VulnerableCode Package Details - pkg:composer/drupal/core-recommended@8.2.3

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/drupal/core-recommended@8.2.3

Essentials
History (13)

purl	pkg:composer/drupal/core-recommended@8.2.3

Next non-vulnerable version	10.2.11
Latest non-vulnerable version	11.0.8
Risk	10.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-gbz5-5frj-hber Aliases: CVE-2020-28949 GHSA-75c5-f4gw-38r9	Multiple vulnerabilities through filename manipulation in Archive_Tar Archive_Tar through 1.4.10 has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed. See: https://github.com/pear/Archive_Tar/issues/33	8.9.10 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.0.0-alpha1 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.0.9 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.1.0-alpha1 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-u4w3-usvb-jyf6 Aliases: CVE-2024-45440 GHSA-mg8j-w93w-xjgc	Drupal Full Path Disclosure `core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist.	10.2.9 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.3.0-beta1 Affected by 0 other vulnerabilities. 10.3.6 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-alpha1 Affected by 0 other vulnerabilities. 11.0.5 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ummk-h11z-bkaj Aliases: CVE-2022-39261 GHSA-52m2-vc4m-jj33	Twig may load a template outside a configured directory when using the filesystem loader # Description When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed). # Resolution We fixed validation for such template names. Even if the 1.x branch is not maintained anymore, a new version has been released. # Credits We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.	9.3.22 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.4.0-alpha1 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.4.7 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.5.0-beta1 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-v9v6-ae3e-g3hk Aliases: CVE-2020-28948 GHSA-jh5x-hfhg-78jq	Deserialization of Untrusted Data in Archive_Tar Archive_Tar through 1.4.10 allows an unserialization attack because `phar:` is blocked but `PHAR:` is not blocked. See: https://github.com/pear/Archive_Tar/issues/33	8.9.10 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.0.0-alpha1 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.0.9 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.1.0-alpha1 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-vevm-4sfk-f7gq Aliases: CVE-2024-55634 GHSA-7cwc-fjqm-8vh8	Drupal core Access bypass Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.	10.2.11 Affected by 0 other vulnerabilities. 10.3.9 Affected by 0 other vulnerabilities. 11.0.8 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T00:35:20.282078+00:00	GitLab Importer	Affected by	VCID-vevm-4sfk-f7gq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2024-55634.yml	38.3.0
2026-04-12T00:24:53.729320+00:00	GitLab Importer	Affected by	VCID-u4w3-usvb-jyf6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2024-45440.yml	38.3.0
2026-04-11T23:28:03.702966+00:00	GitLab Importer	Affected by	VCID-ummk-h11z-bkaj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2022-39261.yml	38.3.0
2026-04-11T22:26:22.399153+00:00	GitLab Importer	Affected by	VCID-gbz5-5frj-hber	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2020-28949.yml	38.3.0
2026-04-11T22:26:18.847575+00:00	GitLab Importer	Affected by	VCID-v9v6-ae3e-g3hk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2020-28948.yml	38.3.0
2026-04-03T00:43:07.395091+00:00	GitLab Importer	Affected by	VCID-vevm-4sfk-f7gq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2024-55634.yml	38.1.0
2026-04-03T00:32:29.322013+00:00	GitLab Importer	Affected by	VCID-u4w3-usvb-jyf6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2024-45440.yml	38.1.0
2026-04-02T23:33:52.903511+00:00	GitLab Importer	Affected by	VCID-ummk-h11z-bkaj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2022-39261.yml	38.1.0
2026-04-02T22:38:06.849292+00:00	GitLab Importer	Affected by	VCID-gbz5-5frj-hber	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2020-28949.yml	38.1.0
2026-04-02T22:38:03.703439+00:00	GitLab Importer	Affected by	VCID-v9v6-ae3e-g3hk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2020-28948.yml	38.1.0
2026-04-01T17:55:48.831399+00:00	GitLab Importer	Affected by	VCID-ummk-h11z-bkaj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2022-39261.yml	38.0.0
2026-04-01T16:55:31.979074+00:00	GitLab Importer	Affected by	VCID-gbz5-5frj-hber	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2020-28949.yml	38.0.0
2026-04-01T16:55:28.497839+00:00	GitLab Importer	Affected by	VCID-v9v6-ae3e-g3hk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core-recommended/CVE-2020-28948.yml	38.0.0