A database of PHP security advisories
Branch: master
fabpot Merge pull request #409 from ocramleznem/add-drupal2019008
add Drupal core - Critical - Access bypass - SA-CORE-2019-008
Latest commit 9332aea Jul 18, 2019
Type Name Latest commit message Commit time
3f/pygmentize Point to 1.x instead of master. May 17, 2017
adodb/adodb-php add potential sql injection vector in adodb-php Apr 30, 2018
alterphp/easyadmin-extension-bundle Add easy-admin extension bundle security flaw Oct 2, 2018
amphp Add advisory for amphp/http header injection Mar 15, 2018
api-platform/core API Platform: assign CVE number to 2019-01-15 Feb 14, 2019
asymmetricrypt/asymmetricrypt Add advisories for (abandoned?) projects with unfixed vulnerabilities. Feb 21, 2018
aws/aws-sdk-php naming convention - cve identifier Dec 24, 2018
brightlocal/phpwhois Add CVE-2015-5243: phpWhois PHP Code Injection Aug 1, 2018
bugsnag/bugsnag-laravel Added bugsnag laravel vulnerability Jul 19, 2016
cakephp/cakephp - Apr 24, 2019
cart2quote/module-quotation Note the Magento 1 Cart2Quote extension RCE vulnerability Feb 3, 2017
cartalyst/sentry use HTTPS whenever possible Apr 20, 2018
codeigniter/framework use HTTPS whenever possible Apr 20, 2018
composer/composer add CVE-2015-8371.yaml Feb 14, 2016
contao-components/mediaelement Update the Contao data and add CVE-2017-10993. Jul 12, 2017
contao Add Contao CVE-2019-11512 Apr 30, 2019
david-garcia/phpwhois Add CVE-2015-5243: phpWhois PHP Code Injection Aug 1, 2018
doctrine naming convention - cve identifier Dec 24, 2018
dompdf/dompdf Add more “disclosed” dompdf issues Feb 6, 2016
drupal add Drupal core - Critical - Access bypass - SA-CORE-2019-008 Jul 18, 2019
erusev/parsedown Use assigned CVE Apr 6, 2019
ezsystems delete file ezplatform-page-builder Jun 14, 2019
ezyang/htmlpurifier Add CVEs for ezyang/htmlpurifier Sep 15, 2018
firebase/php-jwt Add the advisory for the firebase/php-jwt vulnerability Apr 2, 2015
fooman/tcpdf fixed typo Oct 15, 2018
fossar/tcpdf-parser Fix reference for fossar/tcpdf Oct 14, 2018
friendsofsymfony switched to use shortcut URLs for Symfony vuln links May 23, 2018
fuel/core Use correct version constraints. May 10, 2018
gree/jose Add the advisory for the gree/jose vulnerability Dec 11, 2017
gregwar/rst Add Gregwar/RST < v1.0.3 Oct 31, 2016
guzzlehttp/guzzle fixed issues with some YAML files Feb 21, 2018
illuminate Add advisory for Laravel cookie serialization vulnerability Aug 10, 2018
ivankristianto/phpwhois Add CVE-2015-5243: phpWhois PHP Code Injection Aug 1, 2018
james-heinrich/getid3 Add CVE for james-heinrich/getid3 Sep 15, 2018
joomla/session Correct version Dec 14, 2015
jsmitty12/phpwhois Add CVE-2015-5243: phpWhois PHP Code Injection Aug 1, 2018
kazist/phpwhois Add CVE-2015-5243: phpWhois PHP Code Injection Aug 1, 2018
kreait/firebase-php 3.8.0 is affected. Apr 14, 2018
la-haute-societe/tcpdf Added la-haute-societe/tcpdf, not fixed yet Oct 14, 2018
laravel Add advisory for Laravel cookie serialization vulnerability Aug 10, 2018
league/commonmark Add assigned CVE ID to league/commonmark vulnerability Mar 25, 2019
magento Magento - CVE-2019-7139 May 6, 2019
monolog/monolog be more strict with the YAML syntax being used Dec 12, 2015
namshi/jose be more strict with the YAML syntax being used Dec 12, 2015
onelogin/php-saml naming convention - cve identifier Dec 24, 2018
openid/php-openid Add CVE for openid/php-openid Sep 15, 2018
oro use HTTPS whenever possible Apr 20, 2018
padraic/humbug_get_contents fixed package name Feb 19, 2018
pagarme/pagarme-php Adjust report version range Mar 1, 2018
paragonie/random_compat Added in report time May 3, 2016
paypal/merchant-sdk-php replace advisory link with actual issue URL Apr 14, 2018
pear/archive_tar Add CVE-2018-1000888 in pear/archive_tar Jan 14, 2019
phpmailer/phpmailer Create CVE-2018-19296.yaml Nov 16, 2018
phpoffice Fix date format for CVE-2018-19277 Nov 27, 2018
phpunit/phpunit Add CVE-2017-9841 for phpunit Nov 11, 2017
phpwhois/phpwhois Add CVE-2015-5243: phpWhois PHP Code Injection Aug 1, 2018
phpxmlrpc/extras fixed typo in version of phpxmlrpc. Jan 3, 2018
propel Removed file not relating to a Composer release Feb 20, 2018
pusher/pusher-php-server Add the advisory for the pusher-php-server vulnerability May 15, 2015
robrichards/xmlseclibs add possible XPath injection on xmlseclibs Oct 5, 2018
sabre/dav be more strict with the YAML syntax being used Dec 12, 2015
sensiolabs/connect Add new issue in sensiolabs/connect Jun 8, 2018
serluck/phpwhois Add CVE-2015-5243: phpWhois PHP Code Injection Aug 1, 2018
shopware/shopware fixed some links Apr 22, 2018
silverstripe Add CVE-2019-12246 for silverstripe/framework Jun 11, 2019
simple-updates/phpwhois Add CVE-2015-5243: phpWhois PHP Code Injection Aug 1, 2018
simplesamlphp add SimpleSAMLphp 201907-01 Jul 14, 2019
slim/slim Remove trailing comma and add exact time. Apr 11, 2018
smarty/smarty Add CVE-2018-13982: Smarty Trusted-Directory Bypass via Path Traversal Sep 17, 2018
socalnick/scn-social-auth ScnSocialAuth XSS Vulnerability Jan 16, 2015
spoonity/tcpdf Added spoonity/tcpdf, not fixed yet Oct 14, 2018
squizlabs/php_codesniffer Merge pull request #274 from jrfnl/feature/phpcodesniffer-3.0.0 Mar 20, 2018
stormpath/sdk Add advisories for (abandoned?) projects with unfixed vulnerabilities. Feb 21, 2018
swiftmailer/swiftmailer added CVE-2016-10074 Dec 29, 2016
sylius Sylius, CVE-2019-12186: XSS injection in the Grid component May 22, 2019
symfony fix lower version boundary Jun 14, 2019
tecnickcom/tcpdf fixed typo Oct 15, 2018
thelia use HTTPS whenever possible Apr 20, 2018
theonedemon/phpwhois Add CVE-2015-5243: phpWhois PHP Code Injection Aug 1, 2018
titon/framework Add advisories for (abandoned?) projects with unfixed vulnerabilities. Feb 21, 2018
truckersmp/phpwhois Add CVE-2015-5243: phpWhois PHP Code Injection Aug 1, 2018
twig/twig Twig sandbox vulnerability Mar 12, 2019
typo3 [TASK] Add security advisories for TYPO3's June 2019 releases Jun 25, 2019
ua-parser/uap-php DoS in uap-php Dec 14, 2018
wallabag/tcpdf CVE-2018-17057 for wallabag/tcpdf, not fixed yet Oct 14, 2018
willdurand/js-translation-bundle Add entry for willdurand/js-translation-bundle Jul 29, 2014
yiisoft use HTTPS whenever possible Apr 20, 2018
zendframework Updated version constraint, as it requires providing version range Mar 28, 2019
zetacomponents/mail naming convention - cve identifier Dec 24, 2018
zf-commons/zfc-user naming convention - cve identifier Dec 24, 2018
zfcampus/zf-apigility-doctrine naming convention - cve identifier Dec 24, 2018
zfr/zfr-oauth2-server-module Fix package name inconsistencies May 20, 2015
.editorconfig Add editorconfig with 4 spaces for indentation Feb 19, 2019
.gitignore Remove lock file Oct 29, 2015
.travis.yml fixed issues with some YAML files Feb 21, 2018
LICENSE added the missing license Oct 26, 2014
README.md Merge pull request #385 from aidantwoods/help/validator-memory Jun 26, 2019
composer.json fixed issues with some YAML files Feb 21, 2018
validator.php add filename validation Dec 30, 2018

README.md

PHP Security Advisories Database

The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries. It must not serve as the primary source of information for security issues and is not authoritative for any referenced software; it only centralizes the information for convenience and easy consumption.

License

The PHP security advisories database is free and unencumbered software released into the public domain.

Checking for Vulnerabilities

There are several ways to check for vulnerabilities in your applications besides manual checks:

  • [Recommended] Use the Symfony CLI (no PHP dependency, no third-party API calls, checks are done locally on a clone of this repository):

     symfony security:check /path/to/composer.lock
    
  • Upload your composer.lock file on https://security.symfony.com/

  • Use the PHP CLI tool:

     php checker security:check /path/to/composer.lock
    

Contributing

Contributing security advisories is as easy as it can get:

  • You can contribute a new entry by sending a pull request or by creating a file directly via the Github interface;

  • Create a directory based on the Composer name of the software where the security issue exists (use symfony/http-foundation for an issue in the Symfony HttpFoundation component for instance);

  • Each security issue must be saved in a file where the name is the CVE identifier (preferred) or the date when the security issue was announced followed by an increment (2012-12-12-1 for instance);

  • The file is in the YAML format and must contain the following entries (have a look at existing entries for examples):

    • title: A text that describes the security issue in a few words;

    • link: A link to the official security issue announcement (HTTPS links are preferred over HTTP ones);

    • reference: A unique reference to identify the software (the only supported scheme is composer:// followed by the Composer identifier);

    • branches: A hash of affected branches, where the name is the branch name (like 2.0.x), and the value is a hash with the following entries:

      • time: The date and time in UTC when the security issue was fixed, or null if the issue is not fixed yet (most of the time, the date of the merge commit that fixed the issue, in the format 2012-08-27 19:17:44). This information must be as accurate as possible, as it is used to determine whether a project is affected or not;

      • versions: An array of constraints describing affected versions for this branch (this is the same format as the one used for Composer -- ['>=2.0.0', '<2.0.17']).

  • If you have a CVE identifier, add it under the cve key.

  • Make sure your file validates by running php -d memory_limit=-1 validator.php from the root of this project. The script needs some dependencies installed via Composer, so run composer install first.

If the same affected code is available through different Composer packages (for instance read-only subtree splits of a main repository), duplicate the information in one file per package.
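The following is an added example, not the project's validator.php and not the Symfony checker, that shows how the fields described above (reference, branches, time, versions) decide whether a package pinned in a composer.lock is affected, which is what the checkers in "Checking for Vulnerabilities" do against a clone of this repository. The advisory and the composer.lock excerpt are constructed sample data: the package acme/widget, its dates and its title are hypothetical, the advisory is written as a Python structure mirroring the YAML keys, and the mapping of dev versions to branch names plus the pre-release ordering are this example's own simplifications of Composer's rules.

```python
"""Added example (not the project's validator or the Symfony checker):
decide whether the packages pinned in a composer.lock fall under an
advisory written in this database's YAML schema.

The advisory and the composer.lock excerpt are constructed sample data;
the package name acme/widget and its dates are hypothetical.
"""
import json
import operator
import re
from datetime import datetime, timezone

# Constructed advisory mirroring a database entry's keys
# (it would be stored as acme/widget/2012-12-12-1.yaml).
ADVISORY = {
    "title": "Path traversal in the asset loader",
    "link": "https://example.com/acme/widget/security/2012-12-12",
    "reference": "composer://acme/widget",
    "branches": {
        # time: null -> this branch has no fix yet
        "1.9.x": {"time": None, "versions": [">=1.9.0", "<2.0.0"]},
        # time -> UTC timestamp of the merge commit that fixed the branch
        "2.0.x": {"time": "2012-12-11 09:30:00", "versions": [">=2.0.0", "<2.0.17"]},
    },
}

_CONSTRAINT = re.compile(r"^(>=|<=|!=|==|=|>|<)?\s*v?(\d[\w.\-]*)$")
_OPS = {"==": operator.eq, "=": operator.eq, "!=": operator.ne, ">": operator.gt,
        ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def version_key(version):
    """Sort key for a tagged version: 'v2.0.17' -> ((2, 0, 17, 0), 1, '').
    A pre-release suffix ('2.0.17-beta1') sorts below the bare number;
    ordering between different suffixes is a simplification of Composer's rules."""
    core, _, suffix = version.lstrip("v").partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))
    return (nums, 0 if suffix else 1, suffix.lower())


def satisfies(version, constraints):
    """True when `version` meets every constraint in the advisory's
    `versions` list, e.g. ['>=2.0.0', '<2.0.17'] (Composer comparison syntax)."""
    key = version_key(version)
    for constraint in constraints:
        match = _CONSTRAINT.match(constraint.strip())
        if not match:
            raise ValueError(f"unsupported constraint {constraint!r}")
        op, bound = match.group(1) or "==", match.group(2)
        if not _OPS[op](key, version_key(bound)):
            return False
    return True


def dev_branch(version):
    """Map a Composer dev version to the advisory branch it tracks
    ('2.0.x-dev' -> '2.0.x', 'dev-master' -> 'master'); None for tagged releases.
    This mapping is the example's own assumption."""
    if version.startswith("dev-"):
        return version[4:]
    if version.endswith("-dev"):
        return version[:-4]
    return None


def is_affected(package, advisory):
    """`package` is one entry of composer.lock's `packages` array
    (name, version, time as Composer writes them)."""
    if advisory["reference"] != "composer://" + package["name"]:
        return False
    branch = dev_branch(package["version"])
    if branch is None:
        # Tagged release: affected if any branch's version range contains it.
        return any(satisfies(package["version"], info["versions"])
                   for info in advisory["branches"].values())
    info = advisory["branches"].get(branch)
    if info is None:
        return False  # the advisory says nothing about this branch
    if info["time"] is None:
        return True  # no fix has landed on this branch yet
    # Dev checkout: affected if it was cut before the fix was merged. This is
    # why an inaccurate `time` in an advisory yields wrong answers here.
    fixed_at = datetime.strptime(info["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    checked_out_at = datetime.fromisoformat(package["time"])
    return checked_out_at < fixed_at


def check_lock(lock_json, advisories):
    """Return (name, version, title) for every locked package an advisory covers."""
    hits = []
    for package in json.loads(lock_json).get("packages", []):
        for advisory in advisories:
            if is_affected(package, advisory):
                hits.append((package["name"], package["version"], advisory["title"]))
    return hits


# Constructed composer.lock excerpt with only the fields the check reads.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "acme/widget", "version": "2.0.15", "time": "2012-11-01T12:00:00+00:00"},
    {"name": "acme/other", "version": "3.1.0", "time": "2013-02-02T00:00:00+00:00"},
]})

if __name__ == "__main__":
    for name, version, title in check_lock(SAMPLE_LOCK, [ADVISORY]):
        print(f"{name} {version}: {title}")
```

Two things worth noticing: a tagged release is judged only by the versions constraints, while a dev checkout (2.0.x-dev) is judged by comparing the package's time from composer.lock against the branch's fix time, so a branch entry with time: null flags every checkout of that branch and an entry whose time is later than the real merge date flags checkouts that already carry the fix.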
