Lookup for vulnerable packages by Package URL.

Purl pkg:composer/drupal/drupal@8.1.10
Type composer
Namespace drupal
Name drupal
Version 8.1.10
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 8.2.2
Latest_non_vulnerable_version 10.0.8
Affected_by_vulnerabilities
0
url VCID-ks17-b29e-73au
vulnerability_id VCID-ks17-b29e-73au
summary
Access Bypass
This is a critical access bypass vulnerability in Drupal.
references
0
reference_url https://groups.drupal.org/node/516645
reference_id
reference_type
scores
url https://groups.drupal.org/node/516645
1
reference_url https://www.drupal.org/SA-CORE-2017-002
reference_id
reference_type
scores
url https://www.drupal.org/SA-CORE-2017-002
2
reference_url http://www.securityfocus.com/bid/97941
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/97941
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-6919
reference_id CVE-2017-6919
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-6919
fixed_packages
0
url pkg:composer/drupal/drupal@8.2.8
purl pkg:composer/drupal/drupal@8.2.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.2.8
1
url pkg:composer/drupal/drupal@8.3.1
purl pkg:composer/drupal/drupal@8.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.3.1
aliases CVE-2017-6919
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ks17-b29e-73au
1
url VCID-tbk2-zprq-27c8
vulnerability_id VCID-tbk2-zprq-27c8
summary
Remote code execution
A 3rd party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normally installed. You might be vulnerable to this if you are running a version of Drupal. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments.
references
0
reference_url https://www.drupal.org/SA-2017-001
reference_id
reference_type
scores
url https://www.drupal.org/SA-2017-001
1
reference_url http://www.securityfocus.com/bid/96919
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/96919
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-6381
reference_id CVE-2017-6381
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-6381
fixed_packages
0
url pkg:composer/drupal/drupal@8.2.2
purl pkg:composer/drupal/drupal@8.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.2.2
aliases CVE-2017-6381
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tbk2-zprq-27c8
Fixing_vulnerabilities
0
url VCID-8qd6-8ckc-h3g5
vulnerability_id VCID-8qd6-8ckc-h3g5
summary
Unprivileged access to "Administer comments"
Users who have rights to edit a node can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission.
references
0
reference_url https://www.drupal.org/SA-CORE-2016-004
reference_id
reference_type
scores
url https://www.drupal.org/SA-CORE-2016-004
fixed_packages
0
url pkg:composer/drupal/drupal@8.1.10
purl pkg:composer/drupal/drupal@8.1.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ks17-b29e-73au
1
vulnerability VCID-tbk2-zprq-27c8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.1.10
aliases CVE-2016-7570
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8qd6-8ckc-h3g5
1
url VCID-jb63-xjup-1khv
vulnerability_id VCID-jb63-xjup-1khv
summary
Unprivileged access to config export
The `system.temporary` route allows the download of a full config export. The full config export should be limited to those with "Export configuration" permission.
references
0
reference_url https://www.drupal.org/SA-CORE-2016-004
reference_id
reference_type
scores
url https://www.drupal.org/SA-CORE-2016-004
fixed_packages
0
url pkg:composer/drupal/drupal@8.1.10
purl pkg:composer/drupal/drupal@8.1.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ks17-b29e-73au
1
vulnerability VCID-tbk2-zprq-27c8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.1.10
aliases CVE-2016-7572
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jb63-xjup-1khv
2
url VCID-ughj-q27r-yfe2
vulnerability_id VCID-ughj-q27r-yfe2
summary
Cross-site Scripting in HTTP exceptions
An attacker can create a specially crafted URL, which can execute arbitrary code in the victim’s browser if loaded. Drupal is not properly sanitizing an exception.
references
0
reference_url https://www.drupal.org/SA-CORE-2016-004
reference_id
reference_type
scores
url https://www.drupal.org/SA-CORE-2016-004
fixed_packages
0
url pkg:composer/drupal/drupal@8.1.10
purl pkg:composer/drupal/drupal@8.1.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ks17-b29e-73au
1
vulnerability VCID-tbk2-zprq-27c8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.1.10
aliases CVE-2016-7571
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ughj-q27r-yfe2
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.1.10