Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00YzV3LXFxZmctZ3JmM831xg
Symphony CMS XSS Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_whitelist] parameters to system/preferences.
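The following is an added illustration of the bug class behind this advisory; it is not code from Symphony CMS or from the fix commit linked below. The parameter names are the ones the advisory lists. Everything else is assumed: that the submitted value ends up inside an input's value attribute on the preferences form, the markup, the function names, and the validation rules. It puts the unescaped rendering pattern next to an escaped one and adds a write-time validation step for the parameters that have an obvious legitimate shape (port, host, e-mail address, IP list).

```php
<?php
// Added illustration, not Symphony CMS code. Models the advisory's bug class:
// a preference submitted through a parameter such as email_smtp[host] being
// written into an HTML attribute without escaping. Parameter names come from
// the advisory; markup, function names and validation rules are assumptions.

declare(strict_types=1);

// Constructed request body: a hostile submission to system/preferences.
// The host value closes the value="" attribute and adds an event handler.
$submitted = [
    'email_smtp' => [
        'host' => 'mail.example.org" autofocus onfocus="alert(document.domain)" x="',
        'port' => '25',
    ],
    'maintenance_mode' => [
        'ip_whitelist' => '10.0.0.1, <script>alert(1)</script>',
    ],
];

// Vulnerable pattern: raw interpolation into an attribute. Any value
// containing a double quote breaks out of the attribute.
function renderFieldVulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES
// matters; without it a single-quoted attribute would still be escapable.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFieldSafe(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '" />';
}

// Defence in depth: validate on write as well as escaping on read. These
// rules are assumptions about what each preference should legitimately hold.
function validatePreference(string $group, string $key, string $value): bool
{
    switch ($group . '[' . $key . ']') {
        case 'email_smtp[port]':
            return preg_match('/^\d{1,5}$/', $value) === 1
                && (int) $value >= 1 && (int) $value <= 65535;
        case 'email_smtp[host]':
            return filter_var($value, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false
                || filter_var($value, FILTER_VALIDATE_IP) !== false;
        case 'email_sendmail[from_address]':
        case 'email_smtp[from_address]':
            return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
        case 'maintenance_mode[ip_whitelist]':
            foreach (preg_split('/\s*,\s*/', trim($value), -1, PREG_SPLIT_NO_EMPTY) as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
                    return false;
                }
            }
            return true;
        default:
            // from_name, trusted_external_sites and the rest: at minimum
            // reject markup metacharacters that have no business here.
            return preg_match('/[<>"\']/', $value) === 0;
    }
}

foreach ($submitted as $group => $fields) {
    foreach ($fields as $key => $value) {
        $name = $group . '[' . $key . ']';
        printf("%s: %s\n", $name, validatePreference($group, $key, $value) ? 'accepted' : 'REJECTED');
        echo '  vulnerable: ', renderFieldVulnerable($name, $value), PHP_EOL;
        echo '  hardened:   ', renderFieldSafe($name, $value), PHP_EOL;
    }
}
```

Run it with `php example.php`; the vulnerable line for email_smtp[host] shows the attribute break-out, the hardened line shows the quote encoded as `&quot;`, and the validator rejects both hostile values while accepting the port. Two caveats a reviewer would raise: escaping must match the output context (a value emitted into a JavaScript block or a URL needs a different encoder than htmlspecialchars), and validation alone is not a fix, since a legitimate-looking value can still be dangerous in an unescaped sink. The authoritative change is the symphonycms/symphony-2 commit referenced on this page.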
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00YzV3LXFxZmctZ3JmM831xg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.00235
EPSS Percentile: 0.61697
Identifiers: GHSA-4c5w-qqfg-grf3, CVE-2015-8766
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-8766
- https://github.com/symphonycms/symphony-2/commit/651e150091c61fb60ad1dff2bc2166185a83d9d6
- http://seclists.org/fulldisclosure/2015/Dec/60
- http://www.getsymphony.com/download/releases/version/2.6.4/
- https://web.archive.org/web/20210321090853/https://cybersecurityworks.com/zerodays/cve-2015-8766-getsymphoney.html
- https://github.com/advisories/GHSA-4c5w-qqfg-grf3
Blast Radius: 4.3
Affected Packages
packagist:symphonycms/symphony-2
Dependent packages: 1
Dependent repositories: 5
Downloads: 1,318 total
Affected Version Ranges: < 2.6.4
Fixed in: 2.6.4
All affected versions: 2.6.0, 2.6.1, 2.6.2, 2.6.3
All unaffected versions: 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 3.0.0