Skip to main content

Symphony

23 CVEs product

Monthly

CVE-2024-23049 CRITICAL POC Act Now

An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection Symphony
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2020-25912 CRITICAL POC Act Now

A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure XXE Denial Of Service PHP Symphony
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
1.4%
CVE-2020-25343 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields['body'] param via events\event.publish_article.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Symphony
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-17405 HIGH This Week

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Senstar Symphony 7.3.2.2. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Symphony
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2020-15071 MEDIUM POC This Month

content/content.blueprintsevents.php in Symphony CMS 3.0.0 allows XSS via fields['name'] to appendSubheading. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Symphony
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2019-17488 MEDIUM POC This Month

b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Symphony
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2019-9142 Maven MEDIUM PATCH This Month

An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Symphony
NVD GitHub
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-12043 MEDIUM PATCH This Month

content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Symphony
NVD GitHub
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-10469 CRITICAL POC Act Now

b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Symphony
NVD GitHub
CVSS 3.0
9.8
EPSS
2.2%
CVE-2017-16956 MEDIUM POC This Month

b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Symphony
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-16881 MEDIUM POC This Month

b3log Symphony (aka Sym) 2.2.0 does not properly address XSS in JSON objects, as demonstrated by a crafted userAvatarURL value to /settings/avatar, related to processor/AdminProcessor.java,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Symphony
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-16821 MEDIUM POC This Month

b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Java Symphony
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2017-8876 MEDIUM PATCH This Month

Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to content/content.blueprintssections.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Symphony
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2017-7694 HIGH POC PATCH This Week

Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection PHP Symphony
NVD GitHub
CVSS 3.0
8.8
EPSS
5.4%
CVE-2017-6067 MEDIUM This Month

Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom form field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Symphony
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-5542 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Symphony
NVD GitHub VulDB
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-5541 MEDIUM This Month

Directory traversal vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to rename arbitrary files via a .. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal PHP Symphony
NVD GitHub VulDB
CVSS 3.0
5.3
EPSS
1.3%
CVE-2016-4309 HIGH POC THREAT Act Now

Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 19.1%.

Race Condition Information Disclosure Symphony
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
19.1%
CVE-2015-8766 PHP MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Symphony
NVD GitHub
CVSS 3.0
6.1
EPSS
0.3%
CVE-2015-8376 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Navigation Group, or (3) Label parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Symphony
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2015-4661 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the sort parameter to system/authors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Symphony
NVD
CVSS 2.0
4.3
EPSS
0.8%
CVE-2013-7346 MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF SQLi Symphony
NVD Exploit-DB VulDB
CVSS 2.0
6.8
EPSS
0.3%
CVE-2013-2559 MEDIUM POC PATCH This Month

SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

CSRF SQLi Symphony
NVD GitHub Exploit-DB VulDB
CVSS 2.0
6.5
EPSS
1.2%
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection Symphony
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

A XML External Entity (XXE) vulnerability was discovered in symphony\lib\toolkit\class.xmlelement.php in Symphony 2.7.10 which can lead to an information disclosure or denial of service (DOS). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure XXE Denial Of Service +2
NVD GitHub VulDB
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML to fields['body'] param via events\event.publish_article.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Symphony
NVD Exploit-DB
EPSS 2% CVSS 8.8
HIGH This Week

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Senstar Symphony 7.3.2.2. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Symphony
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

content/content.blueprintsevents.php in Symphony CMS 3.0.0 allows XSS via fields['name'] to appendSubheading. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Symphony
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Symphony
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Symphony
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Symphony
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Symphony
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Symphony
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

b3log Symphony (aka Sym) 2.2.0 does not properly address XSS in JSON objects, as demonstrated by a crafted userAvatarURL value to /settings/avatar, related to processor/AdminProcessor.java,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Symphony
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Java Symphony
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to content/content.blueprintssections.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Symphony
NVD GitHub
EPSS 5% CVSS 8.8
HIGH POC PATCH This Week

Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection PHP +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom form field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Symphony
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Symphony
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM This Month

Directory traversal vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to rename arbitrary files via a .. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal PHP Symphony
NVD GitHub VulDB
EPSS 19% CVSS 7.5
HIGH POC THREAT Act Now

Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 19.1%.

Race Condition Information Disclosure Symphony
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Symphony
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Navigation Group, or (3) Label parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Symphony
NVD
EPSS 1% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the sort parameter to system/authors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Symphony
NVD
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF SQLi Symphony
NVD Exploit-DB VulDB
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

CSRF SQLi Symphony
NVD GitHub Exploit-DB VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy