Lucene search
K
FriendsofphpRecent

1702 matches found

Friends Of PHP
Friends Of PHP
•added 2022/12/13 9:18 a.m.•28 views

TYPO3-CORE-SA-2022-012: Denial of Service in Page Error Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-012...

7.5CVSS7.2AI score0.00686EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/10/31 5:7 p.m.•35 views

TYPO3-EXT-SA-2022-015: Broken Access Control in extension "femanager" (femanager)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-015...

5.3CVSS7.2AI score0.00603EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/10/06 9:39 a.m.•36 views

CVE-2022-39284: Config\Cookie Secure or HttpOnly flag not set in CodeIgniter4

Impact Setting $secure or $httponly value to true in Config\Cookie is not reflected in setcookie or Response::setCookie. Note This vulnerability does not affect session cookies. The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie. php...

4.3CVSS4.2AI score0.00825EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/28 10:36 a.m.•32 views

Possibility to load a template outside a configured directory when using the filesystem loader

More info at https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader...

7.5CVSS7.2AI score0.01557EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/22 1:54 p.m.•21 views

Remote file inclusion

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule...

7.5CVSS7.5AI score0.04173EPSS
Exploits3Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/14 11:32 a.m.•31 views

smarty_function_mailto - JavaScript injection in eval function

I found a bug in the Smarty package, specifically in the smartyfunctionmailto$params function. Remote exploitation of such vulnerability is unlikely, but it is still advisable to take it into account. A web page that uses this function and that could be parameterized using GET or POST input...

5.4CVSS5.6AI score0.00826EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:7 a.m.•41 views

TYPO3-CORE-SA-2022-006: Denial of Service in Page Error Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-006...

7.5CVSS7.2AI score0.01312EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:7 a.m.•28 views

TYPO3-CORE-SA-2022-006: Denial of Service in Page Error Handling

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-006...

7.5CVSS7.2AI score0.01312EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:7 a.m.•43 views

TYPO3-CORE-SA-2022-011: By-passing Cross-Site Scripting Protection in HTML Sanitizer

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-011...

6.1CVSS7.2AI score0.00633EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:7 a.m.•28 views

TYPO3-CORE-SA-2022-011: By-passing Cross-Site Scripting Protection in HTML Sanitizer

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-011...

6.1CVSS7.2AI score0.00633EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•29 views

TYPO3-CORE-SA-2022-010: Cross-Site Scripting in <f:asset.css> view helper

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-010...

6.5CVSS7.2AI score0.0072EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•23 views

TYPO3-CORE-SA-2022-010: Cross-Site Scripting in <f:asset.css> view helper

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-010...

6.5CVSS7.2AI score0.0072EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•40 views

TYPO3-CORE-SA-2022-009: Stored Cross-Site Scripting via FileDumpController

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-009...

6.5CVSS7.2AI score0.00722EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•32 views

TYPO3-CORE-SA-2022-009: Stored Cross-Site Scripting via FileDumpController

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-009...

6.5CVSS7.2AI score0.00722EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•31 views

TYPO3-CORE-SA-2022-008: Missing check for expiration time of password reset token for backend users

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-008...

5.4CVSS7.2AI score0.00735EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•26 views

TYPO3-CORE-SA-2022-008: Missing check for expiration time of password reset token for backend users

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-008...

5.4CVSS7.2AI score0.00735EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•32 views

TYPO3-CORE-SA-2022-007: User Enumeration via Response Timing

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-007...

5.3CVSS7.2AI score0.00977EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 8:6 a.m.•24 views

TYPO3-CORE-SA-2022-007: User Enumeration via Response Timing

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-007...

5.3CVSS7.2AI score0.00977EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/09/13 7:28 a.m.•29 views

GHSA-47m6-46mj-p235: By-passing Cross-Site Scripting Protection in HTML Sanitizer

Meta CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C 5.7 Problem Due to a parsing issue in upstream package masterminds/html5, malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanis...

6.1CVSS5.8AI score0.00633EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/08/20 11:11 a.m.•102 views

ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent

Description Impact In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like Host- and Secure- confused with cookies that decode to such prefix, thus leading to ...

5CVSS6.5AI score0.05029EPSS
Exploits2Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/08/20 11:11 a.m.•40 views

ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent

Impact In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like Host- and Secure- confused with cookies that decode to such prefix, thus leading to an attacker...

5.3CVSS6.7AI score0.00804EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/07/25 7:29 p.m.•29 views

Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack.

Description Impact Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from...

5.8CVSS5.8AI score0.00615EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/07/25 7:29 p.m.•24 views

Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack.

Impact Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-...

7.2CVSS6.3AI score0.00615EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/07/21 7:9 p.m.•16 views

Cross-site Scripting in Semantic MediaWiki

More info at https://nvd.nist.gov/vuln/detail/CVE-2022-48614...

6.1CVSS7.2AI score0.00422EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/07/20 6:0 p.m.•28 views

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014

More info at https://www.drupal.org/sa-core-2022-014...

7.2CVSS7.2AI score0.01422EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/07/20 6:0 p.m.•20 views

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

More info at https://www.drupal.org/sa-core-2022-012...

7.5CVSS7.2AI score0.00667EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/07/20 10:11 a.m.•19 views

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

More info at https://www.drupal.org/sa-core-2022-013...

6.5CVSS7.2AI score0.0059EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/27 5:27 a.m.•25 views

CVE-2022-25238: Stored XSS via HTML fields

More info at https://www.silverstripe.org/download/security-releases/cve-2022-25238...

5.4CVSS7.2AI score0.00641EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/27 5:27 a.m.•25 views

CVE-2022-28803: Stored XSS in link tags added via XHR

More info at https://www.silverstripe.org/download/security-releases/cve-2022-28803...

5.4CVSS7.2AI score0.00513EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/27 5:27 a.m.•31 views

CVE-2021-41559: Quadratic blowup in Convert::xml2array()

More info at https://www.silverstripe.org/download/security-releases/cve-2021-41559...

6.5CVSS7.2AI score0.00985EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/27 5:27 a.m.•21 views

CVE-2022-29858: Unpublished, protected files can be published via shortcode

More info at https://www.silverstripe.org/download/security-releases/cve-2022-29858...

4.3CVSS7.2AI score0.01156EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/27 5:27 a.m.•21 views

CVE-2022-24444: Hybridsessions does not expire session id on logout

More info at https://www.silverstripe.org/download/security-releases/cve-2022-24444...

6.5CVSS7.2AI score0.00834EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/23 1:55 p.m.•22 views

Server-Side Request Forgery in dompdf/dompdf

Server-Side Request Forgery SSRF in GitHub repository dompdf/dompdf prior to 2.0.0...

5.3CVSS5.2AI score0.00953EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/20 10:16 p.m.•47 views

CURLOPT_HTTPAUTH option not cleared on change of origin

Impact Authorization headers on requests are sensitive information. When using our Curl handler, it is possible to use the CURLOPTHTTPAUTH option to specify an Authorization header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we...

7.7CVSS7.3AI score0.03425EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/20 10:16 p.m.•44 views

Change in port should be considered a change in origin

Impact Authorization and Cookie headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the Authorization and Cookie headers from the request, before containing. Previously, we...

7.7CVSS7.4AI score0.03425EPSS
Exploits1Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 10:59 a.m.•20 views

TYPO3-EXT-SA-2022-014: SQL Injection in extension "LUX - TYPO3 Marketing Automation" (lux)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-014...

9.8CVSS7.2AI score0.26299EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•24 views

TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-005...

7.2CVSS7.2AI score0.01165EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•25 views

TYPO3-CORE-SA-2022-005: Insufficient Session Expiration in Admin Tool

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-005...

7.2CVSS7.2AI score0.01165EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•37 views

TYPO3-CORE-SA-2022-004: Cross-Site Scripting in Frontend Login Mailer

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-004...

5.4CVSS7.2AI score0.00717EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•27 views

TYPO3-CORE-SA-2022-004: Cross-Site Scripting in Frontend Login Mailer

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-004...

5.4CVSS7.2AI score0.00717EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•32 views

TYPO3-CORE-SA-2022-003: Cross-Site Scripting in Form Framework

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-003...

5.4CVSS7.2AI score0.00717EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•28 views

TYPO3-CORE-SA-2022-003: Cross-Site Scripting in Form Framework

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-003...

5.4CVSS7.2AI score0.00717EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•33 views

TYPO3-CORE-SA-2022-002: Information Disclosure via Exception Handling/Logger

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-002...

6.5CVSS7.2AI score0.01047EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•26 views

TYPO3-CORE-SA-2022-002: Information Disclosure via Exception Handling/Logger

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-002...

6.5CVSS7.2AI score0.01047EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•30 views

TYPO3-CORE-SA-2022-001: Information Disclosure via Export Module

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-001...

4.3CVSS7.2AI score0.00585EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/14 7:11 a.m.•20 views

TYPO3-CORE-SA-2022-001: Information Disclosure via Export Module

More info at https://typo3.org/security/advisory/typo3-core-sa-2022-001...

4.3CVSS7.2AI score0.00585EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/13 1:44 p.m.•51 views

Cross-Site Scripting

More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-012...

5.4CVSS7.2AI score0.00487EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/13 1:40 p.m.•54 views

Cross-Site Scripting

More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-011...

6.1CVSS7.2AI score0.00541EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/09 9:36 p.m.•26 views

Fix failure to strip Authorization header on HTTP downgrade

Impact Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This is much the same as to how we don't forward on the heade...

7.5CVSS7.4AI score0.0182EPSS
Exploits0Affected Software1
Friends Of PHP
Friends Of PHP
•added 2022/06/09 9:36 p.m.•26 views

Failure to strip the Cookie header on change in host or HTTP downgrade

Impact Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward...

7.5CVSS7.5AI score0.0182EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1702