VulnerableCode Package Details - pkg:composer/drupal/core@8.5.0-beta1

Vulnerabilities affecting this package (12)

Vulnerability	Summary	Fixed by
VCID-5jy9-mhbb-nuh7 Aliases: CVE-2020-28948 GHSA-jh5x-hfhg-78jq	Deserialization of Untrusted Data Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked.	8.9.10 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.0-alpha1 Affected by 0 other vulnerabilities. 9.0.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.1.0-alpha1 Affected by 0 other vulnerabilities.
VCID-6c6t-kmb3-2qcm Aliases: CVE-2019-10909 GHSA-g996-q5r8-w7g2	Cross-site Scripting In Symfony, validation messages are not escaped, which can lead to XSS when user input is included.	8.5.15 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.6.15 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-e12q-qavs-qybu Aliases: GMS-2019-147	Cross-site Scripting vulnerability in drupal.	8.6.12 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-e8un-nbkk-cbf9 Aliases: CVE-2019-6338 GHSA-6rmq-x2hv-vxpp	Deserialization of Untrusted Data Drupal core uses the third-party PEAR `Archive_Tar` library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.	8.6.6 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-jrhg-3271-tqdy Aliases: GMS-2018-56	Improper Access Control In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.	8.6.2 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-myja-t33q-q3cv Aliases: GMS-2018-52	Improper Access Control in drupal.	8.6.2 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-pgnc-fq4m-3kaz Aliases: GMS-2018-54	URL Redirection to Untrusted Site ('Open Redirect') Anonymous Open Redirect in drupal.	8.6.2 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-qsuc-53pg-zkda Aliases: GMS-2018-55	Code Injection Injection in `DefaultMailSystem::mail()`.	8.6.2 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-wszp-2es5-z7fy Aliases: CVE-2019-11831 GHSA-xv7v-rf6g-xwrc	Moderately critical - Third-party libraries - SA-CORE-2019-007 The `PharStreamWrapper` (aka `phar-stream-wrapper`) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a `phar:///path/bad.phar/../good.phar` URL.	8.6.16 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.7.1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-x34m-u169-1bce Aliases: CVE-2019-6339 GHSA-8cw5-rv98-5c46	Improper Input Validation A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted `phar://` URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.	8.5.9 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.6.6 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-yygb-pp11-5udj Aliases: GMS-2018-53	URL Redirection to Untrusted Site ('Open Redirect') External URL injection through URL aliases in drupal.	8.6.2 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-zvtm-9bd5-ufgy Aliases: SA-CORE-2018-003	XSS Vulnerability CKEditor, a third-party JavaScript library included in Drupal core, is affected by a cross-site scripting (XSS) vulnerability. It's possible to execute XSS inside CKEditor when using the `image2` plugin.	8.5.2 Affected by 13 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Next non-vulnerable version	8.8.12
Latest non-vulnerable version	11.2.8
Risk

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:41:33.383864+00:00	GitLab Importer	Affected by	VCID-5jy9-mhbb-nuh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2020-28948.yml	38.6.0
2026-06-04T20:21:36.309970+00:00	GitLab Importer	Affected by	VCID-6c6t-kmb3-2qcm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2019-10909.yml	38.6.0
2026-06-04T20:21:27.900107+00:00	GitLab Importer	Affected by	VCID-wszp-2es5-z7fy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2019-11831.yml	38.6.0
2026-06-04T20:20:00.554973+00:00	GitLab Importer	Affected by	VCID-e12q-qavs-qybu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2019-147.yml	38.6.0
2026-06-04T20:18:28.761834+00:00	GitLab Importer	Affected by	VCID-x34m-u169-1bce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2019-6339.yml	38.6.0
2026-06-04T20:18:27.682263+00:00	GitLab Importer	Affected by	VCID-e8un-nbkk-cbf9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/CVE-2019-6338.yml	38.6.0
2026-06-04T20:16:30.413346+00:00	GitLab Importer	Affected by	VCID-qsuc-53pg-zkda	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2018-55.yml	38.6.0
2026-06-04T20:16:24.804153+00:00	GitLab Importer	Affected by	VCID-myja-t33q-q3cv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2018-52.yml	38.6.0
2026-06-04T20:16:23.834535+00:00	GitLab Importer	Affected by	VCID-pgnc-fq4m-3kaz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2018-54.yml	38.6.0
2026-06-04T20:16:18.687202+00:00	GitLab Importer	Affected by	VCID-yygb-pp11-5udj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2018-53.yml	38.6.0
2026-06-04T20:16:14.879331+00:00	GitLab Importer	Affected by	VCID-jrhg-3271-tqdy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/GMS-2018-56.yml	38.6.0
2026-06-04T20:11:36.145780+00:00	GitLab Importer	Affected by	VCID-zvtm-9bd5-ufgy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/drupal/core/SA-CORE-2018-003.yml	38.6.0