{"url":"http://public2.vulnerablecode.io/api/packages/740370?format=json","purl":"pkg:composer/neos/flow@2.3.6","type":"composer","namespace":"neos","name":"flow","version":"2.3.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.3.16","latest_non_vulnerable_version":"4.0.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54932?format=json","vulnerability_id":"VCID-bq83-tngb-yfhw","summary":"Neos Flow Arbitrary file upload and XML External Entity processing\nIt has been discovered that Flow 3.0.0 allows arbitrary file uploads, inlcuding server-side scripts, posing the risk of attacks. If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure, placement of backdoors, data removal, …).\n\nNote: The upload of files is only possible if the application built on Flow provides means to do so, and whether or not the upload of files poses a risk is dependent on the system setup. If uploaded script files are not executed by the server, there is no risk. In versions prior to 3.0.0 the upload of files with the extension php was blocked.\n\nIn Flow 2.3.0 to 2.3.6 a potential XML External Entity processing vulnerability has been discovered in the MediaTypeConverter.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/neos/flow/2015-11-23.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/neos/flow/2015-11-23.yaml"},{"reference_url":"https://github.com/neos/flow","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/neos/flow"},{"reference_url":"https://www.neos.io/blog/flow-sa-2015-001.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.neos.io/blog/flow-sa-2015-001.html"},{"reference_url":"https://github.com/advisories/GHSA-5vv7-j593-mgjc","reference_id":"GHSA-5vv7-j593-mgjc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vv7-j593-mgjc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81478?format=json","purl":"pkg:composer/neos/flow@2.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vvz5-5vuk-t3cm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/neos/flow@2.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/81479?format=json","purl":"pkg:composer/neos/flow@3.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vvz5-5vuk-t3cm"},{"vulnerability":"VCID-xfcd-uacz-1qck"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/neos/flow@3.0.1"}],"aliases":["GHSA-5vv7-j593-mgjc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bq83-tngb-yfhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54929?format=json","vulnerability_id":"VCID-vvz5-5vuk-t3cm","summary":"Time-Based Information Disclosure Vulnerability in Flow\nThe PersistedUsernamePasswordProvider was prone to a information disclosure of account existance based on timing attacks as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/neos/flow/2016-11-01.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/neos/flow/2016-11-01.yaml"},{"reference_url":"https://github.com/neos/flow","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/neos/flow"},{"reference_url":"https://www.neos.io/blog/flow-sa-2016-001.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.neos.io/blog/flow-sa-2016-001.html"},{"reference_url":"https://github.com/advisories/GHSA-6pq8-67pw-j6hw","reference_id":"GHSA-6pq8-67pw-j6hw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6pq8-67pw-j6hw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81472?format=json","purl":"pkg:composer/neos/flow@2.3.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/neos/flow@2.3.16"},{"url":"http://public2.vulnerablecode.io/api/packages/81473?format=json","purl":"pkg:composer/neos/flow@3.0.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xfcd-uacz-1qck"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/neos/flow@3.0.10"},{"url":"http://public2.vulnerablecode.io/api/packages/81474?format=json","purl":"pkg:composer/neos/flow@3.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xfcd-uacz-1qck"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/neos/flow@3.1.7"},{"url":"http://public2.vulnerablecode.io/api/packages/81475?format=json","purl":"pkg:composer/neos/flow@3.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xfcd-uacz-1qck"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/neos/flow@3.2.7"},{"url":"http://public2.vulnerablecode.io/api/packages/81476?format=json","purl":"pkg:composer/neos/flow@3.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xfcd-uacz-1qck"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/neos/flow@3.3.5"}],"aliases":["GHSA-6pq8-67pw-j6hw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vvz5-5vuk-t3cm"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/neos/flow@2.3.6"}