Symphony
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-10469 | | Critical | 0.64 | 9.8 | 0.02 | | Apr 27, 2018 | b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI. |
| CVE-2025-12491 | | High | 0.49 | 7.5 | 0.00 | | Dec 23, 2025 | Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Senstar Symphony. Authentication is not required to exploit this vulnerability. The specific flaw… |
| CVE-2017-16956 | | Medium | 0.40 | 6.1 | 0.01 | | Nov 27, 2017 | b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title. |
| CVE-2017-16881 | | Medium | 0.40 | 6.1 | 0.01 | | Nov 18, 2017 | b3log Symphony (aka Sym) 2.2.0 does not properly address XSS in JSON objects, as demonstrated by a crafted userAvatarURL value to /settings/avatar, related to processor/AdminProcessor.java, processor/ArticleProcessor.java, processor/UserProcessor.java,… |
| CVE-2017-6067 | | Medium | 0.40 | 6.1 | 0.01 | | Mar 27, 2017 | Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom form field. |
| CVE-2017-16821 | | Medium | 0.35 | 5.4 | 0.00 | | Nov 15, 2017 | b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid. |
| CVE-2019-9142 | | | 0.00 | — | 0.01 | | Feb 25, 2019 | An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java. |