Friendica: Recent CVEs (9 CVEs)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-25864 | Friendica | Cri | 0.59 | 9.1 | 0.01 | — | Apr 3, 2024 | Server Side Request Forgery (SSRF) vulnerability in Friendica versions after v.2023.12, allows a remote attacker to execute arbitrary code and obtain sensitive information via the fpostit.php component. |
| CVE-2024-39094 | Friendica | — | 0.00 | — | 0.00 | — | Aug 20, 2024 | Friendica 2024.03 is vulnerable to Cross Site Scripting (XSS) in settings/profile via the homepage, xmpp, and matrix parameters. |
| CVE-2024-27730 | Friendica | — | 0.00 | — | 0.06 | — | Aug 15, 2024 | Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature. |
| CVE-2024-27731 | Friendica | — | 0.00 | — | 0.00 | — | Aug 15, 2024 | Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information via the lack of file type filtering in the file attachment parameter. |
| CVE-2024-27728 | Friendica | — | 0.00 | — | 0.00 | — | Aug 15, 2024 | Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information via the text parameter of the babel debug feature. |
| CVE-2024-27729 | Friendica | — | 0.00 | — | 0.00 | — | Aug 15, 2024 | Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information via the location parameter of the calendar event feature. |
| CVE-2024-26495 | Friendica | — | 0.00 | — | 0.00 | — | Apr 3, 2024 | Cross Site Scripting (XSS) vulnerability in Friendica versions after v.2023.12, allows a remote attacker to execute arbitrary code and obtain sensitive information via the BBCode tags in the post content and post comments function. |
| CVE-2021-30141 | Friendica | — | 0.00 | — | 0.00 | — | Apr 5, 2021 | Module/Settings/UserExport.php in Friendica through 2021.01 allows settings/userexport to be used by anonymous users, as demonstrated by an attempted access to an array offset on a value of type null, and excessive memory consumption. NOTE: the vendor states "the feature still… |
| CVE-2021-27329 | Friendica | — | 0.00 | — | 0.00 | — | Feb 18, 2021 | Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names. |