1697 matches found
Cross-Site Scripting in CKEditor
More info at https://typo3.org/security/advisory/typo3-core-sa-2018-005...
CVE-2018-19790: Open Redirect Vulnerability on login
More info at https://symfony.com/cve-2018-19790...
CVE-2017-16654: Intl bundle readers breaking out of paths
More info at https://symfony.com/cve-2017-16654...
SQL injection vulnerability in the back end search filter and the front end listing module
More info at https://contao.org/en/news/contao-3531.html...
Signature validation bypass (SAML 1.1)
More info at https://simplesamlphp.org/security/201710-01...
Unauthenticated encryption in CBC mode
More info at https://simplesamlphp.org/security/201704-01...
Multiple timing side-channel issues
More info at https://simplesamlphp.org/security/201703-01...
Incorrect signature verification
More info at https://simplesamlphp.org/security/201612-02...
Full config export can be downloaded without administrative permissions
More info at https://www.drupal.org/SA-CORE-2016-004...
HTTP Proxy header vulnerability
Bug Fixes - Removed support for using HTTP_PROXY environment variable for non-CLI apps per CVE-2016-5385 httpoxy. Graham Campbell 143 145 - Convert BUGSNAG_NOTIFY_RELEASE_STAGES to a comma-delimited array Jason Graham Campbell 142 144...
CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an empty password
More info at https://symfony.com/cve-2016-2403...
CVE-2016-1902: SecureRandom's fallback not secure when OpenSSL fails
More info at https://symfony.com/cve-2016-1902...
Cross-Site Scripting in 3rd party library Flowplayer
More info at https://typo3.org/security/advisory/typo3-core-sa-2015-007...
Denial of service with a malicious HTTP Host header
More info at https://symfony.com/cve-2014-5244...
The CDetailView widget allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property
More info at https://www.yiiframework.com/news/78/yii-1-1-15-is-released-security-fix/...
XXE issue that could expose local files or easily trigger a DoS attack.
XXE security issue. Issue 414...
Moderately critical - Cross Site Scripting - SA-CORE-2019-004
More info at https://www.drupal.org/SA-CORE-2019-004...
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
More info at https://www.drupal.org/sa-core-2020-009...
Moderately critical - Cross Site Scripting
More info at https://www.drupal.org/sa-core-2018-003...
CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
More info at https://symfony.com/cve-2026-46626...
CVE-2019-10910: Check service IDs are valid
More info at https://symfony.com/cve-2019-10910...
CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
More info at https://symfony.com/cve-2019-18888...
CVE-2024-50340: Ability to change environment from query
More info at https://symfony.com/cve-2024-50340...
Unauthenticated crypto and weak IV in Magento\Framework\Encryption
More info at http://www.openwall.com/lists/oss-security/2016/07/19/3...
Information disclosure in the back end
More info at https://contao.org/en/security-advisories/information-disclosure-in-the-back-end.html...
CVE-2019-10909: Escape validation messages in the PHP templating engine
More info at https://symfony.com/cve-2019-10909...
XSS vulnerability on asset view
Impact: Mautic versions before 3.3.4 / 4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets by utilizing inline JS in the title and adding a broken image URL as a remote asset. This can only be leveraged by an authenticated user with permission to create or edit assets. Patch...
TYPO3-EXT-SA-2024-007: Insecure Direct Object Reference in extension "powermail" (powermail)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2024-007...
TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-003...
PHAR deserialization allowing remote code execution
Description: snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitra...
CVE-2022-24895: Possible CSRF token fixation
More info at https://symfony.com/cve-2022-24895...
TYPO3-EXT-SA-2022-018: Multiple vulnerabilities in extension "Master-Quiz" (fp_masterquiz)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-018...
TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-012...
TYPO3-CORE-SA-2022-008: Missing check for expiration time of password reset token for backend users
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-008...
TYPO3-CORE-SA-2022-004: Cross-Site Scripting in Frontend Login Mailer
More info at https://typo3.org/security/advisory/typo3-core-sa-2022-004...
Failure to strip the Cookie header on change in host or HTTP downgrade
Impact: Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a URI to a different host, we should not forward...
XSS within joomla/filter class
More info at https://developer.joomla.org/security-centre/877-20220308-core-inadequate-content-filtering-within-the-filter-code.html...
CVE-2022-23601: CSRF token missing in forms
More info at https://symfony.com/cve-2022-23601...
Improper escaping of command arguments on Windows leading to command injection
Impact: Windows users running Composer to install untrusted dependencies are affected and should definitely upgrade for safety. Other OSs and WSL are not affected. Patches: 1.10.23 and 2.1.9 fix the issue. Workarounds: None...
Improper Certificate Validation in WP-CLI framework
Impact: Improper error handling in HTTPS request management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on the WP-CLI side, gaining full control over the communication content, including the ability...
Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags
More info at https://phabricator.wikimedia.org/T279451...
Sensitive Information Disclosure in extension "Media Content Element" (mediace)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2020-014...
CVE-2020-6165: Limited queries break CanViewPermissionChecker
More info at https://www.silverstripe.org/download/security-releases/cve-2020-6165...
SQL injection vulnerability in SearchController
More info at https://www.phpmyadmin.net/security/PMASA-2020-6/...
TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-001...
TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling
More info at https://typo3.org/security/advisory/typo3-core-sa-2020-003...
CVE-2020-5275: All rules set in "access_control" are required when the firewall is configured with the unanimous strategy
More info at https://symfony.com/cve-2020-5275...
Relative Path Traversal (CWE-23) in chunked uploads
Description / Impact: The vulnerability was identified in the web service for a chunked file upload. While the names of the POST parameters vary with the used frontend, their values are always used in the same way to build a path where the chunks are stored and assembled temporarily. By not validati...
SQL Injection in low-level Query Generator
More info at https://typo3.org/security/advisory/typo3-core-sa-2019-025...
Exposed suppressed username via Special:Redirect
More info at https://phabricator.wikimedia.org/T230402...