CVE-2015-8766
MEDIUM
Symphony < 2.6.3 - XSS
Title source: ruleDescription
Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_whitelist] parameters to system/preferences.
References (4)
Scores
CVSS v3: 6.1
EPSS: 0.0027
EPSS Percentile: 50.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Classification
CWE: CWE-79
Status: draft
Affected Products (2)
getsymphony/symphony: < 2.6.3
symphonycms/symphony-2: < 2.6.4 (Packagist)
Timeline
Published: Jan 08, 2016
Tracked Since: Feb 18, 2026