B3log: >> Symphony >> 2.2.0 Security Vulnerabilities
An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component.
CVSS Score
9.8
EPSS Score
0.038
Published
2024-02-05
b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-10-10
In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name.
CVSS Score
4.8
EPSS Score
0.004
Published
2019-06-20
An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-02-25
b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.
CVSS Score
5.4
EPSS Score
0.002
Published
2017-11-15