Security Audit v2.1.4

Language
- English
- Français
Login / Register

prod

Ibexa OSS 4.6

52 vulnerabilities has been found

6 abandonned packages has been found

Last analyse : 4 hours ago

No result.

52 vulnerabilities has been found

#	Total	C	H	M	L
Composer	29	0	13	11	5	0
Php	23	2	10	5	2	4

Composer

6 ibexa/admin-ui —— v4.6.7 +

high XSS in fields used in the Content name pattern

Affected versions : v4.0.0,v4.0.8|v4.1.0,v4.1.5|v4.2.0,v4.2.4|v4.3.0,v4.3.5|v4.4.0,v4.4.4|v4.5.0,v4.5.7|v4.6.0,v4.6.13
Patched versions : v4.6.14
https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates

Reported 11/28/24

IBEXA-SA-2024-006

high XSS vulnerabilities in back office

Affected versions : v4.6.0,v4.6.20
Patched versions : v4.6.21
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-003-xss-vulnerabilities-in-back-office

Reported 6/11/25

IBEXA-SA-2025-003

medium Ibexa Admin UI XSS vulnerabilities in back office

Affected versions : >=4.6.0-beta1,<4.6.21
Patched versions : 4.6.21
https://github.com/advisories/GHSA-5r6x-g6jv-4v87

Reported 6/13/25

medium ibexa/admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal

Affected versions : >=4.6.0,<4.6.25|>=5.0.0,<5.0.3
Patched versions : 5.0.3 4.6.25
https://github.com/advisories/GHSA-2mx6-fq24-g2mh

Reported 10/17/25

medium Ibexa Admin UI vulnerable to DOM-based Cross-site Scripting in file upload widget

Affected versions : >=4.6.0-beta1,<4.6.9
Patched versions : 4.6.9
https://github.com/advisories/GHSA-qm44-wjm2-pr59

Reported 7/31/24

CVE-2024-39318

medium Ibexa Admin UI vulnerable to Cross-site Scripting in a field that is used in the Content name pattern

Affected versions : >=4.6.0,<4.6.14
Patched versions : 4.6.14
https://github.com/advisories/GHSA-8w3p-gf85-qcch

Reported 12/2/24

CVE-2024-53864

6 ibexa/fieldtype-richtext —— v4.6.7 +

high XXE vulnerability in RichText

Affected versions : v4.6.0,v4.6.18
Patched versions : v4.6.19
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext

Reported 4/9/25

IBEXA-SA-2025-002

high XSS vulnerabilities in back office

Affected versions : v4.6.0,v4.6.20
Patched versions : v4.6.21
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-003-xss-vulnerabilities-in-back-office

Reported 6/11/25

IBEXA-SA-2025-003

high Persistent Cross-site Scripting in Ibexa RichText Field Type

Affected versions : >=4.6.0,<4.6.10
Patched versions : 4.6.10
https://github.com/advisories/GHSA-hvcf-6324-cjh7

Reported 8/14/24

CVE-2024-43369

high ibexa/fieldtype-richtext allows access to external entities in XML

Affected versions : >=4.6.0-beta1,<4.6.19
Patched versions : 4.6.19
https://github.com/advisories/GHSA-cj3w-g42v-wcj6

Reported 4/10/25

medium Ibexa RichText Field Type XSS vulnerabilities in back office

Affected versions : >=4.6.0-beta1,<4.6.21
Patched versions : 4.6.21
https://github.com/advisories/GHSA-9qv6-4pwm-m68f

Reported 6/13/25

medium ibexa/fieldtype-richtext has an XSS vulnerability via acronym custom tag in Rich Text

Affected versions : >=4.6.0,<4.6.25|>=5.0.0,<5.0.3
Patched versions : 5.0.3 4.6.25
https://github.com/advisories/GHSA-8c2g-f8jm-5cr7

Reported 10/17/25

3 twig/twig —— v3.10.3 +

high Twig has a possible sandbox bypass

Affected versions : >=3.0.0,<3.14.0|>=2.0.0,<2.16.1|>=1.0.0,<1.44.8
Patched versions : 1.44.8 2.16.1 3.14.0
https://github.com/advisories/GHSA-6j75-5wfj-gh66

Reported 9/9/24

CVE-2024-45411

low Unguarded calls to __isset() and to array-accesses when the sandbox is enabled

Affected versions : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1
Patched versions : 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled

Reported 11/6/24

CVE-2024-51755

low Unguarded calls to __toString() when nesting an object into an array

Reported 11/6/24

CVE-2024-51754

2 symfony/http-foundation —— v5.4.40 +

high CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass

Affected versions : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.50|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.29|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.3.7
Patched versions : 5.4.50 6.4.29 7.3.7 5.4.50 6.4.29 7.3.7
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass

Reported 11/12/25

CVE-2025-64500

low CVE-2024-50345: Open redirect via browser-sanitized URLs

Affected versions : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Patched versions : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50345

Reported 11/5/24

CVE-2024-50345

2 symfony/process —— v5.4.40 +

high CVE-2024-51736: Command execution hijack on Windows with Process class

Reported 11/5/24

CVE-2024-51736

medium Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows

Affected versions : >=8.0,<8.0.5|>=7.4,<7.4.5|>=7.3,<7.3.11|>=6.4,<6.4.33|<5.4.51
Patched versions : 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5 5.4.51 6.4.33 7.3.11 7.4.5 8.0.5
https://github.com/advisories/GHSA-r39x-jcww-82v6

Reported 1/28/26

CVE-2026-24739

1 symfony/runtime —— v5.4.40 +

medium CVE-2024-50340: Ability to change environment from query

Affected versions : >=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Patched versions : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50340

Reported 11/5/24

CVE-2024-50340

1 symfony/http-client —— v5.4.40 +

low CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

Affected versions : >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Patched versions : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50342

Reported 11/5/24

CVE-2024-50342

1 symfony/validator —— v5.4.40 +

low CVE-2024-50343: Incorrect response from Validator when input ends with ` `

Affected versions : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4
Patched versions : 5.4.43 6.4.11 7.1.4 5.4.43 6.4.11 7.1.4
https://symfony.com/cve-2024-50343

Reported 8/30/24

CVE-2024-50343

1 symfony/security-http —— v5.4.40 +

high CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie

Affected versions : >=5.3.0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8
Patched versions : 5.4.47 6.4.15 7.1.8
https://symfony.com/cve-2024-51996

Reported 11/13/24

CVE-2024-51996

2 ibexa/http-cache —— v4.6.7 +

high BREACH vulnerability in varnish VCL and vhost templates

Reported 11/28/24

IBEXA-SA-2024-006

medium ibexa/http-cache affected by Breach with Varnish VCL

Affected versions : >=4.6.0,<4.6.14
Patched versions : 4.6.14
https://github.com/advisories/GHSA-fh7v-q458-7vmw

Reported 12/2/24

2 ibexa/post-install —— v4.6.7 +

high BREACH vulnerability in varnish VCL and vhost templates

Reported 11/28/24

IBEXA-SA-2024-006

medium ibexa/post-install affected by Breach with Varnish VCL

Affected versions : >=4.6.0,<4.6.14|>=1.0.0,<1.0.16
Patched versions : 1.0.16 4.6.14
https://github.com/advisories/GHSA-4h8f-c635-25p7

Reported 12/2/24

2 ibexa/admin-ui-assets —— v4.6.7 +

high XSS vulnerabilities in back office

Affected versions : v4.6.0,v4.6.20
Patched versions : v4.6.21
https://developers.ibexa.co/security-advisories/ibexa-sa-2025-003-xss-vulnerabilities-in-back-office

Reported 6/11/25

IBEXA-SA-2025-003

medium Ibexa Admin UI assets XSS vulnerabilities in back office

Affected versions : >=4.6.0-alpha1,<4.6.21
Patched versions : 4.6.21
https://github.com/advisories/GHSA-vhgq-r8gx-5fpv

Reported 6/13/25

Php

23 PHP —— 8.3.8 +

critical In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

* [https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv](https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv)

Reported 11/24/24

CVE-2024-11236

critical In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

* [https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff](https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff)
* [https://security.netapp.com/advisory/ntap-20250523-0005/](https://security.netapp.com/advisory/ntap-20250523-0005/)

Reported 3/30/25

CVE-2025-1861

high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.

* [https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43](https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43)

Reported 11/24/24

CVE-2024-11233

high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

* [https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2](https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2)

Reported 11/24/24

CVE-2024-11234

high In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Affected versions : 8.3.0|8.3.18,8.4.0|8.4.5
Patched versions :
* [https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477](https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477)
* [https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477](https://github.com/php/php-src/security/advisories/GHSA-rwp7-7vc6-8477)

Reported 4/4/25

CVE-2024-11235

high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

* [https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq](https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq)

Reported 10/8/24

CVE-2024-8926

high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

* [https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp](https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp)

Reported 10/8/24

CVE-2024-8927

high In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7](https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7)

Reported 12/27/25

CVE-2025-14177

high In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2](https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2)

Reported 12/27/25

CVE-2025-14178

high In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj](https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj)

Reported 12/27/25

CVE-2025-14180

high In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

* [https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3](https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3)

Reported 7/13/25

CVE-2025-1735

high In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.

* [https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528](https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528)
* [https://security.netapp.com/advisory/ntap-20250523-0006/](https://security.netapp.com/advisory/ntap-20250523-0006/)

Reported 3/30/25

CVE-2025-1736

medium The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.

* [http://osvdb.org/39834](http://osvdb.org/39834)
* [http://securityreason.com/securityalert/2800](http://securityreason.com/securityalert/2800)
* [http://www.acid-root.new.fr/advisories/14070612.txt](http://www.acid-root.new.fr/advisories/14070612.txt)
* [http://www.securityfocus.com/archive/1/471178/100/0/threaded](http://www.securityfocus.com/archive/1/471178/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471204/100/0/threaded](http://www.securityfocus.com/archive/1/471204/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471275/100/0/threaded](http://www.securityfocus.com/archive/1/471275/100/0/threaded)
* [https://exchange.xforce.ibmcloud.com/vulnerabilities/34836](https://exchange.xforce.ibmcloud.com/vulnerabilities/34836)

Reported 6/13/07

CVE-2007-3205

medium In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.

* [https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32](https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32)

Reported 10/8/24

CVE-2024-8925

medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

Affected versions : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4
Patched versions :
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)

Reported 3/30/25

CVE-2025-1219

medium In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.

* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)
* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)

Reported 7/13/25

CVE-2025-1220

medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

* [https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44](https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44)
* [https://security.netapp.com/advisory/ntap-20250523-0009/](https://security.netapp.com/advisory/ntap-20250523-0009/)

Reported 3/30/25

CVE-2025-1734

low In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

* [https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5](https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5)

Reported 10/8/24

CVE-2024-9026

low In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.

Affected versions : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4
Patched versions :
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)

Reported 3/29/25

CVE-2025-1217

unassigned A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)

Reported 4/10/24

CVE-2024-3566

unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.

* [https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678](https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678)
* [https://security.netapp.com/advisory/ntap-20250110-0008/](https://security.netapp.com/advisory/ntap-20250110-0008/)

Reported 11/22/24

CVE-2024-8929

unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

* [https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff](https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff)
* [https://security.netapp.com/advisory/ntap-20250110-0009/](https://security.netapp.com/advisory/ntap-20250110-0009/)

Reported 11/22/24

CVE-2024-8932

unassigned In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)
* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)

Reported 7/13/25

CVE-2025-6491

6 abandonned packages has been found

Abandoned package	Suggested replacement
sensio/framework-extra-bundle	Symfony
php-http/message-factory	psr/http-factory
platformsh/symfonyflex-bridge	None
swiftmailer/swiftmailer	symfony/mailer
symfony/swiftmailer-bundle	symfony/mailer
php-http/guzzle6-adapter	guzzlehttp/guzzle or php-http/guzzle7-adapter

Summary Possible update

Your version is Ibexa 4.6

Your version is Symfony 5.4

Your version is Php 7.4

Badge

[![Vulnerabilities](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=vulnerabilities)](https://audit.security.code-rhapsodie.fr/en/project/018fdea7-1ba2-7bdf-abab-51452e155926)

[![Vulnerabilities](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=vulnerabilities&version=little)](https://audit.security.code-rhapsodie.fr/en/project/018fdea7-1ba2-7bdf-abab-51452e155926)

[![Abandonned](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=abandonned)](https://audit.security.code-rhapsodie.fr/en/project/018fdea7-1ba2-7bdf-abab-51452e155926)

[![Abandonned](https://audit.security.code-rhapsodie.fr/badge/018fdea7-1ba2-7bdf-abab-51452e155926?type=abandonned&version=little)](https://audit.security.code-rhapsodie.fr/en/project/018fdea7-1ba2-7bdf-abab-51452e155926)