Lucene search
K
GetsymphonySymphony

18 matches found

CVE
CVE
added 2017/01/20 8:39 a.m.71 views

CVE-2017-5541

Symphony CMS before 2.6.10 is affected by a directory traversal vulnerability in template/usererror.missing_extension.php that allows remote attackers to rename arbitrary files via a .. (dot dot) in the existing-folder and new-folder parameters. Root cause: insufficient validation of directory tr...

5.3CVSS5.5AI score0.02497EPSS
Web
CVE
CVE
added 2016/01/08 9:0 p.m.70 views

CVE-2015-8766

Symphony CMS is affected by CVE-2015-8766. Multiple XSS flaws exist in content/systempreferences.php prior to version 2.6.4, allowing remote attackers to inject arbitrary scripts or HTML via parameters such as email_sendmail[from_name], email_sendmail[from_address], email_smtp[from_name], email_s...

6.1CVSS6AI score0.01767EPSS
Web
CVE
CVE
added 2016/06/30 5:0 p.m.63 views

CVE-2016-4309

Symphony CMS 2.6.7 is affected by a session-fixation vulnerability. The issue arises because the system does not regenerate the user’s PHPSESSID upon authentication, allowing an attacker to fix a session token and potentially gain access after a user authenticates. Public sources (Veracode, OpenV...

7.6CVSS7.4AI score0.09421EPSS
Web
CVE
CVE
added 2010/06/03 2:0 p.m.57 views

CVE-2010-2143

CVE-2010-2143 : Symphony CMS is vulnerable to a directory traversal in the index.php file’s mode parameter, allowing remote attackers to read arbitrary files and potentially impact the server. Affected: Symphony CMS 2.0.7 (and references to 2.0.6), with root cause described as unsanitized input d...

7.5CVSS7.4AI score0.07267EPSS
CVE
CVE
added 2014/03/27 4:0 p.m.55 views

CVE-2013-2559

Symphony CMS (before 2.3.2) is affected by a SQL injection in the sort parameter to system/authors/ that can be triggered by remote authenticated users; note that CSRF can enable remote unauthenticated attackers to execute arbitrary SQL commands. The issue is linked to CVE-2013-2559 and is also d...

6.5CVSS8.1AI score0.02355EPSS
Web
CVE
CVE
added 2017/01/20 8:39 a.m.54 views

CVE-2017-5542

Symphony CMS Logitech? No. This CVE (CVE-2017-5542) affects Symphony CMS up to version 2.6.9, where a cross-site scripting (XSS) flaw exists in template/usererror.missing_extension.php. The vulnerability allows an attacker to inject arbitrary web script or HTML through the existing-folder paramet...

6.1CVSS6AI score0.0117EPSS
Web
CVE
CVE
added 2010/09/17 7:0 p.m.53 views

CVE-2010-3458

CVE-2010-3458 describes a SQL injection in Symphony CMS (versions 2.0.7 and 2.1.1) where remote attackers could execute arbitrary SQL via the send-email[recipient] parameter to about/. The OpenVAS entry also notes a broader set of vulnerabilities for Symphony

7.5CVSS8.7AI score0.01023EPSS
Web
CVE
CVE
added 2015/06/18 6:0 p.m.53 views

CVE-2015-4661

CVE-2015-4661 affects Symphony CMS 2.6.2. A cross-site scripting (XSS) vulnerability exists in the sort parameter used by the authors search in system/authors, caused by insufficient input filtering. This can allow remote attackers to inject arbitrary web script or HTML. Based on the cited source...

4.3CVSS6AI score0.02355EPSS
Web
CVE
CVE
added 2010/09/17 7:0 p.m.52 views

CVE-2010-3457

CVE-2010-3457 affects Symphony CMS versions 2.0.7 and 2.1.1, with concrete XSS flaws exploitable via the fields[website] parameter in post comments and the send-email[recipient] parameter to the about/ page. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML. No exp...

4.3CVSS5.9AI score0.01528EPSS
Web
CVE
CVE
added 2017/03/27 1:55 a.m.51 views

CVE-2017-6067

Summary of CVE-2017-6067 : Symphony CMS 2.6.9 is vulnerable to a cross-site scripting (XSS) flaw in the page path publish/notes/edit/##/saved/ via the bottom form field. The issue is confirmed across multiple sources (CNVD/NVD OSV/OpenVAS) and is described as an XSS vulnerability with the affecte...

6.1CVSS5.9AI score0.00761EPSS
Web
CVE
CVE
added 2014/03/27 4:0 p.m.48 views

CVE-2013-7346

Symphony CMS vulnerable before 2.3.2 to a Cross-Site Request Forgery (CSRF) that can hijack administrator authentication to perform SQL injection via the sort parameter in system/authors/. The issue is described as allowing remote (potentially unauthenticated via CSRF) execution of arbitrary SQL ...

6.8CVSS8AI score0.00554EPSS
Web
CVE
CVE
added 2016/01/08 9:0 p.m.48 views

CVE-2015-8376

CVE-2015-8376 affects Symphony CMS 2.6.3, where multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the Name, Navigation Group, or Label parameters to blueprints/sections/edit/1. The root cause is insufficient input filtering in th...

6.1CVSS6AI score0.00948EPSS
Web
CVE
CVE
added 2017/04/11 11:0 p.m.47 views

CVE-2017-7694

Symphony CMS

8.8CVSS7.7AI score0.04433EPSS
Web
CVE
CVE
added 2017/05/10 5:14 a.m.45 views

CVE-2017-8876

CVE-2017-8876 affects Symphony CMS v2.6.11, where an XSS flaw exists in the user-controlled input of the meta[navigation_group] parameter handled by content/content.blueprintssections.php. The vulnerability enables injection of script/HTML in affected pages, consistent with cross-site scripting d...

6.1CVSS5.9AI score0.00763EPSS
Web
CVE
CVE
added 2021/10/31 6:32 p.m.44 views

CVE-2020-25912

CVE-2020-25912 describes an XXE vulnerability in Symphony 2.7.10 affecting symphony/lib/toolkit/class.xmlelement.php. The root cause is lack of disabling external entities in convertFromXMLString, enabling information disclosure or denial of service. Multiple connected sources (Veracode, CNVD, RH...

9.1CVSS8.8AI score0.01385EPSS
CVE
CVE
added 2018/06/07 8:0 p.m.41 views

CVE-2018-12043

Symphony CMS 2.7.6 is affected by a cross-site scripting (XSS) vulnerability in content/content.blueprintspages.php, via the pages content page. The root cause is lack of sanitization of the page parameter, enabling insertion of arbitrary web script/HTML. The CVE descriptions consistently identif...

6.1CVSS5.9AI score0.00822EPSS
CVE
CVE
added 2020/08/11 5:24 p.m.41 views

CVE-2020-15071

Symphony CMS 3.0.0 contains a Cross-Site Scripting (XSS) vulnerability in content/content.blueprintsevents.php where the name field used by appendSubheading is not properly sanitized, enabling injected scripts. Affected component: Symphony CMS 3.0.0; root cause: lack of input sanitization for fie...

6.1CVSS5.9AI score0.007EPSS
Web
CVE
CVE
added 2020/10/07 1:55 p.m.40 views

CVE-2020-25343

CVE-2020-25343 affects Symphony CMS 3.0.0. It describes cross-site scripting (XSS) via the fields['body'] parameter in events\event.publish_article.php, allowing a remote attacker to inject arbitrary web script or HTML. The CVE indicates impact on client-side confidentiality/integrity (via script...

5.4CVSS5.7AI score0.00708EPSS