2 matches found
CVE-2017-16881
The CVE-2017-16881 entry describes a Cross-Site Scripting (XSS) vulnerability in b3log Symphony (Sym) 2.2.0. A crafted userAvatarURL value sent to /settings/avatar can inject arbitrary scripts/HTML due to improper handling of JSON objects. The issue affects multiple components, including processo...
CVE-2017-16956
Affected product: b3log Symphony (Sym) 2.2.0. Vulnerability: Cross-site scripting in the private messaging flow, exploited by sending a private letter with a specific /article URI followed by a second private letter with a modified title to obtain a user cookie. Root cause / impact: XSS issue ena...