Search for packages
| purl | pkg:composer/drupal/core-recommended@9.2.7 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1nf6-3q5b-gqfm
Aliases: CVE-2024-55636 GHSA-938f-5r4f-h65v |
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2s8m-ujzb-skd1
Aliases: CVE-2024-55637 GHSA-w6rx-9g2x-mg5g |
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-674z-nf4t-b7ez
Aliases: CVE-2022-29248 GHSA-cwmx-hcrq-mhc3 |
Cross-domain cookie leakage in Guzzle ### Impact Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at `www.example.com` might set a session cookie for `api.example.net`, logging the Guzzle client into their account and retrieving private API requests from the security log of their account. Note that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with `['cookies' => true]` are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. ### Patches Affected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3. ### Workarounds If you do not need support for cookies, turn off the cookie middleware. It is already off by default, but if you have turned it on and no longer need it, turn it off. ### References * [RFC6265 Section 5.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) * [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx) ### For more information If you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy). |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-b4yh-gyrx-3yhh
Aliases: CVE-2022-25270 GHSA-73q4-j324-2qcc |
Incorrect Authorization The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. |
Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-q4qx-7s1y-q3hc
Aliases: CVE-2024-12393 GHSA-8mvq-8h2v-j9vf |
Drupal Core Cross-Site Scripting (XSS) Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-rdgr-yuu7-xkey
Aliases: CVE-2024-55638 GHSA-gvf2-2f4g-jqf4 |
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-u4w3-usvb-jyf6
Aliases: CVE-2024-45440 GHSA-mg8j-w93w-xjgc |
Drupal Full Path Disclosure `core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-ummk-h11z-bkaj
Aliases: CVE-2022-39261 GHSA-52m2-vc4m-jj33 |
Twig may load a template outside a configured directory when using the filesystem loader # Description When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed). # Resolution We fixed validation for such template names. Even if the 1.x branch is not maintained anymore, a new version has been released. # Credits We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-vevm-4sfk-f7gq
Aliases: CVE-2024-55634 GHSA-7cwc-fjqm-8vh8 |
Drupal core Access bypass Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zw3u-6ue7-efdf
Aliases: CVE-2022-25271 GHSA-fmfv-x8mp-5767 |
Improper Input Validation Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. |
Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||