A database of PHP security advisories
PHP
Latest commit 604f8be, Jan 20, 2017, @fabpot: Merge pull request #197 from marcomenzel/fix-typo3 (fix typo3/cms branches/version for two advisories)
adodb/adodb-php adodb/adodb-php CVE-2016-4855 Oct 7, 2016
amphp/artax Fix Artax version constraint to >0.7.1 to include alpha and beta vers… Jul 20, 2016
aws/aws-sdk-php be more strict with the YAML syntax being used Dec 12, 2015
bugsnag/bugsnag-laravel Added bugsnag laravel vulnerability Jul 19, 2016
cakephp/cakephp Fix ranges in CakePHP range. Sep 8, 2016
cartalyst/sentry Renamed file Sep 5, 2016
codeigniter/framework Fix branches Sep 14, 2016
composer/composer add CVE-2015-8371.yaml Feb 14, 2016
contao-components/mediaelement XSS vulnerabilities in conato/core and contao-components/mediaelement… Jul 15, 2016
contao/core XSS vulnerabilities in conato/core and contao-components/mediaelement… Jul 15, 2016
doctrine Correcting syntax error in `doctrine/doctrine-bundle` advisories Dec 12, 2015
dompdf/dompdf Add more “disclosed” dompdf issues Feb 6, 2016
drupal adding drupal advisory SA-CORE-2016-005 Nov 19, 2016
firebase/php-jwt Add the advisory for the firebase/php-jwt vulnerability Apr 2, 2015
friendsofsymfony be more strict with the YAML syntax being used Dec 12, 2015
gregwar/rst Add Gregwar/RST < v1.0.3 Oct 31, 2016
guzzlehttp/guzzle Add CVE-2016-5385 for guzzlehttp/guzzle Jul 18, 2016
illuminate be more strict with the YAML syntax being used Dec 12, 2015
joomla/session Correct version Dec 14, 2015
laravel be more strict with the YAML syntax being used Dec 12, 2015
magento/magento2ce Disallowing installation of current `magento/magento2ce` versions due… Jul 20, 2016
monolog/monolog be more strict with the YAML syntax being used Dec 12, 2015
namshi/jose be more strict with the YAML syntax being used Dec 12, 2015
oro be more strict with the YAML syntax being used Dec 12, 2015
phpmailer/phpmailer adding CVE-2017-5223 for phpmailer/phpmailer Jan 9, 2017
pusher/pusher-php-server Add the advisory for the pusher-php-server vulnerability May 15, 2015
sabre/dav be more strict with the YAML syntax being used Dec 12, 2015
shopware/shopware Add CVE identifier for shopware/shopware Vulnerability Apr 25, 2016
silverstripe Adding latest silverstripe notices Mar 5, 2016
simplesamlphp Update the latest vulnerabilities related to SimpleSAMLphp with the a… Jan 19, 2017
socalnick/scn-social-auth ScnSocialAuth XSS Vulnerability Jan 16, 2015
swiftmailer/swiftmailer added CVE-2016-10074 Dec 29, 2016
symfony add CVE-2403 May 10, 2016
thelia be more strict with the YAML syntax being used Dec 12, 2015
twig/twig be more strict with the YAML syntax being used Dec 12, 2015
typo3 fix typo3/cms TYPO3-CORE-SA-2016-023 and TYPO3-CORE-SA-2016-024 Jan 20, 2017
willdurand/js-translation-bundle Add entry for willdurand/js-translation-bundle Jul 29, 2014
yiisoft be more strict with the YAML syntax being used Dec 12, 2015
zendframework ZF2016-04: Potential remote code execution in zend-mail via Sendmail … Dec 21, 2016
zf-commons/zfc-user Add CVE Jan 13, 2015
zfcampus/zf-apigility-doctrine be more strict with the YAML syntax being used Dec 12, 2015
zfr/zfr-oauth2-server-module Fix package name inconsistencies May 20, 2015
.gitignore Remove lock file Oct 29, 2015
.travis.yml Switch to the docker-based infrastructure on Travis Aug 12, 2015
LICENSE added the missing license Oct 26, 2014
README.md be more strict with the YAML syntax being used Dec 12, 2015
composer.json Add formatting to the validator Apr 18, 2016
validator.php fixed CS Jul 29, 2016

README.md

PHP Security Advisories Database

The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries. This database must not serve as the primary source of information for security issues; it is not authoritative for any referenced software, but it centralizes the information for convenience and easy consumption.

License

The PHP security advisories database is free and unencumbered software released into the public domain.

Browsing Vulnerabilities

You can browse the database entries on https://security.sensiolabs.org/database.

Checking for Vulnerabilities

There are several ways to check for vulnerabilities in your applications besides manual checks:

  • Upload your composer.lock file on https://security.sensiolabs.org/;

  • Use the CLI tool:

    php checker security:check /path/to/composer.lock
    
  • Use the web service:

    curl -H "Accept: text/plain" https://security.sensiolabs.org/check_lock -F lock=@/path/to/composer.lock
    

    It will return all vulnerabilities detected in your dependencies in plain text. You can also retrieve the information in the JSON format:

    curl -H "Accept: application/json" https://security.sensiolabs.org/check_lock -F lock=@/path/to/composer.lock
    

Contributing

Contributing security advisories is as easy as it can get:

  • You can contribute a new entry by sending a pull request or by creating a file directly via the Github interface;

  • Create a directory based on the Composer name of the software where the security issue exists (use symfony/http-foundation for an issue in the Symfony HttpFoundation component for instance);

  • Each security issue must be saved in a file where the name is the CVE identifier (preferred) or the date when the security issue was announced followed by an increment (2012-12-12-1 for instance);

  • The file is in the YAML format and must contain the following entries (have a look at existing entries for examples):

    • title: A text that describes the security issue in a few words;

    • link: A link to the official security issue announcement;

    • reference: A unique reference to identify the software (the only supported scheme is composer:// followed by the Composer identifier);

    • branches: A hash of affected branches, where the name is the branch name (like 2.0.x), and the value is a hash with the following entries:

      • time: The date when the security issue was fixed (most of the time the date of the commit that fixed the issue, e.g. 2012-08-27 19:17:44) -- this information must be as accurate as possible, as it is used to determine whether a software version is affected or not;

      • versions: An array of constraints describing affected versions for this branch (this is the same format as the one used for Composer -- ['>=2.0.0', '<2.0.17']).

  • If you have a CVE identifier, add it under the cve key.

  • Make sure your file validates by running php validator.php from the root of this project. This script needs some dependencies that are installed via Composer, so you need to run composer install first.

If some affected code is available through different Composer entries (like when you have read-only subtree splits of a main repository), duplicate the information in several files.
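The following is an added example, not code from this repository or its checker tools: it applies the branches/versions format described above to the package versions pinned in a composer.lock. The advisory and the lock file are constructed for illustration; acme/widget is a hypothetical package and the CVE value and link are placeholders. The advisory is given as the PHP array a YAML parser would produce, since PHP has no YAML parser in its standard library.

```php
<?php
// Added example, not code from the security-advisories repository: check whether the
// versions pinned in a composer.lock fall inside the affected ranges of one advisory
// in this database's format. Advisory and lock file are constructed; acme/widget is a
// hypothetical package. The advisory is the array a YAML parser would produce.
$advisory = [
    'title'     => 'Constructed example: unauthenticated file read in acme/widget',
    'link'      => 'https://example.com/advisory',   // placeholder
    'cve'       => 'CVE-0000-00000',                  // placeholder identifier
    'reference' => 'composer://acme/widget',
    'branches'  => [
        '1.x' => ['time' => '2016-03-01 10:00:00', 'versions' => ['>=1.0.0', '<1.4.2']],
        '2.x' => ['time' => '2016-03-01 10:05:00', 'versions' => ['>=2.0.0', '<2.1.0']],
    ],
];
$lockJson = '{"packages":[{"name":"acme/widget","version":"v1.4.1"},'
          . '{"name":"other/lib","version":"3.0.0"}]}';

// One constraint such as '<2.0.17' maps onto version_compare's operator form.
function constraintMatches(string $version, string $constraint): bool
{
    if (!preg_match('/^(>=|<=|>|<|==|!=)\s*(.+)$/', $constraint, $m)) {
        throw new InvalidArgumentException("Unsupported constraint: $constraint");
    }
    return version_compare($version, $m[2], $m[1]);
}

// Names of the branches whose ranges contain the installed version; empty means not affected.
function affectedBranches(string $installed, array $advisory): array
{
    $version = ltrim($installed, 'v');   // composer.lock keeps the tag name, e.g. v1.4.1
    $hits = [];
    foreach ($advisory['branches'] as $name => $branch) {
        // a branch applies only when every constraint in its versions list holds (AND)
        $unmet = array_filter($branch['versions'], fn ($c) => !constraintMatches($version, $c));
        if ($unmet === []) {
            $hits[] = $name;
        }
    }
    return $hits;
}

$package = substr($advisory['reference'], strlen('composer://'));
foreach (json_decode($lockJson, true)['packages'] as $pkg) {
    if ($pkg['name'] !== $package || strpos($pkg['version'], 'dev-') === 0) {
        continue;   // other packages, and dev-* branches that carry no comparable version
    }
    $hits = affectedBranches($pkg['version'], $advisory);
    echo ($hits ? 'VULNERABLE (branch ' . implode(', ', $hits) . ')' : 'OK'), ": {$pkg['name']} {$pkg['version']}\n";
}
```

The time key is carried through unused here because tagged releases are decided by the versions constraints alone; it matters for dev-* versions, which this example skips.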