Vulnerabilites related to getsymphony - symphony
cve-2017-6067
Vulnerability from cvelistv5
Published
2017-03-27 01:55
Modified
2024-08-05 15:18
Severity ?
EPSS score ?
Summary
Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom form field.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.yiwang6.cn/Symphony-XSS1.docx | x_refsource_MISC | |
| http://www.securityfocus.com/bid/97101 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:18:49.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.yiwang6.cn/Symphony-XSS1.docx"
},
{
"name": "97101",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97101"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-03-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom form field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-03-28T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.yiwang6.cn/Symphony-XSS1.docx"
},
{
"name": "97101",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97101"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-6067",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom form field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.yiwang6.cn/Symphony-XSS1.docx",
"refsource": "MISC",
"url": "https://www.yiwang6.cn/Symphony-XSS1.docx"
},
{
"name": "97101",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97101"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-6067",
"datePublished": "2017-03-27T01:55:00",
"dateReserved": "2017-02-17T00:00:00",
"dateUpdated": "2024-08-05T15:18:49.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-2559
Vulnerability from cvelistv5
Published
2014-03-27 16:00
Modified
2024-08-06 15:44
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.
References
| ▼ | URL | Tags |
|---|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/83227 | vdb-entry, x_refsource_XF | |
| http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html | mailing-list, x_refsource_BUGTRAQ | |
| https://www.htbridge.com/advisory/HTB23148 | x_refsource_MISC | |
| http://www.securityfocus.com/bid/58843 | vdb-entry, x_refsource_BID | |
| https://github.com/symphonycms/symphony-2/commit/6c8aa4e9c810994f7632837487426867ce50f468 | x_refsource_CONFIRM | |
| http://www.getsymphony.com/download/releases/version/2.3.2 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:44:32.088Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "symphony-sort-sql-injection(83227)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83227"
},
{
"name": "20130403 SQL Injection Vulnerability in Symphony",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23148"
},
{
"name": "58843",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/58843"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphony-2/commit/6c8aa4e9c810994f7632837487426867ce50f468"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.getsymphony.com/download/releases/version/2.3.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-04-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "symphony-sort-sql-injection(83227)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83227"
},
{
"name": "20130403 SQL Injection Vulnerability in Symphony",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23148"
},
{
"name": "58843",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/58843"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symphonycms/symphony-2/commit/6c8aa4e9c810994f7632837487426867ce50f468"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.getsymphony.com/download/releases/version/2.3.2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-2559",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "symphony-sort-sql-injection(83227)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83227"
},
{
"name": "20130403 SQL Injection Vulnerability in Symphony",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html"
},
{
"name": "https://www.htbridge.com/advisory/HTB23148",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23148"
},
{
"name": "58843",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/58843"
},
{
"name": "https://github.com/symphonycms/symphony-2/commit/6c8aa4e9c810994f7632837487426867ce50f468",
"refsource": "CONFIRM",
"url": "https://github.com/symphonycms/symphony-2/commit/6c8aa4e9c810994f7632837487426867ce50f468"
},
{
"name": "http://www.getsymphony.com/download/releases/version/2.3.2",
"refsource": "CONFIRM",
"url": "http://www.getsymphony.com/download/releases/version/2.3.2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-2559",
"datePublished": "2014-03-27T16:00:00",
"dateReserved": "2013-03-13T00:00:00",
"dateUpdated": "2024-08-06T15:44:32.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-5542
Vulnerability from cvelistv5
Published
2017-01-20 08:39
Modified
2024-08-05 15:04
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to inject arbitrary web script or HTML via the existing-folder parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/95686 | vdb-entry, x_refsource_BID | |
| https://github.com/symphonycms/symphony-2/releases/tag/2.6.10 | x_refsource_CONFIRM | |
| https://github.com/symphonycms/symphony-2/issues/2639 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:04:15.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "95686",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95686"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2639"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-01-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to inject arbitrary web script or HTML via the existing-folder parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-23T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "95686",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95686"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2639"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5542",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to inject arbitrary web script or HTML via the existing-folder parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "95686",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95686"
},
{
"name": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10",
"refsource": "CONFIRM",
"url": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10"
},
{
"name": "https://github.com/symphonycms/symphony-2/issues/2639",
"refsource": "CONFIRM",
"url": "https://github.com/symphonycms/symphony-2/issues/2639"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5542",
"datePublished": "2017-01-20T08:39:00",
"dateReserved": "2017-01-19T00:00:00",
"dateUpdated": "2024-08-05T15:04:15.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2010-2143
Vulnerability from cvelistv5
Published
2010-06-03 14:00
Modified
2024-08-07 02:25
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in index.php in Symphony CMS 2.0.7 allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the mode parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.vupen.com/english/advisories/2010/1286 | vdb-entry, x_refsource_VUPEN | |
| http://www.exploit-db.com/exploits/12809 | exploit, x_refsource_EXPLOIT-DB | |
| http://www.securityfocus.com/bid/40441 | vdb-entry, x_refsource_BID | |
| http://packetstormsecurity.org/1005-exploits/symphony-lfi.txt | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T02:25:06.839Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ADV-2010-1286",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2010/1286"
},
{
"name": "12809",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/12809"
},
{
"name": "40441",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/40441"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/1005-exploits/symphony-lfi.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-05-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in index.php in Symphony CMS 2.0.7 allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the mode parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-27T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "ADV-2010-1286",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2010/1286"
},
{
"name": "12809",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/12809"
},
{
"name": "40441",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/40441"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/1005-exploits/symphony-lfi.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-2143",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in index.php in Symphony CMS 2.0.7 allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the mode parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "ADV-2010-1286",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2010/1286"
},
{
"name": "12809",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/12809"
},
{
"name": "40441",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/40441"
},
{
"name": "http://packetstormsecurity.org/1005-exploits/symphony-lfi.txt",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/1005-exploits/symphony-lfi.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-2143",
"datePublished": "2010-06-03T14:00:00",
"dateReserved": "2010-06-03T00:00:00",
"dateUpdated": "2024-08-07T02:25:06.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-15071
Vulnerability from cvelistv5
Published
2020-08-11 17:24
Modified
2024-08-04 13:08
Severity ?
EPSS score ?
Summary
content/content.blueprintsevents.php in Symphony CMS 3.0.0 allows XSS via fields['name'] to appendSubheading.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/symphonycms/symphonycms/issues/2917 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.748Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphonycms/issues/2917"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "content/content.blueprintsevents.php in Symphony CMS 3.0.0 allows XSS via fields[\u0027name\u0027] to appendSubheading."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-11T17:24:08",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symphonycms/symphonycms/issues/2917"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15071",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "content/content.blueprintsevents.php in Symphony CMS 3.0.0 allows XSS via fields[\u0027name\u0027] to appendSubheading."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/symphonycms/symphonycms/issues/2917",
"refsource": "MISC",
"url": "https://github.com/symphonycms/symphonycms/issues/2917"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15071",
"datePublished": "2020-08-11T17:24:08",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:21.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-7694
Vulnerability from cvelistv5
Published
2017-04-11 23:00
Modified
2024-08-05 16:12
Severity ?
EPSS score ?
Summary
Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. The attacker must be authenticated and enter PHP code in the datasource editor or event editor.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/symphonycms/symphony-2/commit/e30a18f8f09dca836e141bf126a26e565c9a2bc7 | x_refsource_MISC | |
| https://github.com/symphonycms/symphony-2/issues/2655 | x_refsource_MISC | |
| http://www.securityfocus.com/bid/97594 | vdb-entry, x_refsource_BID | |
| http://www.math1as.com/symphonycms_2.7_exec.txt | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:28.185Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphony-2/commit/e30a18f8f09dca836e141bf126a26e565c9a2bc7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2655"
},
{
"name": "97594",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97594"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.math1as.com/symphonycms_2.7_exec.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-04-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. The attacker must be authenticated and enter PHP code in the datasource editor or event editor."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-13T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symphonycms/symphony-2/commit/e30a18f8f09dca836e141bf126a26e565c9a2bc7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2655"
},
{
"name": "97594",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97594"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.math1as.com/symphonycms_2.7_exec.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7694",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. The attacker must be authenticated and enter PHP code in the datasource editor or event editor."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/symphonycms/symphony-2/commit/e30a18f8f09dca836e141bf126a26e565c9a2bc7",
"refsource": "MISC",
"url": "https://github.com/symphonycms/symphony-2/commit/e30a18f8f09dca836e141bf126a26e565c9a2bc7"
},
{
"name": "https://github.com/symphonycms/symphony-2/issues/2655",
"refsource": "MISC",
"url": "https://github.com/symphonycms/symphony-2/issues/2655"
},
{
"name": "97594",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97594"
},
{
"name": "http://www.math1as.com/symphonycms_2.7_exec.txt",
"refsource": "MISC",
"url": "http://www.math1as.com/symphonycms_2.7_exec.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7694",
"datePublished": "2017-04-11T23:00:00",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-08-05T16:12:28.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-4309
Vulnerability from cvelistv5
Published
2016-06-30 17:00
Modified
2024-08-06 00:25
Severity ?
EPSS score ?
Summary
Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.exploit-db.com/exploits/39983/ | exploit, x_refsource_EXPLOIT-DB | |
| http://www.securityfocus.com/bid/91299 | vdb-entry, x_refsource_BID | |
| http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt | x_refsource_MISC | |
| https://github.com/symphonycms/symphony-2/commit/b329a14adc40868965076a77210452e396243dcd | x_refsource_CONFIRM | |
| http://www.securityfocus.com/archive/1/538714/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://packetstormsecurity.com/files/137551/Symphony-CMS-2.6.7-Session-Fixation.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:25:14.089Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "39983",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/39983/"
},
{
"name": "91299",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/91299"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphony-2/commit/b329a14adc40868965076a77210452e396243dcd"
},
{
"name": "20160620 Symphony CMS v2.6.7 Session Fixation",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/538714/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/137551/Symphony-CMS-2.6.7-Session-Fixation.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-05-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "39983",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/39983/"
},
{
"name": "91299",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/91299"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symphonycms/symphony-2/commit/b329a14adc40868965076a77210452e396243dcd"
},
{
"name": "20160620 Symphony CMS v2.6.7 Session Fixation",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/538714/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/137551/Symphony-CMS-2.6.7-Session-Fixation.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2016-4309",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "39983",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39983/"
},
{
"name": "91299",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/91299"
},
{
"name": "http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt",
"refsource": "MISC",
"url": "http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt"
},
{
"name": "https://github.com/symphonycms/symphony-2/commit/b329a14adc40868965076a77210452e396243dcd",
"refsource": "CONFIRM",
"url": "https://github.com/symphonycms/symphony-2/commit/b329a14adc40868965076a77210452e396243dcd"
},
{
"name": "20160620 Symphony CMS v2.6.7 Session Fixation",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/538714/100/0/threaded"
},
{
"name": "http://packetstormsecurity.com/files/137551/Symphony-CMS-2.6.7-Session-Fixation.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/137551/Symphony-CMS-2.6.7-Session-Fixation.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2016-4309",
"datePublished": "2016-06-30T17:00:00",
"dateReserved": "2016-04-27T00:00:00",
"dateUpdated": "2024-08-06T00:25:14.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-25343
Vulnerability from cvelistv5
Published
2020-10-07 13:55
Modified
2024-08-04 15:33
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields['body'] param via events\event.publish_article.php
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.exploit-db.com/exploits/48773 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:33:05.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/48773"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields[\u0027body\u0027] param via events\\event.publish_article.php"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-07T13:55:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.exploit-db.com/exploits/48773"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-25343",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields[\u0027body\u0027] param via events\\event.publish_article.php"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.exploit-db.com/exploits/48773",
"refsource": "MISC",
"url": "https://www.exploit-db.com/exploits/48773"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-25343",
"datePublished": "2020-10-07T13:55:32",
"dateReserved": "2020-09-14T00:00:00",
"dateUpdated": "2024-08-04T15:33:05.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2010-3457
Vulnerability from cvelistv5
Published
2010-09-17 19:00
Modified
2024-08-07 03:11
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.0.7 and 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) fields[website] parameter in the post comments feature in articles/a-primer-to-symphony-2s-default-theme/ or (2) send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/43180 | vdb-entry, x_refsource_BID | |
| http://secunia.com/advisories/41379 | third-party-advisory, x_refsource_SECUNIA | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/61750 | vdb-entry, x_refsource_XF | |
| http://www.exploit-db.com/exploits/14968 | exploit, x_refsource_EXPLOIT-DB | |
| http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:11:43.749Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "43180",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/43180"
},
{
"name": "41379",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/41379"
},
{
"name": "symphony-fieldswebsite-xss(61750)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61750"
},
{
"name": "14968",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/14968"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-09-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.0.7 and 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) fields[website] parameter in the post comments feature in articles/a-primer-to-symphony-2s-default-theme/ or (2) send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "43180",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/43180"
},
{
"name": "41379",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/41379"
},
{
"name": "symphony-fieldswebsite-xss(61750)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61750"
},
{
"name": "14968",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/14968"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-3457",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.0.7 and 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) fields[website] parameter in the post comments feature in articles/a-primer-to-symphony-2s-default-theme/ or (2) send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "43180",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/43180"
},
{
"name": "41379",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/41379"
},
{
"name": "symphony-fieldswebsite-xss(61750)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61750"
},
{
"name": "14968",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/14968"
},
{
"name": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-3457",
"datePublished": "2010-09-17T19:00:00",
"dateReserved": "2010-09-17T00:00:00",
"dateUpdated": "2024-08-07T03:11:43.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-8876
Vulnerability from cvelistv5
Published
2017-05-10 05:14
Modified
2024-08-05 16:48
Severity ?
EPSS score ?
Summary
Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to content/content.blueprintssections.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/DeuxHuitHuit/symphony-2/commit/cd69a2a516e6503c1a1c7e097ee90d255ec3d6b7 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:48:22.865Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/DeuxHuitHuit/symphony-2/commit/cd69a2a516e6503c1a1c7e097ee90d255ec3d6b7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-05-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to content/content.blueprintssections.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-10T05:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DeuxHuitHuit/symphony-2/commit/cd69a2a516e6503c1a1c7e097ee90d255ec3d6b7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-8876",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to content/content.blueprintssections.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/DeuxHuitHuit/symphony-2/commit/cd69a2a516e6503c1a1c7e097ee90d255ec3d6b7",
"refsource": "MISC",
"url": "https://github.com/DeuxHuitHuit/symphony-2/commit/cd69a2a516e6503c1a1c7e097ee90d255ec3d6b7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-8876",
"datePublished": "2017-05-10T05:14:00",
"dateReserved": "2017-05-09T00:00:00",
"dateUpdated": "2024-08-05T16:48:22.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-25912
Vulnerability from cvelistv5
Published
2021-10-31 18:32
Modified
2024-08-04 15:49
Severity ?
EPSS score ?
Summary
A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS).
References
| ▼ | URL | Tags |
|---|---|---|
| http://symphony.com | x_refsource_MISC | |
| https://github.com/symphonycms/symphonycms/issues/2924 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:06.755Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://symphony.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphonycms/issues/2924"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A XML External Entity (XXE) vulnerability was discovered in symphony\\lib\\toolkit\\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-31T18:32:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://symphony.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symphonycms/symphonycms/issues/2924"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-25912",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A XML External Entity (XXE) vulnerability was discovered in symphony\\lib\\toolkit\\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://symphony.com",
"refsource": "MISC",
"url": "http://symphony.com"
},
{
"name": "https://github.com/symphonycms/symphonycms/issues/2924",
"refsource": "MISC",
"url": "https://github.com/symphonycms/symphonycms/issues/2924"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-25912",
"datePublished": "2021-10-31T18:32:50",
"dateReserved": "2020-09-24T00:00:00",
"dateUpdated": "2024-08-04T15:49:06.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-5541
Vulnerability from cvelistv5
Published
2017-01-20 08:39
Modified
2024-08-05 15:04
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to rename arbitrary files via a .. (dot dot) in the existing-folder and new-folder parameters.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/symphonycms/symphony-2/releases/tag/2.6.10 | x_refsource_CONFIRM | |
| https://github.com/symphonycms/symphony-2/issues/2639 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/95689 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:04:15.355Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2639"
},
{
"name": "95689",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95689"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-01-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to rename arbitrary files via a .. (dot dot) in the existing-folder and new-folder parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-23T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2639"
},
{
"name": "95689",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95689"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5541",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to rename arbitrary files via a .. (dot dot) in the existing-folder and new-folder parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10",
"refsource": "CONFIRM",
"url": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10"
},
{
"name": "https://github.com/symphonycms/symphony-2/issues/2639",
"refsource": "CONFIRM",
"url": "https://github.com/symphonycms/symphony-2/issues/2639"
},
{
"name": "95689",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95689"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5541",
"datePublished": "2017-01-20T08:39:00",
"dateReserved": "2017-01-19T00:00:00",
"dateUpdated": "2024-08-05T15:04:15.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-12043
Vulnerability from cvelistv5
Published
2018-06-07 20:00
Modified
2024-09-17 03:14
Severity ?
EPSS score ?
Summary
content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/symphonycms/symphony-2/commit/1ace6b31867cc83267b3550686271c9c65ac3ec0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:24:03.611Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphony-2/commit/1ace6b31867cc83267b3550686271c9c65ac3ec0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-07T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symphonycms/symphony-2/commit/1ace6b31867cc83267b3550686271c9c65ac3ec0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-12043",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/symphonycms/symphony-2/commit/1ace6b31867cc83267b3550686271c9c65ac3ec0",
"refsource": "MISC",
"url": "https://github.com/symphonycms/symphony-2/commit/1ace6b31867cc83267b3550686271c9c65ac3ec0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-12043",
"datePublished": "2018-06-07T20:00:00Z",
"dateReserved": "2018-06-07T00:00:00Z",
"dateUpdated": "2024-09-17T03:14:09.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-8376
Vulnerability from cvelistv5
Published
2016-01-08 21:00
Modified
2024-08-06 08:13
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Navigation Group, or (3) Label parameter to blueprints/sections/edit/1.
References
| ▼ | URL | Tags |
|---|---|---|
| http://seclists.org/fulldisclosure/2015/Dec/101 | mailing-list, x_refsource_FULLDISC | |
| http://seclists.org/fulldisclosure/2015/Dec/7 | mailing-list, x_refsource_FULLDISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:13:32.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20151223 Re: [FD] Symfony CMS 2.6.3 \u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009c Multiple Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/101"
},
{
"name": "20151209 Symfony CMS 2.6.3 \u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009c Multiple Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Navigation Group, or (3) Label parameter to blueprints/sections/edit/1."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-01-08T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20151223 Re: [FD] Symfony CMS 2.6.3 \u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009c Multiple Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/101"
},
{
"name": "20151209 Symfony CMS 2.6.3 \u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009c Multiple Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8376",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Navigation Group, or (3) Label parameter to blueprints/sections/edit/1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20151223 Re: [FD] Symfony CMS 2.6.3 \u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009c Multiple Cross-Site Scripting Vulnerability",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Dec/101"
},
{
"name": "20151209 Symfony CMS 2.6.3 \u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009c Multiple Cross-Site Scripting Vulnerability",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Dec/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8376",
"datePublished": "2016-01-08T21:00:00",
"dateReserved": "2015-11-29T00:00:00",
"dateUpdated": "2024-08-06T08:13:32.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-8766
Vulnerability from cvelistv5
Published
2016-01-08 21:00
Modified
2024-08-06 08:29
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_whitelist] parameters to system/preferences.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.getsymphony.com/download/releases/version/2.6.4/ | x_refsource_CONFIRM | |
| https://github.com/symphonycms/symphony-2/commit/651e150091c61fb60ad1dff2bc2166185a83d9d6 | x_refsource_CONFIRM | |
| http://seclists.org/fulldisclosure/2015/Dec/60 | mailing-list, x_refsource_FULLDISC | |
| https://cybersecurityworks.com/zerodays/cve-2015-8766-getsymphoney.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:29:22.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.getsymphony.com/download/releases/version/2.6.4/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/symphonycms/symphony-2/commit/651e150091c61fb60ad1dff2bc2166185a83d9d6"
},
{
"name": "20151213 Symphony 2.6.3 \u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009c Multiple Persistent Cross-Site Scripting Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/60"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2015-8766-getsymphoney.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_whitelist] parameters to system/preferences."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-29T21:24:49",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.getsymphony.com/download/releases/version/2.6.4/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symphonycms/symphony-2/commit/651e150091c61fb60ad1dff2bc2166185a83d9d6"
},
{
"name": "20151213 Symphony 2.6.3 \u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009c Multiple Persistent Cross-Site Scripting Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/60"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2015-8766-getsymphoney.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8766",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_whitelist] parameters to system/preferences."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.getsymphony.com/download/releases/version/2.6.4/",
"refsource": "CONFIRM",
"url": "http://www.getsymphony.com/download/releases/version/2.6.4/"
},
{
"name": "https://github.com/symphonycms/symphony-2/commit/651e150091c61fb60ad1dff2bc2166185a83d9d6",
"refsource": "CONFIRM",
"url": "https://github.com/symphonycms/symphony-2/commit/651e150091c61fb60ad1dff2bc2166185a83d9d6"
},
{
"name": "20151213 Symphony 2.6.3 \u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009c Multiple Persistent Cross-Site Scripting Vulnerabilities",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Dec/60"
},
{
"name": "https://cybersecurityworks.com/zerodays/cve-2015-8766-getsymphoney.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2015-8766-getsymphoney.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8766",
"datePublished": "2016-01-08T21:00:00",
"dateReserved": "2016-01-08T00:00:00",
"dateUpdated": "2024-08-06T08:29:22.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-7346
Vulnerability from cvelistv5
Published
2014-03-27 16:00
Modified
2024-09-17 04:24
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the sort parameter to system/authors/, related to CVE-2013-2559.
References
| ▼ | URL | Tags |
|---|---|---|
| http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html | mailing-list, x_refsource_BUGTRAQ | |
| https://www.htbridge.com/advisory/HTB23148 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:01:20.352Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20130403 SQL Injection Vulnerability in Symphony",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23148"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the sort parameter to system/authors/, related to CVE-2013-2559."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-03-27T16:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20130403 SQL Injection Vulnerability in Symphony",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23148"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7346",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the sort parameter to system/authors/, related to CVE-2013-2559."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20130403 SQL Injection Vulnerability in Symphony",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html"
},
{
"name": "https://www.htbridge.com/advisory/HTB23148",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23148"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-7346",
"datePublished": "2014-03-27T16:00:00Z",
"dateReserved": "2014-03-27T00:00:00Z",
"dateUpdated": "2024-09-17T04:24:38.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-4661
Vulnerability from cvelistv5
Published
2015-06-18 18:00
Modified
2024-08-06 06:18
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the sort parameter to system/authors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/535714/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt | x_refsource_MISC | |
| http://packetstormsecurity.com/files/132193/Symphony-CMS-2.6.2-Cross-Site-Scripting.html | x_refsource_MISC | |
| http://www.securityfocus.com/bid/75059 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:18:12.218Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20150609 Symphony CMS XSS Vulnerability [Corrected Post]",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/535714/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/132193/Symphony-CMS-2.6.2-Cross-Site-Scripting.html"
},
{
"name": "75059",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/75059"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the sort parameter to system/authors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20150609 Symphony CMS XSS Vulnerability [Corrected Post]",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/535714/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/132193/Symphony-CMS-2.6.2-Cross-Site-Scripting.html"
},
{
"name": "75059",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/75059"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4661",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the sort parameter to system/authors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20150609 Symphony CMS XSS Vulnerability [Corrected Post]",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/535714/100/0/threaded"
},
{
"name": "http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt",
"refsource": "MISC",
"url": "http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt"
},
{
"name": "http://packetstormsecurity.com/files/132193/Symphony-CMS-2.6.2-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/132193/Symphony-CMS-2.6.2-Cross-Site-Scripting.html"
},
{
"name": "75059",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/75059"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-4661",
"datePublished": "2015-06-18T18:00:00",
"dateReserved": "2015-06-18T00:00:00",
"dateUpdated": "2024-08-06T06:18:12.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2010-3458
Vulnerability from cvelistv5
Published
2010-09-17 19:00
Modified
2024-08-07 03:11
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in lib/toolkit/events/event.section.php in Symphony CMS 2.0.7 and 2.1.1 allows remote attackers to execute arbitrary SQL commands via the send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/43180 | vdb-entry, x_refsource_BID | |
| http://secunia.com/advisories/41379 | third-party-advisory, x_refsource_SECUNIA | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/61749 | vdb-entry, x_refsource_XF | |
| http://www.exploit-db.com/exploits/14968 | exploit, x_refsource_EXPLOIT-DB | |
| http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:11:44.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "43180",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/43180"
},
{
"name": "41379",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/41379"
},
{
"name": "symphony-sendemail-sql-injection(61749)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61749"
},
{
"name": "14968",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/14968"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-09-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in lib/toolkit/events/event.section.php in Symphony CMS 2.0.7 and 2.1.1 allows remote attackers to execute arbitrary SQL commands via the send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "43180",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/43180"
},
{
"name": "41379",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/41379"
},
{
"name": "symphony-sendemail-sql-injection(61749)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61749"
},
{
"name": "14968",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/14968"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-3458",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in lib/toolkit/events/event.section.php in Symphony CMS 2.0.7 and 2.1.1 allows remote attackers to execute arbitrary SQL commands via the send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "43180",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/43180"
},
{
"name": "41379",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/41379"
},
{
"name": "symphony-sendemail-sql-injection(61749)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61749"
},
{
"name": "14968",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/14968"
},
{
"name": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-3458",
"datePublished": "2010-09-17T19:00:00",
"dateReserved": "2010-09-17T00:00:00",
"dateUpdated": "2024-08-07T03:11:44.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2010-09-17 20:00
Modified
2024-11-21 01:18
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.0.7 and 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) fields[website] parameter in the post comments feature in articles/a-primer-to-symphony-2s-default-theme/ or (2) send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 2.0.7 | |
| getsymphony | symphony | 2.1.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "394B8CA2-4C11-4C2C-8BFE-C2BADA341502",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C922F66F-8E3D-404C-95B7-C57DA8DDC162",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.0.7 and 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) fields[website] parameter in the post comments feature in articles/a-primer-to-symphony-2s-default-theme/ or (2) send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en Symphony CMS v2.0.7 y v2.1.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro (1) fields[website] en la caracter\u00edstica de envio de comentarios en articles/a-primer-to-symphony-2s-default-theme/ o (2) par\u00e1metro send-email[recipient] a about/. NOTA: algunos de estos detalles han sido obtenidos de informaci\u00f3n de terceros."
}
],
"id": "CVE-2010-3457",
"lastModified": "2024-11-21T01:18:46.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2010-09-17T20:00:02.213",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/41379"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/14968"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/43180"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61750"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/41379"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/14968"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/43180"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61750"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-01-08 21:59
Modified
2024-11-21 02:38
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Navigation Group, or (3) Label parameter to blueprints/sections/edit/1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 2.6.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "24024228-1BAF-4E48-BA13-B355D36BC984",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Navigation Group, or (3) Label parameter to blueprints/sections/edit/1."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de XSS en Symphony CMS 2.6.3 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro (1) Name, (2) Navigation Group o (3) Label en blueprints/sections/edit/1."
}
],
"id": "CVE-2015-8376",
"lastModified": "2024-11-21T02:38:24.213",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-01-08T21:59:05.013",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/101"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/101"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/7"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-09-17 20:00
Modified
2024-11-21 01:18
Severity ?
Summary
SQL injection vulnerability in lib/toolkit/events/event.section.php in Symphony CMS 2.0.7 and 2.1.1 allows remote attackers to execute arbitrary SQL commands via the send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 2.0.7 | |
| getsymphony | symphony | 2.1.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "394B8CA2-4C11-4C2C-8BFE-C2BADA341502",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C922F66F-8E3D-404C-95B7-C57DA8DDC162",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in lib/toolkit/events/event.section.php in Symphony CMS 2.0.7 and 2.1.1 allows remote attackers to execute arbitrary SQL commands via the send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en lib/toolkit/events/event.section.php en la Symphony CMS v2.0.7 y v2.1.1 permite a atacantes remotos ejecutar comandos SQL a trav\u00e9s del par\u00e1metro send-email[recipient] a about/. NOTA: algunos de estos detalles han sido obtenidos de informaci\u00f3n de terceros."
}
],
"id": "CVE-2010-3458",
"lastModified": "2024-11-21T01:18:47.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-09-17T20:00:02.260",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/41379"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/14968"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/43180"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61749"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/1009-exploits/symphony-sqlxss.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/41379"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/14968"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/43180"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61749"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-06-03 14:30
Modified
2024-11-21 01:16
Severity ?
Summary
Directory traversal vulnerability in index.php in Symphony CMS 2.0.7 allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the mode parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 2.0.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "394B8CA2-4C11-4C2C-8BFE-C2BADA341502",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in index.php in Symphony CMS 2.0.7 allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the mode parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en index.php de Symphony CMS v2.0.7 que permite a atacantes remotos leer ficheros aleatorios pudiento tener otros impactos, al utilizar caracteres .. (punto punto) en el par\u00e1metro mode."
}
],
"id": "CVE-2010-2143",
"lastModified": "2024-11-21T01:16:00.467",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-06-03T14:30:01.663",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/1005-exploits/symphony-lfi.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/12809"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/40441"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/1286"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/1005-exploits/symphony-lfi.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/12809"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/40441"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/1286"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-06-07 20:29
Modified
2024-11-21 03:44
Severity ?
Summary
content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/symphonycms/symphony-2/commit/1ace6b31867cc83267b3550686271c9c65ac3ec0 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/symphonycms/symphony-2/commit/1ace6b31867cc83267b3550686271c9c65ac3ec0 | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 2.7.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B2D7D3E9-265F-4F2C-8CF3-2AFD22525048",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page."
},
{
"lang": "es",
"value": "content/content.blueprintspages.php en Symphony 2.7.6 tiene Cross-Site Scripting (XSS) mediante la p\u00e1gina de contenido de p\u00e1ginas."
}
],
"id": "CVE-2018-12043",
"lastModified": "2024-11-21T03:44:28.973",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-06-07T20:29:00.323",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/symphonycms/symphony-2/commit/1ace6b31867cc83267b3550686271c9c65ac3ec0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/symphonycms/symphony-2/commit/1ace6b31867cc83267b3550686271c9c65ac3ec0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-11 23:59
Modified
2024-11-21 03:32
Severity ?
Summary
Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. The attacker must be authenticated and enter PHP code in the datasource editor or event editor.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.math1as.com/symphonycms_2.7_exec.txt | Exploit, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/97594 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/symphonycms/symphony-2/commit/e30a18f8f09dca836e141bf126a26e565c9a2bc7 | Patch | |
| cve@mitre.org | https://github.com/symphonycms/symphony-2/issues/2655 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.math1as.com/symphonycms_2.7_exec.txt | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97594 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/symphonycms/symphony-2/commit/e30a18f8f09dca836e141bf126a26e565c9a2bc7 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/symphonycms/symphony-2/issues/2655 | Issue Tracking, Patch |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAFE4994-A060-4853-8E49-2E8F20A5EF41",
"versionEndIncluding": "2.6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. The attacker must be authenticated and enter PHP code in the datasource editor or event editor."
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en symphony/content/content.blueprintsdatasources.php en Symphony CMS hasta la versi\u00f3n 2.6.11 permite a atacantes remotos ejecutar c\u00f3digo y obtener una webshell desde el back-end. El atacante debe estar autenticado e ingresar c\u00f3digo PHP en el editor de datasource o editor de eventos."
}
],
"id": "CVE-2017-7694",
"lastModified": "2024-11-21T03:32:28.830",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-11T23:59:00.203",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://www.math1as.com/symphonycms_2.7_exec.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97594"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/symphonycms/symphony-2/commit/e30a18f8f09dca836e141bf126a26e565c9a2bc7"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2655"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://www.math1as.com/symphonycms_2.7_exec.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97594"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/symphonycms/symphony-2/commit/e30a18f8f09dca836e141bf126a26e565c9a2bc7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2655"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-31 19:15
Modified
2024-11-21 05:18
Severity ?
Summary
A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://symphony.com | Product | |
| cve@mitre.org | https://github.com/symphonycms/symphonycms/issues/2924 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://symphony.com | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/symphonycms/symphonycms/issues/2924 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 2.7.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.7.10:*:*:*:*:*:*:*",
"matchCriteriaId": "19FE5DB3-D579-431F-A470-4B9BDDD7BB21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A XML External Entity (XXE) vulnerability was discovered in symphony\\lib\\toolkit\\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS)."
},
{
"lang": "es",
"value": "Se detect\u00f3 una vulnerabilidad de entidad externa XML (XXE) en el archivo symphony\\lib\\toolkit\\class.xmlelement.php en Symphony versi\u00f3n 2.7.10, que puede conllevar a una divulgaci\u00f3n de informaci\u00f3n o denegaci\u00f3n de servicio (DOS)"
}
],
"id": "CVE-2020-25912",
"lastModified": "2024-11-21T05:18:59.407",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-31T19:15:09.857",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://symphony.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/symphonycms/symphonycms/issues/2924"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "http://symphony.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/symphonycms/symphonycms/issues/2924"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-20 08:59
Modified
2024-11-21 03:27
Severity ?
Summary
Directory traversal vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to rename arbitrary files via a .. (dot dot) in the existing-folder and new-folder parameters.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/95689 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/symphonycms/symphony-2/issues/2639 | VDB Entry | |
| cve@mitre.org | https://github.com/symphonycms/symphony-2/releases/tag/2.6.10 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95689 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/symphonycms/symphony-2/issues/2639 | VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/symphonycms/symphony-2/releases/tag/2.6.10 | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0A93B3B7-30C5-42C4-A298-AD37FE96F010",
"versionEndIncluding": "2.6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to rename arbitrary files via a .. (dot dot) in the existing-folder and new-folder parameters."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en template/usererror.missing_extension.php en Symphony CMS en versiones anteriores a 2.6.10 permite a atacantes remotos renombrar archivos arbitrarios a trav\u00e9s de un .. (dot dot) en los par\u00e1metros de carpeta existente y nueva carpeta."
}
],
"id": "CVE-2017-5541",
"lastModified": "2024-11-21T03:27:51.073",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-20T08:59:00.470",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95689"
},
{
"source": "cve@mitre.org",
"tags": [
"VDB Entry"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2639"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95689"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"VDB Entry"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2639"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-11 18:15
Modified
2024-11-21 05:04
Severity ?
Summary
content/content.blueprintsevents.php in Symphony CMS 3.0.0 allows XSS via fields['name'] to appendSubheading.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/symphonycms/symphonycms/issues/2917 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/symphonycms/symphonycms/issues/2917 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 3.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8AE817F8-2BFA-44BD-ABB1-5F011285A168",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "content/content.blueprintsevents.php in Symphony CMS 3.0.0 allows XSS via fields[\u0027name\u0027] to appendSubheading."
},
{
"lang": "es",
"value": "El archivo content/content.blueprintsevents.php en Symphony CMS versi\u00f3n 3.0.0, permite un ataque de tipo XSS por medio de fields[\u0027name\u0027] en appendSubheading"
}
],
"id": "CVE-2020-15071",
"lastModified": "2024-11-21T05:04:44.923",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-11T18:15:13.020",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/symphonycms/symphonycms/issues/2917"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/symphonycms/symphonycms/issues/2917"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-06-18 18:59
Modified
2024-11-21 02:31
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the sort parameter to system/authors.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt | Exploit, Third Party Advisory | |
| cve@mitre.org | http://packetstormsecurity.com/files/132193/Symphony-CMS-2.6.2-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securityfocus.com/archive/1/535714/100/0/threaded | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securityfocus.com/bid/75059 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/132193/Symphony-CMS-2.6.2-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/535714/100/0/threaded | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/75059 | Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0C3E5B96-3840-42C5-BE7A-89B4965C9D97",
"versionEndIncluding": "2.6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the sort parameter to system/authors."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en Symphony CMS 2.6.2 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s del par\u00e1metro sort en system/authors."
}
],
"id": "CVE-2015-4661",
"lastModified": "2024-11-21T02:31:30.533",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-06-18T18:59:13.583",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/132193/Symphony-CMS-2.6.2-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/535714/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/75059"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/132193/Symphony-CMS-2.6.2-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/535714/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/75059"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-07 14:15
Modified
2024-11-21 05:17
Severity ?
Summary
Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields['body'] param via events\event.publish_article.php
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.exploit-db.com/exploits/48773 | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/48773 | Exploit, Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 3.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8AE817F8-2BFA-44BD-ABB1-5F011285A168",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields[\u0027body\u0027] param via events\\event.publish_article.php"
},
{
"lang": "es",
"value": "Unas vulnerabilidades de tipo cross-site scripting (XSS) en Symphony CMS versi\u00f3n 3.0.0, permite a atacantes remotos inyectar c\u00f3digo web o HTML arbitrario en el par\u00e1metro fields[\"body\"] por medio del archivo events\\event.publish_article.php"
}
],
"id": "CVE-2020-25343",
"lastModified": "2024-11-21T05:17:53.177",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-07T14:15:11.920",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/48773"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/48773"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-03-27 16:55
Modified
2024-11-21 02:00
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the sort parameter to system/authors/, related to CVE-2013-2559.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | * | |
| getsymphony | symphony | 2.0 | |
| getsymphony | symphony | 2.0.3 | |
| getsymphony | symphony | 2.0.4 | |
| getsymphony | symphony | 2.0.5 | |
| getsymphony | symphony | 2.0.6 | |
| getsymphony | symphony | 2.0.7 | |
| getsymphony | symphony | 2.1.0 | |
| getsymphony | symphony | 2.1.1 | |
| getsymphony | symphony | 2.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C440112-0B21-4832-A89C-1A343B627039",
"versionEndIncluding": "2.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "254956B4-E86A-429C-A8E6-0ABA833A9DB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "13379528-0C53-474F-B2E7-D5650C7F5F3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8865CA96-3DF6-4499-8CEC-59977CC86FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "570A8AE5-E4A6-4400-982C-F725D15E35ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "EB2D9ACA-2A2A-4169-A8AC-ED259921E24B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "394B8CA2-4C11-4C2C-8BFE-C2BADA341502",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C9D49697-497A-44EC-892B-DB8C5545AFE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C922F66F-8E3D-404C-95B7-C57DA8DDC162",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DF41854C-206A-4BCF-B6FD-55253E3BC0AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the sort parameter to system/authors/, related to CVE-2013-2559."
},
{
"lang": "es",
"value": "Vulnerabilidad de CSRF en Symphony CMS anterior a 2.3.2 permite a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para solicitudes que realizan ataques de inyecci\u00f3n SQL a trav\u00e9s del par\u00e1metro sort hacia system/authors/, relacionado con CVE-2013-2559."
}
],
"id": "CVE-2013-7346",
"lastModified": "2024-11-21T02:00:48.047",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-03-27T16:55:05.613",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23148"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23148"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-05-10 05:29
Modified
2024-11-21 03:34
Severity ?
Summary
Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to content/content.blueprintssections.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/DeuxHuitHuit/symphony-2/commit/cd69a2a516e6503c1a1c7e097ee90d255ec3d6b7 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/DeuxHuitHuit/symphony-2/commit/cd69a2a516e6503c1a1c7e097ee90d255ec3d6b7 | Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 2.6.11 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.6.11:*:*:*:*:*:*:*",
"matchCriteriaId": "89A66A3F-7AE2-4C5C-A94F-80F056835B61",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to content/content.blueprintssections.php."
},
{
"lang": "es",
"value": "Symphony 2 2.6.11 tiene XSS en el par\u00e1metro meta [navigation_group] a content/content.blueprintssections.php."
}
],
"id": "CVE-2017-8876",
"lastModified": "2024-11-21T03:34:54.210",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-10T05:29:00.410",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/DeuxHuitHuit/symphony-2/commit/cd69a2a516e6503c1a1c7e097ee90d255ec3d6b7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/DeuxHuitHuit/symphony-2/commit/cd69a2a516e6503c1a1c7e097ee90d255ec3d6b7"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-06-30 17:59
Modified
2024-11-21 02:51
Severity ?
Summary
Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 2.6.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5419CF4B-3C1B-4A9D-9201-BAF80999C3BB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en Symphony CMS 2.6.7, cuando session.use_only_cookies est\u00e1 deshabilitado, permite a atacantes remotos secuestrar sesiones web a trav\u00e9s del par\u00e1metro PHPSESSID."
}
],
"evaluatorComment": "\u003ca href=\"http://cwe.mitre.org/data/definitions/384.html\"\u003eCWE-384: Session Fixation\u003c/a\u003e",
"id": "CVE-2016-4309",
"lastModified": "2024-11-21T02:51:50.560",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.6,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-06-30T17:59:02.813",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory"
],
"url": "http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt"
},
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/137551/Symphony-CMS-2.6.7-Session-Fixation.html"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/538714/100/0/threaded"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/91299"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/symphonycms/symphony-2/commit/b329a14adc40868965076a77210452e396243dcd"
},
{
"source": "cret@cert.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/39983/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/137551/Symphony-CMS-2.6.7-Session-Fixation.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/archive/1/538714/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/91299"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/symphonycms/symphony-2/commit/b329a14adc40868965076a77210452e396243dcd"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/39983/"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
},
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-01-08 21:59
Modified
2024-11-21 02:39
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_whitelist] parameters to system/preferences.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C7F8ADDA-D69F-4A34-893A-C67C89957AF2",
"versionEndIncluding": "2.6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_whitelist] parameters to system/preferences."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de XSS en content/content.systempreferences.php en Symphony CMS en versiones anteriores a 2.6.4 permiten permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de los par\u00e1metros (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites] o (8) maintenance_mode[ip_whitelist] en system/preferences."
}
],
"id": "CVE-2015-8766",
"lastModified": "2024-11-21T02:39:08.333",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-01-08T21:59:05.997",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/60"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.getsymphony.com/download/releases/version/2.6.4/"
},
{
"source": "cve@mitre.org",
"url": "https://cybersecurityworks.com/zerodays/cve-2015-8766-getsymphoney.html"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/symphonycms/symphony-2/commit/651e150091c61fb60ad1dff2bc2166185a83d9d6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Dec/60"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.getsymphony.com/download/releases/version/2.6.4/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cybersecurityworks.com/zerodays/cve-2015-8766-getsymphoney.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/symphonycms/symphony-2/commit/651e150091c61fb60ad1dff2bc2166185a83d9d6"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-03-27 02:59
Modified
2024-11-21 03:29
Severity ?
Summary
Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom form field.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/97101 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://www.yiwang6.cn/Symphony-XSS1.docx | Broken Link, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97101 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.yiwang6.cn/Symphony-XSS1.docx | Broken Link, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | 2.6.9 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.6.9:*:*:*:*:*:*:*",
"matchCriteriaId": "11AA0090-87F7-4344-A362-E5B9F4D6E63C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom form field."
},
{
"lang": "es",
"value": "Symphony 2.6.9 tiene XSS en publish/notes/edit/##/saved/ a trav\u00e9s del campo de formulario inferior."
}
],
"id": "CVE-2017-6067",
"lastModified": "2024-11-21T03:29:01.557",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-03-27T02:59:00.347",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97101"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "https://www.yiwang6.cn/Symphony-XSS1.docx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97101"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "https://www.yiwang6.cn/Symphony-XSS1.docx"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-03-27 16:55
Modified
2024-11-21 01:51
Severity ?
Summary
SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | * | |
| getsymphony | symphony | 2.0 | |
| getsymphony | symphony | 2.0.3 | |
| getsymphony | symphony | 2.0.4 | |
| getsymphony | symphony | 2.0.5 | |
| getsymphony | symphony | 2.0.6 | |
| getsymphony | symphony | 2.0.7 | |
| getsymphony | symphony | 2.1.0 | |
| getsymphony | symphony | 2.1.1 | |
| getsymphony | symphony | 2.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C440112-0B21-4832-A89C-1A343B627039",
"versionEndIncluding": "2.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "254956B4-E86A-429C-A8E6-0ABA833A9DB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "13379528-0C53-474F-B2E7-D5650C7F5F3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8865CA96-3DF6-4499-8CEC-59977CC86FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "570A8AE5-E4A6-4400-982C-F725D15E35ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "EB2D9ACA-2A2A-4169-A8AC-ED259921E24B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "394B8CA2-4C11-4C2C-8BFE-C2BADA341502",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C9D49697-497A-44EC-892B-DB8C5545AFE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C922F66F-8E3D-404C-95B7-C57DA8DDC162",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getsymphony:symphony:2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DF41854C-206A-4BCF-B6FD-55253E3BC0AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en Symphony CMS anterior a 2.3.2 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro sort hacia system/authors/. NOTA: esto puede ser aprovechado mediante el uso de CSRF para permitir a atacantes remotos no autenticados ejecutar comandos SQL arbitrarios."
}
],
"id": "CVE-2013-2559",
"lastModified": "2024-11-21T01:51:56.643",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-03-27T16:55:05.537",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.getsymphony.com/download/releases/version/2.3.2"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/58843"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83227"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/symphonycms/symphony-2/commit/6c8aa4e9c810994f7632837487426867ce50f468"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23148"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-04/0018.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.getsymphony.com/download/releases/version/2.3.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/58843"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83227"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/symphonycms/symphony-2/commit/6c8aa4e9c810994f7632837487426867ce50f468"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23148"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-20 08:59
Modified
2024-11-21 03:27
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to inject arbitrary web script or HTML via the existing-folder parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/95686 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/symphonycms/symphony-2/issues/2639 | Vendor Advisory | |
| cve@mitre.org | https://github.com/symphonycms/symphony-2/releases/tag/2.6.10 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95686 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/symphonycms/symphony-2/issues/2639 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/symphonycms/symphony-2/releases/tag/2.6.10 | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getsymphony | symphony | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getsymphony:symphony:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0A93B3B7-30C5-42C4-A298-AD37FE96F010",
"versionEndIncluding": "2.6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to inject arbitrary web script or HTML via the existing-folder parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en template/usererror.missing_extension.php en Symphony CMS en versiones anteriores a 2.6.10 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro de carpeta existente."
}
],
"id": "CVE-2017-5542",
"lastModified": "2024-11-21T03:27:51.217",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-20T08:59:00.517",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95686"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2639"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95686"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/symphonycms/symphony-2/issues/2639"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/symphonycms/symphony-2/releases/tag/2.6.10"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}