CVE-2015-8766
Published 2016-01-08
Priority P4 · 26 · medium · 6.1 CVSS 3.0
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 1.77% (75.3th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_whitelist] parameters to system/preferences.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getsymphony | symphony | <= 2.6.3 | — |
| symphonycms | symphony-2 | >= 0 < 2.6.4 | 2.6.4 |
CVSS provenance
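| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |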
OSV
Symphony CMS XSS Vulnerabilities
osv·2022-05-13
CVE-2015-8766 [MEDIUM] Symphony CMS XSS Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in `content/content.systempreferences.php` in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) `email_sendmail[from_name]`, (2) `email_sendmail[from_address]`, (3) `email_smtp[from_name]`, (4) `email_smtp[from_address]`, (5) `email_smtp[host]`, (6) `email_smtp[port]`, (7) `jit_image_manipulation[trusted_external_sites]`, or (8) `maintenance_mode[ip_whitelist]` parameters to system/preferences.
GHSA
Symphony CMS XSS Vulnerabilities
ghsa·2022-05-13
CVE-2015-8766 [MEDIUM] CWE-79 Symphony CMS XSS Vulnerabilities
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://seclists.org/fulldisclosure/2015/Dec/60
http://www.getsymphony.com/download/releases/version/2.6.4/
https://cybersecurityworks.com/zerodays/cve-2015-8766-getsymphoney.html
https://github.com/symphonycms/symphony-2/commit/651e150091c61fb60ad1dff2bc2166185a83d9d6
2016-01-08
Published