Vulnerabilities (CVE)

Filtered by vendor B3log Subscribe
Filtered by product Symphony
Total 6 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-23049 1 B3log 1 Symphony 2024-02-12 N/A 9.8 CRITICAL
An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component.
CVE-2019-17488 1 B3log 1 Symphony 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header.
CVE-2018-16249 1 B3log 1 Symphony 2023-12-10 3.5 LOW 4.8 MEDIUM
In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name.
CVE-2019-9142 1 B3log 1 Symphony 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/
CVE-2018-10469 1 B3log 1 Symphony 2023-12-10 7.5 HIGH 9.8 CRITICAL
b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI.
CVE-2017-16821 1 B3log 1 Symphony 2023-12-10 3.5 LOW 5.4 MEDIUM
b3log Symphony (aka Sym) 2.2.0 has XSS in processor/ in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.