Lucene search
K
FriendsofphpMost viewed

1702 matches found

Friends Of PHP
Friends Of PHP
•added 2022/05/25 1:19 p.m.•32 views

Cross-domain cookie leakage

Impact Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains...

8.1CVSS7.7AI score0.01239EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/02/15 1:54 a.m.•32 views

A cross-site scripting vulnerability

Impact SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML fetched as text/html was susceptible to cross-site scripting. Plain SVG files fetched as image/svg+xml were not affected. Patches This issue is fix...

6.2CVSS5.9AI score0.00682EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2021/08/10 7:50 a.m.•32 views

TYPO3-CORE-SA-2021-013: Cross-Site Scripting via Rich-Text Content

More info at https://typo3.org/security/advisory/typo3-core-sa-2021-013...

6.1CVSS7.2AI score0.00727EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2021/03/16 8:57 a.m.•32 views

TYPO3-CORE-SA-2021-002: Unrestricted File Upload in Form Framework

More info at https://typo3.org/security/advisory/typo3-core-sa-2021-002...

8.6CVSS8.8AI score0.01631EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2021/01/18 12:0 a.m.•32 views

Allows write operations with Directory Traversal due to inadequate checking of symbolic links

Disallow symlinks to out-of-path filenames...

7.5CVSS7.5AI score0.70595EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/09/02 8:0 a.m.•32 views

CVE-2020-15094: Prevent RCE when calling untrusted remote with CachingHttpClient

More info at https://symfony.com/cve-2020-15094...

8.8CVSS7.2AI score0.03043EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/07/28 8:18 a.m.•32 views

TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure

More info at https://typo3.org/security/advisory/typo3-core-sa-2020-008...

8.8CVSS7.2AI score0.02229EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/05/12 9:21 a.m.•32 views

TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized

More info at https://typo3.org/security/advisory/typo3-core-sa-2020-004...

10CVSS7.2AI score0.01472EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/03/30 2:0 p.m.•32 views

CVE-2020-5274: Fix Exception message escaping rendered by ErrorHandler

More info at https://symfony.com/cve-2020-5274...

5.5CVSS7.2AI score0.01197EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/12/17 9:51 a.m.•32 views

SQL Injection in low-level Query Generator

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-025...

7.2CVSS7.2AI score0.00868EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/10/08 12:0 a.m.•32 views

PRODSECBUG-2407: Remote code execution due to unsafe PHP archieve deserialization in the import functionality

More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...

7.2CVSS7.2AI score0.0238EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/10/08 12:0 a.m.•32 views

PRODSECBUG-2469: Remote Code Execution in email templates

More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...

8.8CVSS7.2AI score0.01919EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/10/08 12:0 a.m.•32 views

PRODSECBUG-2344: Cross-Site Scripting via wysiwyg editor

More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...

5.4CVSS7.2AI score0.00591EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 6:40 a.m.•32 views

Possible deserialization side-effects in symfony/cache

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-016...

7.1CVSS7.2AI score0.02302EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 6:40 a.m.•32 views

Possible deserialization side-effects in symfony/cache

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-016...

7.1CVSS7.2AI score0.02302EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 6:39 a.m.•32 views

Insecure Deserialization in TYPO3 CMS

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-020...

8.8CVSS7.2AI score0.01525EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•32 views

PRODSECBUG-2266: Arbitrary code execution through malicious elastic search module configuration

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...

8.8CVSS7.2AI score0.01954EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•32 views

PRODSECBUG-2226: Stored cross-site scripting in the admin panel

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-23...

4.8CVSS7.2AI score0.00557EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•32 views

PRODSECBUG-2182: Reflected cross-site scripting in the admin panel.

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...

4.8CVSS7.2AI score0.00557EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•32 views

PRODSECBUG-2306: Remote code execution through crafted email templates

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...

7.2CVSS7.2AI score0.02137EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2018/12/20 7:11 p.m.•32 views

Potential RCE if filename starts with phar://

More info at https://pear.php.net/bugs/bug.php?id=23782...

8.8CVSS8.9AI score0.19207EPSS
Exploits5Affected Software1
Friends Of PHP
Friends Of PHP
•added 2016/02/15 6:57 p.m.•32 views

Reflected file download vulnerability

More info at https://www.drupal.org/SA-CORE-2016-001...

8.5CVSS7.2AI score0.02483EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2016/02/15 6:57 p.m.•32 views

Saving user accounts can sometimes grant the user all roles

More info at https://www.drupal.org/SA-CORE-2016-001...

8.1CVSS7.2AI score0.02221EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2014/09/16 10:0 p.m.•32 views

Anonymous authentication in ldap_bind() function of PHP, using null byte

More info at https://framework.zend.com/security/advisory/ZF2014-05...

5CVSS7.2AI score0.02495EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2014/03/10 9:57 p.m.•32 views

PHP remote file inclusion vulnerability in dompdf.php

This release is superseded by version 0.7.0 This is a security-focused release that addresses a number of vulnerabilities that can expose your system to exploitation. In tandem with this release we have also posted a document to the wiki with advice for securing dompdf. Please read the new docume...

8.8CVSS7.6AI score0.39374EPSS
Exploits7Affected Software1
Friends Of PHP
Friends Of PHP
•added 2013/08/12 1:41 a.m.•32 views

XML External Entity (XXE) issue

disable external XML entities and libxml errors thanks to Kousuke Ebihara for the report and patch...

7.5CVSS6AI score0.02997EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2013/01/15 9:16 p.m.•32 views

Ability to enable/disable PHP parsing in Yaml::parse()

More info at https://symfony.com/blog/security-release-symfony-2-0-22-and-2-1-7-released...

7.5CVSS6.8AI score0.01619EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•32 views

Guard bypass in Eloquent models

More info at https://blog.laravel.com/security-release-laravel-61834-7232...

7.5CVSS7.2AI score0.01203EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•32 views

CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch

More info at https://symfony.com/cve-2026-46626...

7.3CVSS5.8AI score0.63422EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 1970/01/01 12:0 a.m.•32 views

PHP Code Injection

phpWhois PHP Code Injection\nVulnerability Overview\nphpWhois and some of its forks in versions before 5.1.0 are prone to a\ncode injection vulnerability due to insufficient sanitization of returned\nWHOIS data. This allows attackers controlling the WHOIS information of a\nrequested domain to...

7.5CVSS9.7AI score0.06195EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2026/05/13 7:0 a.m.•31 views

Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Summary Composer leaks the full contents of tokens configured as GitHub OAuth tokens if they do not match Composer's expected format for such tokens to stderr. GitHub has introduced a new format for GitHub Actions GITHUBTOKEN values. These tokens are validated in the same way by Composer on GitHu...

5.7AI score0.00079EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2023/11/10 8:0 a.m.•31 views

CVE-2023-46735: Potential XSS in WebhookController

More info at https://symfony.com/cve-2023-46735...

6.1CVSS7.2AI score0.00568EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2023/02/27 3:5 p.m.•31 views

ReactPHP's HTTP server continues parsing unused multipart parts after reaching limits

Summary Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the...

7.5CVSS6.8AI score0.01408EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2023/02/01 8:0 a.m.•31 views

CVE-2022-24894: Prevent storing cookie headers in HttpCache

More info at https://symfony.com/cve-2022-24894...

8.8CVSS7.2AI score0.00753EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/14 11:32 a.m.•31 views

smarty_function_mailto - JavaScript injection in eval function

I found a bug in the Smarty package, specifically in the smartyfunctionmailto$params function. Remote exploitation of such vulnerability is unlikely, but it is still advisable to take it into account. A web page that uses this function and that could be parameterized using GET or POST input...

5.4CVSS5.6AI score0.00826EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•31 views

TYPO3-CORE-SA-2022-008: Missing check for expiration time of password reset token for backend users

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-008...

5.4CVSS7.2AI score0.00735EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/27 5:27 a.m.•31 views

CVE-2021-41559: Quadratic blowup in Convert::xml2array()

More info at https://www.silverstripe.org/download/security-releases/cve-2021-41559...

6.5CVSS7.2AI score0.00985EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/03/29 6:0 p.m.•31 views

Path Traversal within joomla/archive tar class

More info at https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html...

7.5CVSS7.2AI score0.02007EPSS
Exploits3Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/03/24 1:59 p.m.•31 views

Remote code injection via remote fonts

Dompdf is an HTML to PDF converter. Dompdf before 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets CSS statement within an HTML input file...

9.8CVSS9.5AI score0.82438EPSS
Exploits8Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/01/10 10:48 a.m.•31 views

Access to restricted PHP code by dynamic static class access

Impact Template authors could run restricted static php methods. Patches Please upgrade to 3.1.40 or higher. References See the documentation on Smarty security features on the staticclasses access filter. For more information If you have any questions or comments about this advisory please open ...

8.8CVSS9.1AI score0.0222EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/01/04 12:59 a.m.•31 views

CVE-2022-21647: Deserialization of Untrusted Data in Codeigniter4

Impact Deserialization of Untrusted Data was found in the old function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection...

9.8CVSS9.1AI score0.37671EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2021/11/21 12:0 a.m.•31 views

CVE-2022-38148 - Blind SQL Injection via GridFieldSortableHeader

More info at https://www.silverstripe.org/download/security-releases/cve-2022-38148...

8.8CVSS7.2AI score0.00724EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2021/07/20 9:14 a.m.•31 views

TYPO3-CORE-SA-2021-010: Cross-Site Scripting in Query Generator & Query View

More info at https://typo3.org/security/advisory/typo3-core-sa-2021-010...

6.4CVSS7.2AI score0.00598EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2021/05/12 8:0 a.m.•31 views

CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms

More info at https://symfony.com/cve-2021-21424...

5.3CVSS7.2AI score0.01712EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/11/03 8:51 a.m.•31 views

Insecure Deserialization of untrusted data

Description Impact Unserialization of untrusted data. Patches The issue has been patched and users of Requests 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. References Publications about the vulnerability:...

7.5CVSS8.9AI score0.16119EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/08/25 3:50 a.m.•31 views

CVE-2020-15227: Potential Remote Code Execution vulnerability

More info at https://blog.nette.org/en/cve-2020-15227-potential-remote-code-execution-vulnerability...

9.8CVSS7.2AI score0.35228EPSS
Exploits3Affected Software1
Friends Of PHP
Friends Of PHP
•added 2020/03/05 5:34 p.m.•31 views

SQL injection relating to data display

More info at https://www.phpmyadmin.net/security/PMASA-2020-4/...

5.4CVSS7.2AI score0.01593EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/12/17 11:43 a.m.•31 views

Insert tag injection in the login module

More info at https://contao.org/en/security-advisories/insert-tag-injection-in-the-login-module.html...

5.3CVSS7.2AI score0.00819EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/10/08 12:0 a.m.•31 views

PRODSECBUG-2223: Remote code execution when using functionality that imports a new product

More info at https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update...

9CVSS7.2AI score0.03267EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2019/06/25 12:0 a.m.•31 views

PRODSECBUG-2430: Security bypass via crafted SOAP requests

More info at https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13...

7.5CVSS7.2AI score0.01186EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1702