本ページは b3log symphony に影響する公開済み CVE(NVD の CPE 経由で関連付け)を列挙します。各行に深刻度指標・概要・公開日が含まれます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2024-23049 | An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component. | [email protected] | 9.8 | 3.75% | 2024-02-05 | 2025-06-17 |
| CVE-2019-17488 | b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header. | [email protected] | 6.1 | 0.24% | 2019-10-10 | 2024-11-21 |
| CVE-2018-16249 | In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name. | [email protected] | 4.8 | 0.34% | 2019-06-20 | 2024-11-21 |
| CVE-2019-9142 | An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java. | [email protected] | 6.1 | 0.24% | 2019-02-25 | 2024-11-21 |
| CVE-2018-10469 | b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI. | [email protected] | 9.8 | 0.84% | 2018-04-27 | 2024-11-21 |
| CVE-2017-16821 | b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid. | [email protected] | 5.4 | 0.19% | 2017-11-15 | 2026-05-13 |