A database of PHP security advisories
PHP
fabpot Merge pull request #316 from tgalopin/patch-1
Add a reference to #314 for zendframework/zendframework
Latest commit 5975747 Aug 14, 2018
3f/pygmentize Point to 1.x instead of master. May 17, 2017
adodb/adodb-php add potential sql injection vector in adodb-php Apr 30, 2018
amphp Add advisory for amphp/http header injection Mar 15, 2018
asymmetricrypt/asymmetricrypt Add advisories for (abandoned?) projects with unfixed vulnerabilities. Feb 21, 2018
aws/aws-sdk-php be more strict with the YAML syntax being used Dec 12, 2015
bugsnag/bugsnag-laravel Added bugsnag laravel vulnerability Jul 19, 2016
cakephp/cakephp Add new issue in CakePHP May 21, 2018
cart2quote/module-quotation Note the Magento 1 Cart2Quote extension RCE vulnerability Feb 3, 2017
cartalyst/sentry use HTTPS whenever possible Apr 20, 2018
codeigniter/framework use HTTPS whenever possible Apr 20, 2018
composer/composer add CVE-2015-8371.yaml Feb 14, 2016
contao-components/mediaelement Update the Contao data and add CVE-2017-10993. Jul 12, 2017
contao Fix the version number (not sure if it works this way). Apr 18, 2018
doctrine use HTTPS whenever possible Apr 20, 2018
dompdf/dompdf Add more “disclosed” dompdf issues Feb 6, 2016
drupal Merge pull request #293 from ocramleznem/add-SA-CORE-2018-004 May 9, 2018
erusev/parsedown Add CVE for Parsedown vulnerability Apr 7, 2018
ezsystems/ezpublish-legacy Add advisory EZSA-2018-001 Feb 27, 2018
firebase/php-jwt Add the advisory for the firebase/php-jwt vulnerability Apr 2, 2015
friendsofsymfony switched to use shortcut URLs for Symfony vuln links May 23, 2018
fuel/core Use correct version constraints. May 10, 2018
gree/jose Add the advisory for the gree/jose vulnerability Dec 11, 2017
gregwar/rst Add Gregwar/RST < v1.0.3 Oct 31, 2016
guzzlehttp/guzzle fixed issues with some YAML files Feb 21, 2018
illuminate Add advisory for Laravel cookie serialization vulnerability Aug 10, 2018
joomla/session Correct version Dec 14, 2015
kreait/firebase-php 3.8.0 is affected. Apr 14, 2018
laravel Add advisory for Laravel cookie serialization vulnerability Aug 10, 2018
magento Merge pull request #304 from barryvdh/patch-2 Jul 18, 2018
monolog/monolog be more strict with the YAML syntax being used Dec 12, 2015
namshi/jose be more strict with the YAML syntax being used Dec 12, 2015
onelogin/php-saml add onelogin/php-saml security issues Jun 7, 2017
oro use HTTPS whenever possible Apr 20, 2018
padraic/humbug_get_contents fixed package name Feb 19, 2018
pagarme/pagarme-php Adjust report version range Mar 1, 2018
paragonie/random_compat Added in report time May 3, 2016
paypal/merchant-sdk-php replace advisory link with actual issue URL Apr 14, 2018
phpmailer/phpmailer add CVE-2017-11503 Jul 27, 2017
phpunit/phpunit Add CVE-2017-9841 for phpunit Nov 11, 2017
phpxmlrpc/extras fixed typo in version of phpxmlrpc. Jan 3, 2018
propel Removed file not relating to a Composer release Feb 20, 2018
pusher/pusher-php-server Add the advisory for the pusher-php-server vulnerability May 15, 2015
sabre/dav be more strict with the YAML syntax being used Dec 12, 2015
sensiolabs/connect Add new issue in sensiolabs/connect Jun 8, 2018
shopware/shopware fixed some links Apr 22, 2018
silverstripe use HTTPS whenever possible Apr 20, 2018
simplesamlphp Add CVE ID assigned to SSPSA 201803-01. Mar 7, 2018
slim/slim Remove trailing comma and add exact time. Apr 11, 2018
socalnick/scn-social-auth ScnSocialAuth XSS Vulnerability Jan 16, 2015
squizlabs/php_codesniffer Merge pull request #274 from jrfnl/feature/phpcodesniffer-3.0.0 Mar 20, 2018
stormpath/sdk Add advisories for (abandoned?) projects with unfixed vulnerabilities. Feb 21, 2018
swiftmailer/swiftmailer added CVE-2016-10074 Dec 29, 2016
sylius Add an information about CSRF vulnerability in Sylius/AdminBundle Jul 9, 2018
symfony added missing file Aug 2, 2018
thelia use HTTPS whenever possible Apr 20, 2018
titon/framework Add advisories for (abandoned?) projects with unfixed vulnerabilities. Feb 21, 2018
twig/twig be more strict with the YAML syntax being used Dec 12, 2015
typo3 [TASK] Add TYPO3-CORE-SA-2018-001 to TYPO3-CORE-SA-2018-004 Jul 18, 2018
willdurand/js-translation-bundle Add entry for willdurand/js-translation-bundle Jul 29, 2014
yiisoft use HTTPS whenever possible Apr 20, 2018
zendframework Add a reference to #314 for zendframework/zendframework Aug 14, 2018
zetacomponents/mail CVE-2017-15806 Nov 15, 2017
zf-commons/zfc-user Add CVE Jan 13, 2015
zfcampus/zf-apigility-doctrine use HTTPS whenever possible Apr 20, 2018
zfr/zfr-oauth2-server-module Fix package name inconsistencies May 20, 2015
.gitignore Remove lock file Oct 29, 2015
.travis.yml fixed issues with some YAML files Feb 21, 2018
LICENSE added the missing license Oct 26, 2014
README.md Be more clear about the time zone of `time` Jul 13, 2018
composer.json fixed issues with some YAML files Feb 21, 2018
validator.php fixed typo Feb 21, 2018

README.md

PHP Security Advisories Database

The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries. This database must not serve as the primary source of information for security issues: it is not authoritative for any of the referenced software. It exists only to centralize the information for convenience and easy consumption.

License

The PHP security advisories database is free and unencumbered software released into the public domain.

Browsing Vulnerabilities

You can browse the database entries on https://security.sensiolabs.org/database.

Checking for Vulnerabilities

There are several ways to check for vulnerabilities in your applications besides manual checks:

  • Upload your composer.lock file on https://security.sensiolabs.org/;

  • Use the CLI tool:

     php checker security:check /path/to/composer.lock
    
  • Use the web service:

     curl -H "Accept: text/plain" https://security.sensiolabs.org/check_lock -F lock=@/path/to/composer.lock
    

    It returns all vulnerabilities detected in your dependencies as plain text. You can also retrieve the information in JSON format:

     curl -H "Accept: application/json" https://security.sensiolabs.org/check_lock -F lock=@/path/to/composer.lock
    

Contributing

Contributing security advisories is as easy as it can get:

  • You can contribute a new entry by sending a pull request or by creating a file directly via the GitHub interface;

  • Create a directory based on the Composer name of the software where the security issue exists (use symfony/http-foundation for an issue in the Symfony HttpFoundation component for instance);

  • Each security issue must be saved in a file where the name is the CVE identifier (preferred) or the date when the security issue was announced followed by an increment (2012-12-12-1 for instance);

  • The file is in the YAML format and must contain the following entries (have a look at existing entries for examples):

    • title: A text that describes the security issue in a few words;

    • link: A link to the official security issue announcement (HTTPS links are preferred over HTTP ones);

    • reference: A unique reference to identify the software (the only supported scheme is composer:// followed by the Composer identifier);

    • branches: A hash of affected branches, where each key is a branch name (like 2.0.x) and each value is a hash with the following entries:

      • time: The date and time in UTC when the security issue was fixed, or null if the issue is not fixed yet. Most of the time this is the date of the merge commit that fixed the issue, written in the format 2012-08-27 19:17:44. This value must be as accurate as possible, because it is used to determine whether a project is affected or not;

      • versions: An array of constraints describing affected versions for this branch (this is the same format as the one used for Composer -- ['>=2.0.0', '<2.0.17']).

  • If you have a CVE identifier, add it under the cve key.

  • Make sure your file validates by running php validator.php from the root of this project. The script needs a few dependencies that are installed via Composer, so run composer install first.

If some affected code is available through different Composer entries (like when you have read-only subtree splits of a main repository), duplicate the information in several files.
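The following is an added example, not the project's validator.php nor the SensioLabs checker, showing how the entries described above are consumed: it validates one advisory shaped like the YAML files in this repository (title, link, reference, branches with time and versions, optional cve) and then matches it against the packages listed in a composer.lock, which is what the web service and CLI tool do with your lock file. The package name acme/widget, the advisory, the announcement URL and the lock excerpts are constructed for illustration; the handling of branch checkouts (1.0.x-dev, dev-master), where the lock file's package time is compared with the advisory's fix time because version constraints cannot identify a commit, is a simplified model of how checkers use the time field, and mapping dev-master to a branch named master is this example's assumption.

```python
"""Added example, not the project's validator.php or the SensioLabs checker:
validate one advisory shaped like the YAML entries described above, then
match it against composer.lock packages. The package acme/widget, the
advisory and the lock excerpts below are constructed for illustration."""
import re
from datetime import datetime, timezone

# Constructed advisory, mirroring the YAML keys the README requires.
ADVISORY = {
    "title": "Example: constructed advisory for acme/widget",
    "link": "https://example.com/advisory",        # placeholder announcement URL
    "reference": "composer://acme/widget",
    "branches": {
        "1.0.x": {"time": "2018-05-01 12:00:00", "versions": [">=1.0.0", "<1.0.5"]},
        "1.1.x": {"time": None, "versions": [">=1.1.0"]},   # not fixed yet
    },
}

REQUIRED = ("title", "link", "reference", "branches")
CONSTRAINT = re.compile(r"^(>=|<=|!=|==|>|<|=)?\s*v?(\d+(?:\.\d+)*)$")
CVE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_fix_time(s):
    """Advisory `time` is UTC in the form 2012-08-27 19:17:44."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def validate(advisory):
    """Return the list of problems found; an empty list means well formed."""
    problems = [f"missing key: {k}" for k in REQUIRED if k not in advisory]
    if not str(advisory.get("reference", "")).startswith("composer://"):
        problems.append("reference must use the composer:// scheme")
    for name, branch in (advisory.get("branches") or {}).items():
        fix_time = branch.get("time")
        try:
            if fix_time is not None:
                parse_fix_time(fix_time)
        except ValueError:
            problems.append(f"branch {name}: time must be 'YYYY-MM-DD HH:MM:SS' or null")
        versions = branch.get("versions") or []
        if not versions:
            problems.append(f"branch {name}: versions must not be empty")
        problems += [f"branch {name}: unsupported constraint {c!r}"
                     for c in versions if not CONSTRAINT.match(c)]
    if advisory.get("cve") is not None and not CVE.match(advisory["cve"]):
        problems.append("cve must look like CVE-YYYY-NNNN")
    return problems


def compare(a, b):
    """Compare dotted numeric versions (leading 'v' ignored, missing parts are 0)."""
    ka = [int(p) for p in a.lstrip("v").split(".")]
    kb = [int(p) for p in b.lstrip("v").split(".")]
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


OPS = {">=": (0, 1), ">": (1,), "<=": (-1, 0), "<": (-1,), "==": (0,), "=": (0,), "!=": (-1, 1)}


def satisfies(version, constraint):
    m = CONSTRAINT.match(constraint.strip())
    if m is None:
        raise ValueError(f"unsupported constraint {constraint!r}")
    op, bound = m.groups()
    return compare(version, bound) in OPS[op or "=="]


def affected(branch_name, branch, version, lock_time):
    """Does one advisory branch cover this installed version?

    Tagged releases are matched by the `versions` constraints. For a branch
    checkout (1.0.x-dev, dev-master) the constraints say nothing about the
    commit actually installed, so the lock file's package `time` is compared
    with the advisory's fix `time` instead. Mapping dev-master to a branch
    named 'master' is an assumption of this example.
    """
    if version.endswith("-dev") or version.startswith("dev-"):
        checkout = version[:-4] if version.endswith("-dev") else version[4:]
        if checkout != branch_name:
            return False
        if branch["time"] is None or lock_time is None:
            return True            # no fix merged yet, or nothing proves the checkout is newer
        return datetime.fromisoformat(lock_time) < parse_fix_time(branch["time"])
    return all(satisfies(version, c) for c in branch["versions"])


def check_lock(lock, advisories):
    """Return (package, version, advisory title, branch) for each affected package."""
    index = {}
    for adv in advisories:
        index.setdefault(adv["reference"][len("composer://"):], []).append(adv)
    hits = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        for adv in index.get(pkg["name"], []):
            for name, branch in adv["branches"].items():
                if affected(name, branch, pkg["version"], pkg.get("time")):
                    hits.append((pkg["name"], pkg["version"], adv["title"], name))
    return hits


# Constructed composer.lock excerpts (only the fields the checker reads).
LOCK_TAGGED = {"packages": [{"name": "acme/widget", "version": "v1.0.3"},
                            {"name": "monolog/monolog", "version": "1.23.0"}]}
LOCK_DEV = {"packages": [{"name": "acme/widget", "version": "1.0.x-dev",
                          "time": "2018-04-20T09:00:00+00:00"}]}

if __name__ == "__main__":
    assert validate(ADVISORY) == []
    for lock in (LOCK_TAGGED, LOCK_DEV):
        for hit in check_lock(lock, [ADVISORY]):
            print("%s %s is affected by %r (branch %s)" % hit)
```

Two points worth noting from running it. The dev checkout in LOCK_DEV is reported as affected only because its lock time (20 April) precedes the fix time (1 May); the same checkout locked a day after the fix is clean, which is why the README insists that time be exact and in UTC. Pre-release suffixes (1.0.0-beta1, 2.0.0-RC1) and Composer's richer constraint syntax (~, ^, ||) are outside the scope of this example and would need composer/semver or an equivalent.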