Total
5 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16821 | 1 B3log | 1 Symphony | 2020-07-28 | 3.5 LOW | 5.4 MEDIUM |
| b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid. | |||||
| CVE-2019-17488 | 1 B3log | 1 Symphony | 2019-10-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header. | |||||
| CVE-2018-16249 | 1 B3log | 1 Symphony | 2019-06-21 | 3.5 LOW | 4.8 MEDIUM |
| In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name. | |||||
| CVE-2019-9142 | 1 B3log | 1 Symphony | 2019-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java. | |||||
| CVE-2018-10469 | 1 B3log | 1 Symphony | 2018-06-04 | 7.5 HIGH | 9.8 CRITICAL |
| b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI. | |||||