VYPR

Symphony

by Symphony Project

CVEs (7)

  • CVE-2018-10469 | Cri | Apr 27, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI.

  • CVE-2025-12491 | Hig | Dec 23, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Senstar Symphony. Authentication is not required to exploit this vulnerability. The specific flaw…

  • CVE-2017-16956 | Med | Nov 27, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title.

  • CVE-2017-16881 | Med | Nov 18, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    b3log Symphony (aka Sym) 2.2.0 does not properly address XSS in JSON objects, as demonstrated by a crafted userAvatarURL value to /settings/avatar, related to processor/AdminProcessor.java, processor/ArticleProcessor.java, processor/UserProcessor.java,…

  • CVE-2017-6067 | Med | Mar 27, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom form field.

  • CVE-2017-16821 | Med | Nov 15, 2017
    risk 0.35 | cvss 5.4 | epss 0.00

    b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.

  • CVE-2019-9142 | Feb 25, 2019
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java.