CVE-2015-8766

Name of the Vulnerable Software and Affected Versions Symphony CMS versions prior to 2.6.4

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including email sendmail[from name], email sendmail[from address], email smtp[from name], email smtp[from address], email smtp[host], email smtp[port], jit image manipulation[trusted external sites], and maintenance mode[ip whitelist], to the system/preferences endpoint.

Recommendations For Symphony CMS versions prior to 2.6.4, update to version 2.6.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the system/preferences endpoint until a patch is available. Avoid using the vulnerable parameters in the affected endpoint until the issue is resolved.