Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00YzV3LXFxZmctZ3JmM831xg

Symphony CMS XSS Vulnerabilities

Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_whitelist] parameters to system/preferences.

Permalink: https://github.com/advisories/GHSA-4c5w-qqfg-grf3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00YzV3LXFxZmctZ3JmM831xg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00235
EPSS Percentile: 0.61697

Identifiers: GHSA-4c5w-qqfg-grf3, CVE-2015-8766
References: Repository: https://github.com/symphonycms/symphony-2
Blast Radius: 4.3

Affected Packages

packagist:symphonycms/symphony-2
Dependent packages: 1
Dependent repositories: 5
Downloads: 1,318 total
Affected Version Ranges: < 2.6.4
Fixed in: 2.6.4
All affected versions: 2.6.0, 2.6.1, 2.6.2, 2.6.3
All unaffected versions: 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 3.0.0