Friends Of PHP (recent)

1697 matches found

Friends Of PHP • added 2023/04/25 11:32 p.m. • 11 views

SS-2023-001 - XSS vulnerability in underlying TinyMCE library

More info at https://www.silverstripe.org/download/security-releases/SS-2023-001...

AI score 7.2 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/04/25 11:30 p.m. • 27 views

CVE-2023-22729 - Open redirect vulnerability on CMSSecurity relogin screen

More info at https://www.silverstripe.org/download/security-releases/cve-2023-22729...

CVSS 6.1 • AI score 7.2 • EPSS 0.00419 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/04/25 11:24 p.m. • 22 views

CVE-2023-22728 - Missing permission check in GridFieldPrintButton

More info at https://www.silverstripe.org/download/security-releases/cve-2023-22728...

CVSS 4.3 • AI score 7.2 • EPSS 0.00486 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/04/25 9:11 a.m. • 26 views

Directory traversal vulnerability in the file manager

More info at https://contao.org/en/security-advisories/directory-traversal-in-the-file-manager.html...

CVSS 6.5 • AI score 7.2 • EPSS 0.00797 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/04/25 9:11 a.m. • 44 views

Directory traversal vulnerability in the file manager

More info at https://contao.org/en/security-advisories/directory-traversal-in-the-file-manager.html...

CVSS 6.5 • AI score 7.2 • EPSS 0.00797 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/04/17 4:00 p.m. • 31 views

Improper header validation

Impact: Improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. Patches: The issue is patched in 1.9.1 and 2.4.5...

CVSS 7.5 • AI score 5.8 • EPSS 0.01216 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/04/17 4:00 p.m. • 84 views

Improper Input Validation in headers

Impact: Improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. Patches: The issue is patched in 1.6.1...

AI score 5.7 • EPSS 0.01216 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/04/17 4:00 p.m. • 19 views

Improper Input Validation in headers

Impact: Improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. Patches: The issue is patched in 1.6.1. Workarounds: Ther...

AI score 6.1 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/03/28 7:41 p.m. • 27 views

Cross site scripting vulnerability in Javascript escaping

Impact: An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the...

CVSS 7.1 • AI score 7 • EPSS 0.01016 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/03/22 12:31 p.m. • 25 views

TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-003...

CVSS 5.8 • AI score 6.1 • EPSS 0.00512 • Exploits 1 • Affected Software 1

Friends Of PHP • added 2023/03/22 12:31 p.m. • 30 views

TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-003...

CVSS 6.1 • AI score 7.2 • EPSS 0.00512 • Exploits 1 • Affected Software 1

Friends Of PHP • added 2023/03/17 3:47 p.m. • 39 views

PHAR deserialization allowing remote code execution

Description: snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and...

CVSS 7.5 • AI score 9.9 • EPSS 0.03207 • Exploits 1 • Affected Software 1

Friends Of PHP • added 2023/03/17 3:47 p.m. • 25 views

PHAR deserialization allowing remote code execution

Description: snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_exists function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitra...

CVSS 9.8 • AI score 9.9 • EPSS 0.03207 • Exploits 1 • Affected Software 1

Friends Of PHP • added 2023/03/15 10:19 p.m. • 30 views

CVE-2023-28104 DDOS attack on graphql endpoints

More info at https://www.silverstripe.org/download/security-releases/CVE-2023-28104...

CVSS 7.5 • AI score 7.2 • EPSS 0.01055 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/03/06 9:20 a.m. • 16 views

Infinite Loop vulnerability

Math/PrimeField.php in phpseclib has an infinite loop with composite primefields. This vulnerability was introduced in version 3.0.0, and has been patched in 3.0.19. The CVE for this issue originally identified the vulnerable version as 2.x, however, the vulnerable functionality was not...

CVSS 7.5 • AI score 7.3 • EPSS 0.00808 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/02/28 10:37 a.m. • 32 views

CVE-2023-25575: Secured properties may be accessible within collections

Impact: Resource properties secured with the security option of the ApiPlatform\Metadata\ApiProperty attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization...

CVSS 7.7 • AI score 6.7 • EPSS 0.00604 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/02/27 3:05 p.m. • 29 views

ReactPHP's HTTP server continues parsing unused multipart parts after reaching limits

Summary: Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the...

CVSS 7.5 • AI score 6.8 • EPSS 0.01408 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/02/21 8:31 a.m. • 28 views

TYPO3-EXT-SA-2023-002: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-002...

CVSS 5.8 • AI score 6.2 • EPSS 0.00424 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/02/21 8:31 a.m. • 22 views

TYPO3-EXT-SA-2023-002: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-002...

CVSS 6.1 • AI score 7.2 • EPSS 0.00424 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/02/07 9:24 a.m. • 22 views

TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering

More info at https://typo3.org/security/advisory/typo3-core-sa-2023-001...

CVSS 8.8 • AI score 7.2 • EPSS 0.00831 • Exploits 1 • Affected Software 1

Friends Of PHP • added 2023/02/07 9:24 a.m. • 34 views

TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering

More info at https://typo3.org/security/advisory/typo3-core-sa-2023-001...

CVSS 8.8 • AI score 7.2 • EPSS 0.00831 • Exploits 1 • Affected Software 1

Friends Of PHP • added 2023/02/01 8:00 a.m. • 22 views

CVE-2022-24895: Possible CSRF token fixation

More info at https://symfony.com/cve-2022-24895...

CVSS 8.8 • AI score 7.2 • EPSS 0.0079 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/02/01 8:00 a.m. • 26 views

CVE-2022-24894: Prevent storing cookie headers in HttpCache

More info at https://symfony.com/cve-2022-24894...

CVSS 8.8 • AI score 7.2 • EPSS 0.00753 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/02/01 8:00 a.m. • 30 views

CVE-2022-24894: Prevent storing cookie headers in HttpCache

More info at https://symfony.com/cve-2022-24894...

CVSS 8.8 • AI score 7.2 • EPSS 0.00753 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/02/01 8:00 a.m. • 24 views

CVE-2022-24895: Possible CSRF token fixation

More info at https://symfony.com/cve-2022-24895...

CVSS 8.8 • AI score 7.2 • EPSS 0.0079 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2023/01/31 2:30 p.m. • 29 views

Dompdf vulnerable to URI validation failure on SVG parsing

Summary: The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing tags with uppercase letters. This might lead to arbitrary object unserialize on PHP tags, in src/Image/Cache.php: if ($type === "svg") { $parser = xml_parser_create("utf-8"); xml_parser_set_option($parser, ...

CVSS 10 • AI score 9.4 • EPSS 0.03572 • Exploits 2 • Affected Software 1

Friends Of PHP • added 2023/01/19 12:56 p.m. • 29 views

TYPO3-EXT-SA-2023-001: Broken Access Control in extension "femanager" (femanager)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-001...

CVSS 8.6 • AI score 7.2 • EPSS 0.00501 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/22 2:49 a.m. • 23 views

CVE-2022-46170: Potential Session Handlers Vulnerability

Impact: When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to DatabaseHandler, MemcachedHandler, or RedisHandler, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages...

CVSS 9.8 • AI score 9.1 • EPSS 0.00841 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/22 2:49 a.m. • 32 views

CVE-2022-23556: Attackers may spoof IP address when using proxy

Impact: This vulnerability may allow attackers to spoof their IP address when your server is behind a reverse proxy. Patches: Upgrade to v4.2.11 or later, and configure Config\App::$proxyIPs. Workarounds: Do not use $request->getIPAddress(). References: -...

CVSS 7.5 • AI score 7 • EPSS 0.00373 • Exploits 1 • Affected Software 1

Friends Of PHP • added 2022/12/18 10:37 p.m. • 38 views

CVE-2022-42949 - Subsite weakens file permissions

More info at https://www.silverstripe.org/download/security-releases/cve-2022-42949...

CVSS 7.5 • AI score 7.2 • EPSS 0.00524 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 11:23 a.m. • 17 views

TYPO3-EXT-SA-2022-016: Insufficient Session Expiration after Password Change in extension "Change password for frontend users" (fe_change_pwd)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-016...

CVSS 7.5 • AI score 9 • EPSS 0.00441 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 11:23 a.m. • 18 views

TYPO3-EXT-SA-2022-016: Insufficient Session Expiration after Password Change in extension "Change password for frontend users" (fe_change_pwd)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-016...

CVSS 9.8 • AI score 7.2 • EPSS 0.00441 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 10:32 a.m. • 17 views

TYPO3-EXT-SA-2022-017: Multiple vulnerabilities in extension "Newsletter subscriber management" (fp_newsletter)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-017...

CVSS 9.1 • AI score 7.2 • EPSS 0.00651 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 10:14 a.m. • 25 views

TYPO3-EXT-SA-2022-018: Multiple vulnerabilities in extension "Master-Quiz" (fp_masterquiz)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-018...

CVSS 6.5 • AI score 7.2 • EPSS 0.00364 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:19 a.m. • 21 views

TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-017...

CVSS 6.1 • AI score 7.2 • EPSS 0.00438 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:19 a.m. • 31 views

TYPO3-CORE-SA-2022-017: By-passing Cross-Site Scripting Protection in HTML Sanitizer

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-017...

CVSS 6.1 • AI score 7.2 • EPSS 0.00438 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:19 a.m. • 33 views

TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-016...

CVSS 5.7 • AI score 7.2 • EPSS 0.00514 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:19 a.m. • 18 views

TYPO3-CORE-SA-2022-016: Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-016...

CVSS 5.7 • AI score 7.2 • EPSS 0.00514 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:19 a.m. • 38 views

TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-015...

CVSS 8.8 • AI score 7.2 • EPSS 0.00785 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:19 a.m. • 27 views

TYPO3-CORE-SA-2022-015: Arbitrary Code Execution via Form Framework

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-015...

CVSS 8.8 • AI score 7.2 • EPSS 0.00785 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:19 a.m. • 22 views

TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-014...

CVSS 5.4 • AI score 7.2 • EPSS 0.004 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:19 a.m. • 19 views

TYPO3-CORE-SA-2022-014: Insufficient Session Expiration after Password Reset

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-014...

CVSS 5.4 • AI score 7.2 • EPSS 0.004 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:18 a.m. • 24 views

TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-013...

CVSS 6.5 • AI score 7.2 • EPSS 0.00479 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:18 a.m. • 20 views

TYPO3-CORE-SA-2022-013: Weak Authentication in Frontend Login

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-013...

CVSS 6.5 • AI score 7.2 • EPSS 0.00479 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:18 a.m. • 28 views

TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-012...

CVSS 7.5 • AI score 7.2 • EPSS 0.00686 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/12/13 9:18 a.m. • 25 views

TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-012...

CVSS 7.5 • AI score 7.2 • EPSS 0.00686 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/10/31 5:07 p.m. • 32 views

TYPO3-EXT-SA-2022-015: Broken Access Control in extension "femanager" (femanager)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-015...

CVSS 5.3 • AI score 7.2 • EPSS 0.00603 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/10/06 9:39 a.m. • 35 views

CVE-2022-39284: Config\Cookie Secure or HttpOnly flag not set in CodeIgniter4

Impact: Setting the $secure or $httponly value to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie(). Note: This vulnerability does not affect session cookies. The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie. php...

CVSS 4.3 • AI score 4.2 • EPSS 0.00825 • Exploits 1 • Affected Software 1

Friends Of PHP • added 2022/09/28 10:36 a.m. • 31 views

Possibility to load a template outside a configured directory when using the filesystem loader

More info at https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader...

CVSS 7.5 • AI score 7.2 • EPSS 0.01488 • Exploits 0 • Affected Software 1

Friends Of PHP • added 2022/09/22 1:54 p.m. • 20 views

Remote file inclusion

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule...

CVSS 7.5 • AI score 7.5 • EPSS 0.04057 • Exploits 3 • Affected Software 1

Total number of security vulnerabilities: 1697