6 matches found
CVE-2024-23049
CVE-2024-23049 affects Symphony (v3.6.3 and earlier). The vulnerability enables remote code execution via the log4j component, with impact on confidentiality, integrity, and availability reported as High. Affected is Symphony’s log4j handling; root cause details are not fully enumerated in the pr...
CVE-2019-17488
CVE-2019-17488 affects b3log Symphony (Sym) before 3.6.0, where a cross-site scripting (XSS) vulnerability exists via the HTTP User-Agent header. The connected CNVD entry notes the root cause as lack of proper validation of client-side data by the web application, enabling potential client-side c...
CVE-2018-16249
Symphony (before 3.3.0) is affected by a stored XSS in the articleTitle field of the Title under Post. An admin-authenticated user can insert arbitrary HTML/JS via a crafted site name, triggering payload execution when accessing /member/test/points. The vulnerability stems from how the articleTit...
CVE-2017-16821
Vulnerability : b3log Symphony 2.2.0 is affected by an XSS in processor/AdminProcessor.java within the admin console, triggered by a crafted X-Forwarded-For header that is mishandled when displaying a client IP at /admin/user/userid. Impact : potential XSS in the admin interface as described. Rem...
CVE-2018-10469
CVE-2018-10469 affects b3log Symphony (Sym) 2.6.0. A remote attacker can upload and execute arbitrary JSP files by sending the name[] parameter to the /upload URI, enabling remote code execution with partial to high impact as per the CVE description. No explicit remediation/patch details are prov...
CVE-2019-9142
The CVE-2019-9142 issue affects b3log Symphony (Sym) prior to v3.4.7. The vulnerability is an XSS flaw exposed via userIntro and userNickname fields in processor/SettingsProcessor.java. Connections across multiple sources confirm the root cause is input handling in SettingsProcessor.java, leading...