MidnightBSD

Advisories for phoenixframework

CVE-2017-1000163 MEDIUM

The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 are vulnerable to unvalidated URL redirection, which may result in phishing or social engineering attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
phoenixframework phoenix 1.2.0
phoenixframework phoenix 1.0.3
phoenixframework phoenix 1.1.3
phoenixframework phoenix 1.1.1
phoenixframework phoenix 1.0.4
phoenixframework phoenix 1.1.6
phoenixframework phoenix 1.0.0
phoenixframework phoenix 1.1.2
phoenixframework phoenix 1.1.4
phoenixframework phoenix 1.2.2
phoenixframework phoenix 1.0.1
phoenixframework phoenix 1.0.2
phoenixframework phoenix 1.1.5
phoenixframework phoenix 1.3.0-rc.0
phoenixframework phoenix 1.1.0
CVE-2021-46871

tag.ex in Phoenix Phoenix.HTML (aka phoenix_html) before 3.0.4 allows XSS in HEEx class attributes.

Products Affected

Vendor Product Version
phoenixframework phoenix_html *
CVE-2022-42975

socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
phoenixframework phoenix *