239EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/05/17 12:59 p.m.•32 views

PHP Code Injection by malicious block or filename

Impact Template authors could inject php code by choosing a malicous block name or include file name. Sites that cannot fully trust template authors should update asap. Patches Please upgrade to the most recent version of Smarty v3 or v4. Workarounds Is there a way for users to fix or remediate t...

8.8CVSS8.5AI score0.0454EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/02/15 1:54 a.m.•32 views

A cross-site scripting vulnerability

Impact SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+xml were not affected. Patches This issue is fix...

6.2CVSS5.9AI score0.00682EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1702