
CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Aug 2024 — Friendica 2024.03 is vulnerable to Cross Site Scripting (XSS) in settings/profile via the homepage, xmpp, and matrix parameters. • https://friendi.ca/2024/08/17/friendica-2024-08-released •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Aug 2024 — Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature. • https://leo.oliver.nz/posts/2024/05/friendica-cve-disclosures • CWE-639: Authorization Bypass Through User-Controlled Key •
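The CWE-639 pattern named in this entry, shown as an added PHP example that is not Friendica's code: a record is looked up by a key the client controls (`cid`) without binding the lookup to the requesting user. The `event` table, its `uid` column and both lookup functions are hypothetical, and the in-memory SQLite database is constructed here (needs the pdo_sqlite extension).

```php
<?php
// Added example, not Friendica code. Demonstrates CWE-639: a record fetched by a
// user-controlled key without scoping the lookup to the session user.
// Table, columns and sample rows are hypothetical and constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event (id INTEGER PRIMARY KEY, uid INTEGER NOT NULL, summary TEXT)');
$db->exec("INSERT INTO event VALUES (1, 100, 'alice: dentist'), (2, 200, 'bob: private meeting')");

// Vulnerable: trusts the key from the request. Any caller who can guess or
// enumerate an id reads (or, in a mutating handler, edits) someone else's event.
function loadEventVulnerable(PDO $db, int $cid): ?array {
    $st = $db->prepare('SELECT id, uid, summary FROM event WHERE id = ?');
    $st->execute([$cid]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened: the query itself is scoped to the authenticated user, so a foreign
// key returns nothing instead of another user's row. The check lives in the
// data access path, not in a separate "if" the caller can forget.
function loadEventOwned(PDO $db, int $cid, int $sessionUid): ?array {
    $st = $db->prepare('SELECT id, uid, summary FROM event WHERE id = ? AND uid = ?');
    $st->execute([$cid, $sessionUid]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

$sessionUid = 100;        // alice is logged in
$requestedCid = 2;        // attacker-chosen id belonging to bob
var_dump(loadEventVulnerable($db, $requestedCid) !== null); // bool(true): bob's row leaks
var_dump(loadEventOwned($db, $requestedCid, $sessionUid));  // NULL: denied
```

The same scoping applies to every verb on the resource (view, edit, delete, export): an ownership clause in the query is cheaper to audit than a check repeated in each controller.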

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Aug 2024 — Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information because of missing file type filtering on the file attachment parameter. • https://leo.oliver.nz/posts/2024/05/friendica-cve-disclosures • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
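Two controls that address the attachment issue described above, as an added PHP example that is not Friendica's attachment handler: check the upload's type from its bytes against an allowlist rather than from the client-supplied name or MIME, and serve stored attachments with headers that stop the browser from rendering them as HTML in the application's origin. `vetAttachment`, `attachmentHeaders` and the sample byte strings are constructed for this demo (needs the fileinfo extension).

```php
<?php
// Added example, not Friendica code. Content-based type allowlisting for uploads
// plus response headers that prevent an attachment from executing as a page.
// Function names, the allowlist and the sample uploads are constructed here.

const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'application/pdf', 'text/plain'];

// Returns the detected MIME type when it is on the allowlist, null otherwise.
// The decision uses the file's magic bytes, never the filename extension or the
// Content-Type the client sent with the upload.
function vetAttachment(string $bytes): ?string {
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type  = $finfo->buffer($bytes) ?: 'application/octet-stream';
    return in_array($type, ALLOWED_TYPES, true) ? $type : null;
}

// Headers for streaming a stored attachment back, whatever its type:
// nosniff stops MIME sniffing, attachment disposition stops inline rendering,
// and a sandboxed CSP neuters script even if the type check is ever wrong.
function attachmentHeaders(string $filename, string $type): array {
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $filename);
    return [
        'Content-Type: ' . $type,
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . $safeName . '"',
        "Content-Security-Policy: default-src 'none'; sandbox",
    ];
}

$samples = [   // constructed byte strings standing in for uploaded files
    'logo.png'  => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16),
    'notes.txt' => "plain text, nothing to see",
    'cat.jpg'   => "<html><script>alert(document.cookie)</script></html>", // HTML named as an image
];
foreach ($samples as $name => $bytes) {
    $type = vetAttachment($bytes);
    printf("%-10s %s\n", $name, $type === null ? 'REJECTED' : "ok ($type)");
}
print_r(attachmentHeaders('report.pdf', 'application/pdf'));
```

Serving uploads from a separate origin (a dedicated media host) removes the remaining risk: even a file that slips past the allowlist then runs without the application's cookies.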

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Aug 2024 — Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information via the text parameter of the babel debug feature. • https://leo.oliver.nz/posts/2024/05/friendica-cve-disclosures • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Aug 2024 — Cross Site Scripting vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information via the location parameter of the calendar event feature. • https://leo.oliver.nz/posts/2024/05/friendica-cve-disclosures • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Apr 2024 — Cross Site Scripting (XSS) vulnerability in Friendica versions after v.2023.12 allows a remote attacker to execute arbitrary script in a victim's browser and obtain sensitive information via BBCode tags in the post content and post comment functions. • https://github.com/friendica/friendica/issues/13884 •
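The XSS entries on this page (BBCode in posts and comments here, and the `location`, `text`, `homepage`, `xmpp` and `matrix` parameters in the entries above) share one root cause: user text reaches HTML without escaping for the context it lands in. The following added PHP example is not Friendica's BBCode renderer; it contrasts a converter that rewrites tags on raw input with one that escapes first and validates link targets. Both converter functions and the sample posts are constructed for illustration.

```php
<?php
// Added example, not Friendica code. A BBCode-to-HTML converter must HTML-escape
// the whole input before tag rewriting and must validate the URL in [url=...]
// instead of splicing it into an attribute. Functions and inputs are hypothetical.

// Naive converter: rewrites tags on raw input, so stray HTML and hostile
// attribute values pass straight through to the page.
function bbcodeNaive(string $s): string {
    $s = preg_replace('/\[b\](.*?)\[\/b\]/s', '<b>$1</b>', $s);
    $s = preg_replace('/\[url=(.*?)\](.*?)\[\/url\]/s', '<a href="$1">$2</a>', $s);
    return $s;
}

// Hardened converter: escape everything first, then allow a small set of tags,
// and only emit links whose scheme is on an allowlist.
function bbcodeSafe(string $s): string {
    $s = htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $s = preg_replace('/\[b\](.*?)\[\/b\]/s', '<b>$1</b>', $s);
    $s = preg_replace_callback('/\[url=(.*?)\](.*?)\[\/url\]/s', function (array $m): string {
        // The captured target was escaped above; decode it to inspect the scheme,
        // then re-escape it for the attribute context on output.
        $url    = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return $m[2];   // drop the link, keep the (already escaped) text
        }
        $attr = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<a href="' . $attr . '" rel="nofollow noopener">' . $m[2] . '</a>';
    }, $s);
    return $s;
}

$posts = [   // constructed post bodies
    '[b]hi[/b] <script>alert(1)</script>',
    '[url=javascript:alert(document.cookie)]click[/url]',
    '[url=https://example.org/" onmouseover="alert(1)]x[/url]',
];
foreach ($posts as $p) {
    echo "naive: ", bbcodeNaive($p), "\n";
    echo "safe:  ", bbcodeSafe($p), "\n\n";
}
```

The escaping step is the same one the reflected parameters need: a value echoed into element content gets `htmlspecialchars` with `ENT_QUOTES`, and a value placed in an attribute gets that plus scheme validation when the attribute is a URL.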

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Apr 2024 — Server Side Request Forgery (SSRF) vulnerability in Friendica versions after v.2023.12 allows a remote attacker to execute arbitrary code and obtain sensitive information via the fpostit.php component. • https://github.com/friendica/friendica/issues/13877 •
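The target check a server-side fetch of a user-supplied URL needs, as an added PHP example that is not Friendica's fpostit.php: allowlist the scheme, reject embedded credentials, resolve the host, and refuse the request if any resulting address is loopback, link-local, private or otherwise reserved. `vetOutboundUrl`, `isPublicIp` and the DNS table are hypothetical; the resolver is injected so the demo runs offline with constructed records.

```php
<?php
// Added example, not Friendica code. Validates an outbound URL before a
// server-side fetch. The resolver is a callable so the check runs offline here;
// a deployment would pass gethostbynamel() (or a dual-stack resolver).

function isPublicIp(string $ip): bool {
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::ffff:0:0/96, fe80::/10, ...
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the URL when it may be fetched, null when it must not.
function vetOutboundUrl(string $url, callable $resolve): ?string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return null;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return null;
    if (isset($p['user']) || isset($p['pass'])) return null;      // user@host confusion
    $host = trim($p['host'], '[]');                                // bracketed IPv6 literal
    $ips  = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : ($resolve($host) ?: []);
    if ($ips === []) return null;                                  // fail closed if unresolvable
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) return null;                         // every address must be public
    }
    return $url;
}

// Constructed DNS table for the demo.
$fakeDns = fn(string $h): array => ([
    'example.org'       => ['93.184.216.34'],
    'metadata.internal' => ['169.254.169.254'],
    'mixed.test'        => ['93.184.216.34', '10.0.0.5'],   // one public, one private: reject
][$h] ?? []);

$cases = [
    'https://example.org/post',
    'http://127.0.0.1:8080/admin',
    'http://[::1]/',
    'http://169.254.169.254/latest/meta-data/',
    'http://metadata.internal/',
    'http://mixed.test/',
    'file:///etc/passwd',
    'http://user@example.org/',
];
foreach ($cases as $u) {
    printf("%-45s %s\n", $u, vetOutboundUrl($u, $fakeDns) === null ? 'BLOCKED' : 'allowed');
}
```

This check is necessary but not sufficient: the HTTP client must also refuse to follow redirects to unvetted targets (re-run the check on each hop or disable redirects), and it should connect to the address that was vetted rather than resolving the name a second time, which closes the DNS-rebinding window.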

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Apr 2021 — ** DISPUTED ** Module/Settings/UserExport.php in Friendica through 2021.01 allows settings/userexport to be used by anonymous users, as demonstrated by an attempted access to an array offset on a value of type null, and excessive memory consumption. NOTE: the vendor states "the feature still requires a valid authentication cookie even if the route is accessible to non-logged users." • https://github.com/friendica/friendica/issues/10110 • CWE-401: Missing Release of Memory after Effective Lifetime •