1702 matches found
Entity access bypass for entities that do not have UUIDs or have protected revisions.
More info at https://www.drupal.org/SA-CORE-2017-004...
REST API can bypass comment approval.
More info at https://www.drupal.org/SA-CORE-2017-004...
Entity access bypass for entities that do not have UUIDs or have protected revisions.
More info at https://www.drupal.org/SA-CORE-2017-004...
Views does not properly restrict access to the Ajax endpoint.
More info at https://www.drupal.org/SA-CORE-2017-004...
Views does not properly restrict access to the Ajax endpoint.
More info at https://www.drupal.org/SA-CORE-2017-004...
REST API can bypass comment approval.
More info at https://www.drupal.org/SA-CORE-2017-004...
XSS vulnerability in code example
SECURITY Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The codegenerator.phps example did not filter user input prior to output. This file is distributed with a .phps extension, so it is not normally executable unless it is explicitly renamed, so it is safe by default. There...
Object injection
SECURITY Fix potential object injection vulnerability. CVE-2018-19296. Reported by Sehun Oh of cyberone.kr. Added Tagalog translation, thanks to @StoneArtz Added Malagache translation, thanks to @Hackinet Updated Serbian translation, fixed incorrect language code, thanks to @mmilanovic4 Updated...
CVE-2017-11365: Empty passwords validation issue
More info at https://symfony.com/cve-2017-11365...
CVE-2017-11365: Empty passwords validation issue
More info at https://symfony.com/cve-2017-11365...
CVE-2017-11365: Empty passwords validation issue
More info at https://symfony.com/cve-2017-11365...
A logged in back end user can include arbitrary existing PHP files by manipulating a URL parameter
More info at https://contao.org/en/news/contao-441.html...
A logged in back end user can include arbitrary existing PHP files by manipulating a URL parameter
More info at https://contao.org/en/news/contao-441.html...
A logged in back end user can include arbitrary existing PHP files by manipulating a URL parameter
More info at https://contao.org/en/news/contao-3528.html...
Invalid token creation and validation
More info at https://simplesamlphp.org/security/201708-01...
Remote Code Execution Vulnerability
More info at https://community.shopware.com/detail2015.html...
Files uploaded by anonymous users into a private file system can be accessed by other anonymous users
More info at https://www.drupal.org/SA-CORE-2017-003...
PECL YAML parser unsafe object handling
More info at https://www.drupal.org/SA-CORE-2017-003...
File REST resource does not properly validate
More info at https://www.drupal.org/SA-CORE-2017-003...
Files uploaded by anonymous users into a private file system can be accessed by other anonymous users
More info at https://www.drupal.org/SA-CORE-2017-003...
File REST resource does not properly validate
More info at https://www.drupal.org/SA-CORE-2017-003...
PECL YAML parser unsafe object handling
More info at https://www.drupal.org/SA-CORE-2017-003...
SS-2017-003: XSS in RedirectorPage
More info at https://www.silverstripe.org/download/security-releases/ss-2017-003/...
SS-2017-004: XSS in page history comparison
More info at https://www.silverstripe.org/download/security-releases/ss-2017-004/...
SS-2017-002: Member disclosure in login form
More info at https://www.silverstripe.org/download/security-releases/ss-2017-002/...
Missing state parameter in OAuth requests leading to CSRF vulnerability
No description provided...
Missing state parameter in OAuth requests leading to CSRF vulnerability
More info at https://github.com/sensiolabs/connect/pull/63...
EZSA-2017-005 XSS issue in search
More info at http://share.ez.no/community-project/security-advisories/ezsa-2017-005-xss-issue-in-search...
Arbitrary shell execution
Security Advisory - This release contains a fix for a security advisory related to the improper handling of a shell command - A properly crafted filename would allow for arbitrary code execution when using the --filter=gitmodified command line option - All version 3 users are encouraged to upgrad...
Remote Code Execution
$highlight = Pygmentize::highlight('<?php phpinfo();', ';uname -a '); print_r($highlight); This will produce the following output: Darwin Micheals-MBP 16.1.0 Darwin Kernel Version 16.1.0: Thu Oct 13 21:26:57 PDT 2016; root:xnu-3789.21.360/RELEASE_X86_64 x86_64 The problem lines appear to be here:...
Remote Code Execution
$highlight = Pygmentize::highlight('<?php phpinfo();', ';uname -a '); print_r($highlight); This will produce the following output: Darwin Micheals-MBP 16.1.0 Darwin Kernel Version 16.1.0: Thu Oct 13 21:26:57 PDT 2016; root:xnu-3789.21.360/RELEASE_X86_64 x86_64 The problem lines appear to be here:...
Cookie leakage to wrong origins and non-restricted cookie acceptance
Security and maintenance release. - Security: Previously cookies of foo.bar.example.com were leaked to foo.bar. Additionally, any site could set cookies for any other site. Artax follows newer browser implementations now. Cookies can only be set on domains higher or equal to the current domain, b...
Authentication context bypass (multiauth module)
More info at https://simplesamlphp.org/security/201704-02...
Session fixation and authentication bypass (authcrypt module)
More info at https://simplesamlphp.org/security/201705-01...
Unauthenticated encryption in CBC mode
More info at https://simplesamlphp.org/security/201704-01...
Access bypass
More info at https://www.drupal.org/SA-2017-002...
Access bypass
More info at https://www.drupal.org/SA-2017-002...
Flow Bugfix Releases for Entity Security
More info at https://www.neos.io/blog/flow-bugfix-releases-for-entity-security.html...
Flow Bugfix Releases for Entity Security
More info at https://www.neos.io/blog/flow-bugfix-releases-for-entity-security.html...
Incorrect IV generation for encryption
More info at https://simplesamlphp.org/security/201703-02...
Multiple timing side-channel issues
More info at https://simplesamlphp.org/security/201703-01...
Remote code execution
More info at https://www.drupal.org/SA-2017-001...
Editor module incorrectly checks access to inline private files
More info at https://www.drupal.org/SA-2017-001...
Some admin paths were not protected with a CSRF token
More info at https://www.drupal.org/SA-2017-001...
Remote code execution
More info at https://www.drupal.org/SA-2017-001...
Some admin paths were not protected with a CSRF token
More info at https://www.drupal.org/SA-2017-001...
Editor module incorrectly checks access to inline private files
More info at https://www.drupal.org/SA-2017-001...
An error during signature verification can be treated as a successful verification.
…nse. In order to verify Signatures on LogoutRequests and LogoutResponses we use the verifySignature method of the XMLSecurityKey class from the xmlseclibs library. That method ends up calling openssl_verify depending on the signature algorithm used. The openssl_verify function returns 1 when the signature...
An error during signature verification can be treated as a successful verification.
Security update for signature validation on LogoutRequest/LogoutResponse. In order to verify Signatures on LogoutRequests and LogoutResponses we use the verifySignature method of the XMLSecurityKey class from the xmlseclibs library. That method ends up calling openssl_verify depending on the signature...
Authentication Bypass in TYPO3 Frontend
More info at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-002/...