1702 matches found
Exploit of encryption failure vulnerability
More info at https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0...
Laravel CRLF injection in default email rule
Summary A CRLF injection vulnerability in Laravel's email validation, in combination with how Symfony Mailer and Symfony Mime handle certain character sequences, may allow an unauthenticated attacker to interfere with outbound email processing in applications that send mail to user-supplied...
PHP Code Injection
phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...
PHP Code Injection
phpWhois PHP Code Injection Vulnerability Overview phpWhois and some of its forks in versions before 5.1.0 are prone to a code injection vulnerability due to insufficient sanitization of returned WHOIS data. This allows attackers controlling the WHOIS information of a requested domain to execute...
Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data...
Possible cross-site scripting (XSS) vulnerability in the Blade templating engine
A security researcher has disclosed a possible XSS vulnerability in the Blade templating engine. Given the following two Blade templates: resources/views/parent.blade.php: html @section'content' @show resources/views/child.blade.php: html @extends'parent' @section'content' @endsection And a route...
Insert tag injection in front end forms
More info at https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html...
Cross-site scripting (XSS) vulnerability in the system log
More info at https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021.html...
Cross site scripting via HTML attributes in the back end
More info at https://contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005
More info at https://www.drupal.org/sa-core-2021-005...
Privilege escalation with the form generator
More info at https://contao.org/en/security-advisories/privilege-escalation-with-the-form-generator.html...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013
More info at https://www.drupal.org/sa-core-2020-013...
PHP file inclusion via insert tags
More info at https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.html...
Highly critical - Remote Code Execution
More info at https://www.drupal.org/SA-CORE-2019-003...
Critical - Third Party Libraries
More info at https://www.drupal.org/sa-core-2019-001...
Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002
More info at https://www.drupal.org/sa-core-2020-002...
Moderately critical - Cross Site Scripting - SA-CORE-2019-004
More info at https://www.drupal.org/SA-CORE-2019-004...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005
More info at https://www.drupal.org/sa-core-2020-005...
Content moderation - Moderately critical - Access bypass
More info at https://www.drupal.org/sa-core-2018-006...
Content moderation - Moderately critical - Access bypass
More info at https://www.drupal.org/sa-core-2018-006...
Existing sessions are not correctly invalidated when a user changes their password
More info at https://contao.org/en/news/security-vulnerability-cve-2019-10641.html...
Contextual Links validation - Critical - Remote Code Execution
More info at https://www.drupal.org/sa-core-2018-006...
XSS vulnerability on password reset page
Impact For Mautic versions prior to 3.3.4, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code. The attacker would be required to convince or trick the target into clicking a password...
Guard bypass in Eloquent models
More info at https://blog.laravel.com/security-release-laravel-61834-7232...
XSS vulnerability on contacts view
Impact Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when viewing a contact's details page then clicking on the action drop down and hovering over the Campaigns button. Contact first and last name can be populat...
XSS vulnerability on asset view
Impact Mautic versions before 3.3.4 / 4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets by utilizing inline JS in the title and adding a broken image URL as a remote asset. This can only be leveraged by an authenticated user with permission to create or edit assets. Patch...
RCE vulnerability in "cookie" session driver
More info at https://blog.laravel.com/laravel-cookie-security-releases...
Use token when logging out
More info at https://phabricator.wikimedia.org/T25227...
Stored XSS vulnerability on Bounce Management Callback
Impact Insufficient sanitization / filtering allows for arbitrary JavaScript Injection in Mautic using the bounce management callback function. The values submitted in the "error" and "errorrelatedto" parameters of the POST request of the bounce management callback will be permanently stored and...
Exploit of encryption failure vulnerability
More info at https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0...
Cookie serialization vulnerability
More info at https://laravel.com/docs/5.6/upgradeupgrade-5.6.30...
Mautic core - Highly Critical - XSS vulnerability leveraged through referrers could allow un-authorized admin access
More info at https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4...
Mautic core - Highly Critical - XSS vulnerability leveraged through referrers could allow un-authorized admin access
More info at https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4...
Secret data exfiltration via symfony parameters
Impact Symfony parameters which is what Mautic transforms configuration parameters into can be used within other Symfony parameters by design. However, this also means that an admin who is normally not privy to certain parameters, such as database credentials, could expose them by leveraging any ...
Moderately critical - Third-party libraries - SA-CORE-2019-007
More info at https://www.drupal.org/SA-CORE-2019-007...
Critical - Third Party Libraries
More info at https://www.drupal.org/sa-core-2019-001...
Moderately critical - Third-party libraries - SA-CORE-2019-007
More info at https://www.drupal.org/SA-CORE-2019-007...
Critical - Arbitrary PHP code execution
More info at https://www.drupal.org/sa-core-2019-002...
Highly critical - Remote Code Execution
More info at https://www.drupal.org/SA-CORE-2019-003...
Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004
More info at https://www.drupal.org/sa-core-2020-004...
SQL Server LIMIT / OFFSET SQL Injection
Impact Those using SQL Server with Laravel and allowing user input to be passed directly to the limit and offset functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability. Patches This problem has been patched on Laravel...
Guard bypass in Eloquent models
More info at https://blog.laravel.com/security-release-laravel-61834-7232...
Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
More info at https://www.drupal.org/sa-core-2020-008...
Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011
More info at https://www.drupal.org/sa-core-2020-011...
Drupal core - Critical - Remote code execution - SA-CORE-2020-012
More info at https://www.drupal.org/sa-core-2020-012...
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010
More info at https://www.drupal.org/sa-core-2020-010...
Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
More info at https://www.drupal.org/sa-core-2021-002...
Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
More info at https://www.drupal.org/sa-core-2021-002...
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
More info at https://www.drupal.org/sa-core-2020-007...