Lucene search

Symphony Security Vulnerabilities

cve

CVE-2017-16821

b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.

5.4CVSS

5.2AI Score

0.001EPSS

2017-11-15 03:29 AM

cve

CVE-2018-10469

b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI.

9.8CVSS

9.6AI Score

0.011EPSS

2018-04-27 04:29 AM

cve

CVE-2018-16249

In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user...

4.8CVSS

4.8AI Score

0.001EPSS

2019-06-20 02:15 PM

cve

CVE-2019-17488

b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header.

6.1CVSS

6AI Score

0.001EPSS

2019-10-10 09:15 PM

cve

CVE-2019-9142

An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java.

6.1CVSS

5.9AI Score

0.001EPSS

2019-02-25 03:29 PM

cve

CVE-2024-23049

An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component.

9.8CVSS

9.6AI Score

0.004EPSS

2024-02-05 11:15 PM

130