{"url":"http://public2.vulnerablecode.io/api/packages/226818?format=json","purl":"pkg:composer/drupal/drupal@8.5.4","type":"composer","namespace":"drupal","name":"drupal","version":"8.5.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"10.2.11","latest_non_vulnerable_version":"11.0.8","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54918?format=json","vulnerability_id":"VCID-2w1s-g91k-xuhj","summary":"Drupal Cross-Site Scripting (XSS) affecting CKEditor Third-party library\nThe Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.\n\nVulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2021-05-26.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2021-05-26.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2021-005","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2021-005"},{"reference_url":"https://github.com/advisories/GHSA-qf65-hph9-453r","reference_id":"GHSA-qf65-hph9-453r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qf65-hph9-453r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81455?format=json","purl":"pkg:composer/drupal/drupal@8.9.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.16"},{"url":"http://public2.vulnerablecode.io/api/packages/81456?format=json","purl":"pkg:composer/drupal/drupal@9.1.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/81457?format=json","purl":"pkg:composer/drupal/drupal@9.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2g67-a42m-qfbh"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5nbj-5x5a-93hz"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9cr8-u5tp-yuc9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-upk3-jyze-e3gx"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-ydy1-x277-1fhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.2.4"}],"aliases":["GHSA-qf65-hph9-453r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2w1s-g91k-xuhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42389?format=json","vulnerability_id":"VCID-31qy-vagp-83b6","summary":"Exposure of Resource to Wrong Sphere\nInformation Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13670","reference_id":"","reference_type":"","scores":[{"value":"0.00427","scoring_system":"epss","scoring_elements":"0.62662","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00427","scoring_system":"epss","scoring_elements":"0.62706","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13670"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d"},{"reference_url":"https://www.drupal.org/sa-core-2020-011","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-011"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13670","reference_id":"CVE-2020-13670","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13670"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml","reference_id":"CVE-2020-13670.YAML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml","reference_id":"CVE-2020-13670.YAML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml"},{"reference_url":"https://github.com/advisories/GHSA-mmjr-5q74-p3m4","reference_id":"GHSA-mmjr-5q74-p3m4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mmjr-5q74-p3m4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60641?format=json","purl":"pkg:composer/drupal/drupal@8.8.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.10"},{"url":"http://public2.vulnerablecode.io/api/packages/60642?format=json","purl":"pkg:composer/drupal/drupal@8.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60643?format=json","purl":"pkg:composer/drupal/drupal@9.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.6"}],"aliases":["CVE-2020-13670","GHSA-mmjr-5q74-p3m4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-31qy-vagp-83b6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54828?format=json","vulnerability_id":"VCID-3dgm-qju3-aqh5","summary":"Drupal core Denial of Service\nA visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-1.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2019-009","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-009"},{"reference_url":"https://github.com/advisories/GHSA-w333-5f96-mjrr","reference_id":"GHSA-w333-5f96-mjrr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w333-5f96-mjrr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81361?format=json","purl":"pkg:composer/drupal/drupal@8.7.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tp81-dw6e-9qah"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.11"},{"url":"http://public2.vulnerablecode.io/api/packages/81362?format=json","purl":"pkg:composer/drupal/drupal@8.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-sg4r-hncm-dqcq"},{"vulnerability":"VCID-tp81-dw6e-9qah"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.1"}],"aliases":["GHSA-w333-5f96-mjrr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3dgm-qju3-aqh5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54877?format=json","vulnerability_id":"VCID-3qrs-sag2-v7g7","summary":"Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution\nThe Contextual Links module doesn't sufficiently validate the requested contextual links.\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"access contextual links\".","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-5.yaml","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-5.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2018-006"},{"reference_url":"https://github.com/advisories/GHSA-jjx7-8462-w4m4","reference_id":"GHSA-jjx7-8462-w4m4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jjx7-8462-w4m4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81346?format=json","purl":"pkg:composer/drupal/drupal@8.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-bndv-n7w9-43b4"},{"vulnerability":"VCID-dnc7-jg8m-8fh3"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-eyew-pw17-ryfj"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-nn8g-m52e-5kfe"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w3x8-db6e-kued"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.8"},{"url":"http://public2.vulnerablecode.io/api/packages/56784?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GHSA-jjx7-8462-w4m4"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3qrs-sag2-v7g7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45051?format=json","vulnerability_id":"VCID-3xk4-qwaq-5yaj","summary":"Improper Access Control\nUnder certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25278","reference_id":"","reference_type":"","scores":[{"value":"0.00479","scoring_system":"epss","scoring_elements":"0.6539","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00479","scoring_system":"epss","scoring_elements":"0.65441","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25278"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2022-013","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T18:39:47Z/"}],"url":"https://www.drupal.org/sa-core-2022-013"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25278","reference_id":"CVE-2022-25278","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25278"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25278.yaml","reference_id":"CVE-2022-25278.YAML","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25278.yaml"},{"reference_url":"https://github.com/advisories/GHSA-cfh2-7f6h-3m85","reference_id":"GHSA-cfh2-7f6h-3m85","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cfh2-7f6h-3m85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64971?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/64972?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-bge7-rqsx-gfee"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25278","GHSA-cfh2-7f6h-3m85"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3xk4-qwaq-5yaj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55745?format=json","vulnerability_id":"VCID-4p4c-7rdc-37fa","summary":"Drupal Full Path Disclosure\n`core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45440","reference_id":"","reference_type":"","scores":[{"value":"0.86689","scoring_system":"epss","scoring_elements":"0.9944","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45440"},{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/github/advisory-database/pull/4827","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/github/advisory-database/pull/4827"},{"reference_url":"https://www.drupal.org/project/drupal/issues/3457781","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:18:23Z/"}],"url":"https://www.drupal.org/project/drupal/issues/3457781"},{"reference_url":"https://www.drupal.org/project/drupal/releases/10.2.9","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/project/drupal/releases/10.2.9"},{"reference_url":"https://www.drupal.org/project/drupal/releases/10.3.6","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/project/drupal/releases/10.3.6"},{"reference_url":"https://www.drupal.org/project/drupal/releases/11.0.5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/project/drupal/releases/11.0.5"},{"reference_url":"https://www.exploit-db.com/exploits/52266","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/52266"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52266.py","reference_id":"CVE-2024-45440","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52266.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45440","reference_id":"CVE-2024-45440","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45440"},{"reference_url":"https://senscybersecurity.nl/CVE-2024-45440-Explained/","reference_id":"CVE-2024-45440-Explained","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T13:18:23Z/"}],"url":"https://senscybersecurity.nl/CVE-2024-45440-Explained/"},{"reference_url":"https://senscybersecurity.nl/CVE-2024-45440-Explained","reference_id":"CVE-2024-45440-EXPLAINED","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://senscybersecurity.nl/CVE-2024-45440-Explained"},{"reference_url":"https://github.com/advisories/GHSA-mg8j-w93w-xjgc","reference_id":"GHSA-mg8j-w93w-xjgc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mg8j-w93w-xjgc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82522?format=json","purl":"pkg:composer/drupal/drupal@10.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/758701?format=json","purl":"pkg:composer/drupal/drupal@10.3.0-beta1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.3.0-beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/82520?format=json","purl":"pkg:composer/drupal/drupal@10.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/758704?format=json","purl":"pkg:composer/drupal/drupal@11.0.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@11.0.0-alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/82521?format=json","purl":"pkg:composer/drupal/drupal@11.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@11.0.5"}],"aliases":["CVE-2024-45440","GHSA-mg8j-w93w-xjgc"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4p4c-7rdc-37fa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40980?format=json","vulnerability_id":"VCID-6c6t-kmb3-2qcm","summary":"Cross-site Scripting\nIn Symfony, validation messages are not escaped, which can lead to XSS when user input is included.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10909","reference_id":"","reference_type":"","scores":[{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.58063","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.58114","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10909"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14773","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14773"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19789","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19789"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19790","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19790"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10910","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10910"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10911","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10911"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10912","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10912"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10913","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10913"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-10909.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-10909.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-10909.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-10909.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2019-10909.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2019-10909.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10909.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10909.yaml"},{"reference_url":"https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2"},{"reference_url":"https://www.drupal.org/sa-core-2019-005","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-005"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_19","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.synology.com/security/advisory/Synology_SA_19_19"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10909","reference_id":"CVE-2019-10909","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10909"},{"reference_url":"https://symfony.com/cve-2019-10909","reference_id":"CVE-2019-10909","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/cve-2019-10909"},{"reference_url":"https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine","reference_id":"CVE-2019-10909-ESCAPE-VALIDATION-MESSAGES-IN-THE-PHP-TEMPLATING-ENGINE","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine"},{"reference_url":"https://github.com/advisories/GHSA-g996-q5r8-w7g2","reference_id":"GHSA-g996-q5r8-w7g2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g996-q5r8-w7g2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58016?format=json","purl":"pkg:composer/drupal/drupal@8.5.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.15"},{"url":"http://public2.vulnerablecode.io/api/packages/58017?format=json","purl":"pkg:composer/drupal/drupal@8.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.15"}],"aliases":["CVE-2019-10909","GHSA-g996-q5r8-w7g2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6c6t-kmb3-2qcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54908?format=json","vulnerability_id":"VCID-73y5-3fud-9bac","summary":"Drupal Anonymous Open Redirect\nDrupal core and contributed modules frequently use a \"destination\" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-3.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-3.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2018-006"},{"reference_url":"https://github.com/advisories/GHSA-x6v2-xmrq-574j","reference_id":"GHSA-x6v2-xmrq-574j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x6v2-xmrq-574j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81346?format=json","purl":"pkg:composer/drupal/drupal@8.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-bndv-n7w9-43b4"},{"vulnerability":"VCID-dnc7-jg8m-8fh3"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-eyew-pw17-ryfj"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-nn8g-m52e-5kfe"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w3x8-db6e-kued"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.8"},{"url":"http://public2.vulnerablecode.io/api/packages/56784?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GHSA-x6v2-xmrq-574j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-73y5-3fud-9bac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54864?format=json","vulnerability_id":"VCID-766t-bnd6-ckcb","summary":"Drupal Content moderation Access bypass\nIn some conditions, drupal content moderation fails to check a users access to use certain transitions, leading to an access bypass.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-1.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2018-006"},{"reference_url":"https://github.com/advisories/GHSA-86xw-vmcx-9mj4","reference_id":"GHSA-86xw-vmcx-9mj4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-86xw-vmcx-9mj4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81346?format=json","purl":"pkg:composer/drupal/drupal@8.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-bndv-n7w9-43b4"},{"vulnerability":"VCID-dnc7-jg8m-8fh3"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-eyew-pw17-ryfj"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-nn8g-m52e-5kfe"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w3x8-db6e-kued"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.8"},{"url":"http://public2.vulnerablecode.io/api/packages/56784?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GHSA-86xw-vmcx-9mj4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-766t-bnd6-ckcb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54922?format=json","vulnerability_id":"VCID-7n8f-bdkf-sqfu","summary":"Drupal core Access control bypass\nThe Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-3.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-3.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2019-011","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-011"},{"reference_url":"https://github.com/advisories/GHSA-5x28-3f32-x523","reference_id":"GHSA-5x28-3f32-x523","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5x28-3f32-x523"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81361?format=json","purl":"pkg:composer/drupal/drupal@8.7.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tp81-dw6e-9qah"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.11"},{"url":"http://public2.vulnerablecode.io/api/packages/81362?format=json","purl":"pkg:composer/drupal/drupal@8.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-sg4r-hncm-dqcq"},{"vulnerability":"VCID-tp81-dw6e-9qah"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.1"}],"aliases":["GHSA-5x28-3f32-x523"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7n8f-bdkf-sqfu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43516?format=json","vulnerability_id":"VCID-9nk8-dban-g7h9","summary":"Drupal Core Remote Code Execution Vulnerability\nSome field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6340","reference_id":"","reference_type":"","scores":[{"value":"0.9441","scoring_system":"epss","scoring_elements":"0.99979","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6340"},{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340"},{"reference_url":"https://www.drupal.org/sa-core-2019-003","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"https://www.drupal.org/sa-core-2019-003"},{"reference_url":"https://www.exploit-db.com/exploits/46452","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46452"},{"reference_url":"https://www.exploit-db.com/exploits/46459","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46459"},{"reference_url":"https://www.exploit-db.com/exploits/46510","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46510"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_09","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"https://www.synology.com/security/advisory/Synology_SA_19_09"},{"reference_url":"http://www.securityfocus.com/bid/107106","reference_id":"107106","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"http://www.securityfocus.com/bid/107106"},{"reference_url":"https://www.exploit-db.com/exploits/46452/","reference_id":"46452","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"https://www.exploit-db.com/exploits/46452/"},{"reference_url":"https://www.exploit-db.com/exploits/46459/","reference_id":"46459","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"https://www.exploit-db.com/exploits/46459/"},{"reference_url":"https://www.exploit-db.com/exploits/46510/","reference_id":"46510","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:47Z/"}],"url":"https://www.exploit-db.com/exploits/46510/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46510.rb","reference_id":"CVE-2019-6340","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46510.rb"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46452.txt","reference_id":"CVE-2019-6340","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46452.txt"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46459.py","reference_id":"CVE-2019-6340","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46459.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6340","reference_id":"CVE-2019-6340","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6340"},{"reference_url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/6ff18828c0273b7170469939a49e4b063d561799/modules/exploits/unix/webapp/drupal_restws_unserialize.rb","reference_id":"CVE-2019-6340","reference_type":"exploit","scores":[],"url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/6ff18828c0273b7170469939a49e4b063d561799/modules/exploits/unix/webapp/drupal_restws_unserialize.rb"},{"reference_url":"https://www.ambionics.io/blog/drupal8-rce","reference_id":"CVE-2019-6340","reference_type":"exploit","scores":[],"url":"https://www.ambionics.io/blog/drupal8-rce"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml","reference_id":"CVE-2019-6340.YAML","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml","reference_id":"CVE-2019-6340.YAML","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml"},{"reference_url":"https://github.com/advisories/GHSA-3gx6-h57h-rm27","reference_id":"GHSA-3gx6-h57h-rm27","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3gx6-h57h-rm27"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62773?format=json","purl":"pkg:composer/drupal/drupal@8.5.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.11"},{"url":"http://public2.vulnerablecode.io/api/packages/62774?format=json","purl":"pkg:composer/drupal/drupal@8.6.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.10"}],"aliases":["CVE-2019-6340","GHSA-3gx6-h57h-rm27"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9nk8-dban-g7h9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45048?format=json","vulnerability_id":"VCID-a7ss-tkb6-gkge","summary":"Improper access control\nIn some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the \"private\" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25275","reference_id":"","reference_type":"","scores":[{"value":"0.00579","scoring_system":"epss","scoring_elements":"0.69245","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00579","scoring_system":"epss","scoring_elements":"0.69285","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25275"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf"},{"reference_url":"https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116"},{"reference_url":"https://www.drupal.org/sa-core-2022-012","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-03T18:45:46Z/"}],"url":"https://www.drupal.org/sa-core-2022-012"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25275","reference_id":"CVE-2022-25275","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25275"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml","reference_id":"CVE-2022-25275.YAML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml"},{"reference_url":"https://github.com/advisories/GHSA-xh3v-6f9j-wxw3","reference_id":"GHSA-xh3v-6f9j-wxw3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xh3v-6f9j-wxw3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64971?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/64972?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-bge7-rqsx-gfee"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25275","GHSA-xh3v-6f9j-wxw3","GMS-2022-3362"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a7ss-tkb6-gkge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54881?format=json","vulnerability_id":"VCID-aqxx-kd18-pqgm","summary":"Drupal External URL injection through URL aliases leading to Open Redirect\nThe path module in Drupal allows users with the 'administer paths' to create pretty URLs for content.\nIn certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-2.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-2.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2018-006"},{"reference_url":"https://github.com/advisories/GHSA-r67r-42wx-c8r7","reference_id":"GHSA-r67r-42wx-c8r7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r67r-42wx-c8r7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81346?format=json","purl":"pkg:composer/drupal/drupal@8.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-bndv-n7w9-43b4"},{"vulnerability":"VCID-dnc7-jg8m-8fh3"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-eyew-pw17-ryfj"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-nn8g-m52e-5kfe"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w3x8-db6e-kued"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.8"},{"url":"http://public2.vulnerablecode.io/api/packages/56784?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GHSA-r67r-42wx-c8r7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aqxx-kd18-pqgm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42761?format=json","vulnerability_id":"VCID-ard5-3cjv-1beu","summary":"Improper Input Validation\nguzzlehttp/psr7 is a PSR-7 HTTP message library used in drupal. Versions prior to 1.8.4 and 2.1.1 is vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24775","reference_id":"","reference_type":"","scores":[{"value":"0.00931","scoring_system":"epss","scoring_elements":"0.76518","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00931","scoring_system":"epss","scoring_elements":"0.76489","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24775"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24775","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24775"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml"},{"reference_url":"https://github.com/guzzle/psr7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/guzzle/psr7"},{"reference_url":"https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1"},{"reference_url":"https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc"},{"reference_url":"https://www.drupal.org/sa-core-2022-006","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://www.drupal.org/sa-core-2022-006"},{"reference_url":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008236","reference_id":"1008236","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008236"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24775","reference_id":"CVE-2022-24775","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24775"},{"reference_url":"https://github.com/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"GHSA-q7rv-6hp3-vh96","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q7rv-6hp3-vh96"},{"reference_url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"GHSA-q7rv-6hp3-vh96","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:31Z/"}],"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96"},{"reference_url":"https://usn.ubuntu.com/6670-1/","reference_id":"USN-6670-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6670-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61060?format=json","purl":"pkg:composer/drupal/drupal@9.2.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5nbj-5x5a-93hz"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.2.16"},{"url":"http://public2.vulnerablecode.io/api/packages/564246?format=json","purl":"pkg:composer/drupal/drupal@9.3.0-alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.0-alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/61061?format=json","purl":"pkg:composer/drupal/drupal@9.3.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5nbj-5x5a-93hz"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-g1ew-tnk9-cuh7"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.9"},{"url":"http://public2.vulnerablecode.io/api/packages/564249?format=json","purl":"pkg:composer/drupal/drupal@10.0.0-alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.0.0-alpha1"}],"aliases":["CVE-2022-24775","GHSA-q7rv-6hp3-vh96"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ard5-3cjv-1beu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42386?format=json","vulnerability_id":"VCID-avmn-kqky-83dd","summary":"Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor\nCross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13669","reference_id":"","reference_type":"","scores":[{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42349","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42424","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13669"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2020-010","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-010"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13669","reference_id":"CVE-2020-13669","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13669"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13669.yaml","reference_id":"CVE-2020-13669.YAML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13669.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml","reference_id":"CVE-2020-13669.YAML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml"},{"reference_url":"https://github.com/advisories/GHSA-c533-c843-67h8","reference_id":"GHSA-c533-c843-67h8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c533-c843-67h8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60641?format=json","purl":"pkg:composer/drupal/drupal@8.8.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.10"},{"url":"http://public2.vulnerablecode.io/api/packages/60642?format=json","purl":"pkg:composer/drupal/drupal@8.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60643?format=json","purl":"pkg:composer/drupal/drupal@9.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.6"}],"aliases":["CVE-2020-13669","GHSA-c533-c843-67h8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-avmn-kqky-83dd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40349?format=json","vulnerability_id":"VCID-bndv-n7w9-43b4","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nAnonymous Open Redirect in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56784?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GMS-2018-60"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bndv-n7w9-43b4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40345?format=json","vulnerability_id":"VCID-dnc7-jg8m-8fh3","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nExternal URL injection through URL aliases in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56784?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GMS-2018-59"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dnc7-jg8m-8fh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45050?format=json","vulnerability_id":"VCID-dyhz-g3nv-yuc3","summary":"Lack of domain validation in Druple core\nThe Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25276","reference_id":"","reference_type":"","scores":[{"value":"0.01831","scoring_system":"epss","scoring_elements":"0.83257","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01831","scoring_system":"epss","scoring_elements":"0.83283","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25276"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2022-015","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2022-015"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25276","reference_id":"CVE-2022-25276","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25276"},{"reference_url":"https://github.com/advisories/GHSA-4wfq-jc9h-vpcx","reference_id":"GHSA-4wfq-jc9h-vpcx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4wfq-jc9h-vpcx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64971?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/64972?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-bge7-rqsx-gfee"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25276","GHSA-4wfq-jc9h-vpcx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dyhz-g3nv-yuc3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40839?format=json","vulnerability_id":"VCID-e69p-v2ws-vufj","summary":"Cross-site Scripting\nUnder certain circumstances the File `module/subsystem` allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6341","reference_id":"","reference_type":"","scores":[{"value":"0.47079","scoring_system":"epss","scoring_elements":"0.97742","published_at":"2026-06-05T12:55:00Z"},{"value":"0.47079","scoring_system":"epss","scoring_elements":"0.97739","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6341"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6341","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6341"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6341.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6341.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6341.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6341.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00003.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00003.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWHF4LALNBZCXMITWWVWKY3PNVYTM3N7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4KTET2PTSIS3ZZ4SGBRQEN6CCLV5SYX"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4SVTVIJ33XCFQ6X6XTVMQM3NPLP2WFS"},{"reference_url":"https://www.drupal.org/sa-core-2019-004","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-004"},{"reference_url":"https://www.drupal.org/SA-CORE-2019-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2019-004"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_13","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.synology.com/security/advisory/Synology_SA_19_13"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6341","reference_id":"CVE-2019-6341","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6341"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57660?format=json","purl":"pkg:composer/drupal/drupal@8.5.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.14"},{"url":"http://public2.vulnerablecode.io/api/packages/57661?format=json","purl":"pkg:composer/drupal/drupal@8.6.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.13"}],"aliases":["CVE-2019-6341","GHSA-cmmh-8mwp-gq5p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e69p-v2ws-vufj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40619?format=json","vulnerability_id":"VCID-e8un-nbkk-cbf9","summary":"Deserialization of Untrusted Data\nDrupal core uses the third-party PEAR `Archive_Tar` library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6338","reference_id":"","reference_type":"","scores":[{"value":"0.01047","scoring_system":"epss","scoring_elements":"0.77876","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01047","scoring_system":"epss","scoring_elements":"0.77849","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6338"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6338","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6338"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6339","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6339"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6338.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6338.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6338","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6338"},{"reference_url":"https://www.debian.org/security/2019/dsa-4370","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4370"},{"reference_url":"https://www.drupal.org/sa-core-2019-001","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-001"},{"reference_url":"http://www.securityfocus.com/bid/106706","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/106706"},{"reference_url":"https://github.com/advisories/GHSA-6rmq-x2hv-vxpp","reference_id":"GHSA-6rmq-x2hv-vxpp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6rmq-x2hv-vxpp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/144122?format=json","purl":"pkg:composer/drupal/drupal@8.5.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.9"},{"url":"http://public2.vulnerablecode.io/api/packages/57348?format=json","purl":"pkg:composer/drupal/drupal@8.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.6"}],"aliases":["CVE-2019-6338","GHSA-6rmq-x2hv-vxpp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e8un-nbkk-cbf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45057?format=json","vulnerability_id":"VCID-egtv-y9w1-skgr","summary":"Improper Input Validation\nDrupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25273","reference_id":"","reference_type":"","scores":[{"value":"0.0047","scoring_system":"epss","scoring_elements":"0.64955","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0047","scoring_system":"epss","scoring_elements":"0.64912","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25273"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2022-008","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-03T19:19:11Z/"}],"url":"https://www.drupal.org/sa-core-2022-008"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25273","reference_id":"CVE-2022-25273","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25273"},{"reference_url":"https://github.com/advisories/GHSA-g36h-4jr6-qmm9","reference_id":"GHSA-g36h-4jr6-qmm9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-g36h-4jr6-qmm9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64987?format=json","purl":"pkg:composer/drupal/drupal@9.2.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5nbj-5x5a-93hz"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.2.18"},{"url":"http://public2.vulnerablecode.io/api/packages/64979?format=json","purl":"pkg:composer/drupal/drupal@9.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5nbj-5x5a-93hz"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.12"}],"aliases":["CVE-2022-25273","GHSA-g36h-4jr6-qmm9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-egtv-y9w1-skgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40368?format=json","vulnerability_id":"VCID-eyew-pw17-ryfj","summary":"Improper Access Control in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56784?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GMS-2018-58"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eyew-pw17-ryfj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56330?format=json","vulnerability_id":"VCID-j7bj-atys-qfg3","summary":"Drupal core Access bypass\nDrupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-55634","reference_id":"","reference_type":"","scores":[{"value":"0.01148","scoring_system":"epss","scoring_elements":"0.7884","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-55634"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/7ae0e8f1824e15f8b2b06e4da09836250e85e934","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/7ae0e8f1824e15f8b2b06e4da09836250e85e934"},{"reference_url":"https://www.drupal.org/sa-core-2024-004","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-11T16:38:29Z/"}],"url":"https://www.drupal.org/sa-core-2024-004"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55634","reference_id":"CVE-2024-55634","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55634"},{"reference_url":"https://github.com/advisories/GHSA-7cwc-fjqm-8vh8","reference_id":"GHSA-7cwc-fjqm-8vh8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7cwc-fjqm-8vh8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83493?format=json","purl":"pkg:composer/drupal/drupal@10.2.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.2.11"},{"url":"http://public2.vulnerablecode.io/api/packages/83494?format=json","purl":"pkg:composer/drupal/drupal@10.3.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.3.9"},{"url":"http://public2.vulnerablecode.io/api/packages/83496?format=json","purl":"pkg:composer/drupal/drupal@11.0.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@11.0.8"}],"aliases":["CVE-2024-55634","GHSA-7cwc-fjqm-8vh8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j7bj-atys-qfg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54880?format=json","vulnerability_id":"VCID-n318-rcfy-uybg","summary":"Drupal Malicious file upload with filenames stating with dot\nDrupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.\n\nUsers with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.\n\nAfter this fix, file_save_upload() now trims leading and trailing dots from filenames.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-2.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-2.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2019-010","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-010"},{"reference_url":"https://github.com/advisories/GHSA-58xv-7h9r-mx3c","reference_id":"GHSA-58xv-7h9r-mx3c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-58xv-7h9r-mx3c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81361?format=json","purl":"pkg:composer/drupal/drupal@8.7.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tp81-dw6e-9qah"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.11"},{"url":"http://public2.vulnerablecode.io/api/packages/81362?format=json","purl":"pkg:composer/drupal/drupal@8.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-sg4r-hncm-dqcq"},{"vulnerability":"VCID-tp81-dw6e-9qah"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.1"}],"aliases":["GHSA-58xv-7h9r-mx3c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n318-rcfy-uybg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42392?format=json","vulnerability_id":"VCID-nacy-y1qt-5yhb","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nAccess Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13668","reference_id":"","reference_type":"","scores":[{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44935","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45004","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13668"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8"},{"reference_url":"https://github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb"},{"reference_url":"https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2"},{"reference_url":"https://www.drupal.org/sa-core-2020-009","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-009"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13668","reference_id":"CVE-2020-13668","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13668"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml","reference_id":"CVE-2020-13668.YAML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml","reference_id":"CVE-2020-13668.YAML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml"},{"reference_url":"https://github.com/advisories/GHSA-m6q5-wv4x-fv6h","reference_id":"GHSA-m6q5-wv4x-fv6h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m6q5-wv4x-fv6h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60641?format=json","purl":"pkg:composer/drupal/drupal@8.8.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.10"},{"url":"http://public2.vulnerablecode.io/api/packages/60642?format=json","purl":"pkg:composer/drupal/drupal@8.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60643?format=json","purl":"pkg:composer/drupal/drupal@9.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.6"}],"aliases":["CVE-2020-13668","GHSA-m6q5-wv4x-fv6h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nacy-y1qt-5yhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40347?format=json","vulnerability_id":"VCID-nn8g-m52e-5kfe","summary":"Code Injection\nInjection in `DefaultMailSystem::mail()`.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56784?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GMS-2018-61"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nn8g-m52e-5kfe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54811?format=json","vulnerability_id":"VCID-pxwv-fhy9-ckfm","summary":"Drupal core uses a vulnerable Third-party library CKEditor\nThe Drupal project uses the third-party library [CKEditor](https://github.com/ckeditor/ckeditor4), which has released a [security improvement](https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed) that is needed to protect some Drupal configurations.\n\nVulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.\n\nThe latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-03-18.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-03-18.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2020-001","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-001"},{"reference_url":"https://github.com/advisories/GHSA-337w-fxpq-5m34","reference_id":"GHSA-337w-fxpq-5m34","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-337w-fxpq-5m34"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76833?format=json","purl":"pkg:composer/drupal/drupal@8.7.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.12"},{"url":"http://public2.vulnerablecode.io/api/packages/76834?format=json","purl":"pkg:composer/drupal/drupal@8.8.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-sg4r-hncm-dqcq"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.4"}],"aliases":["GHSA-337w-fxpq-5m34"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pxwv-fhy9-ckfm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45056?format=json","vulnerability_id":"VCID-rd4g-h1j9-23cb","summary":"Unrestricted Upload of File with Dangerous Type\nDrupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously does not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25277","reference_id":"","reference_type":"","scores":[{"value":"0.02448","scoring_system":"epss","scoring_elements":"0.85496","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02448","scoring_system":"epss","scoring_elements":"0.85472","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25277"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17"},{"reference_url":"https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a"},{"reference_url":"https://www.drupal.org/sa-core-2022-014","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-03T18:41:13Z/"}],"url":"https://www.drupal.org/sa-core-2022-014"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25277","reference_id":"CVE-2022-25277","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25277"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml","reference_id":"CVE-2022-25277.YAML","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml"},{"reference_url":"https://github.com/advisories/GHSA-6955-67hm-vjjq","reference_id":"GHSA-6955-67hm-vjjq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6955-67hm-vjjq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64971?format=json","purl":"pkg:composer/drupal/drupal@9.3.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/64972?format=json","purl":"pkg:composer/drupal/drupal@9.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-bge7-rqsx-gfee"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3"}],"aliases":["CVE-2022-25277","GHSA-6955-67hm-vjjq","GMS-2022-3361"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rd4g-h1j9-23cb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40821?format=json","vulnerability_id":"VCID-tbah-jrah-a3fg","summary":"Cross-site Scripting vulnerability in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2019-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2019-004"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57615?format=json","purl":"pkg:composer/drupal/drupal@8.6.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.12"}],"aliases":["GMS-2019-148"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tbah-jrah-a3fg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54861?format=json","vulnerability_id":"VCID-tcan-28ga-j3h1","summary":"Drupal core Multiple vulnerabilities due to the use of the third-party library Archive_Tar\nThe Drupal project uses the third-party library [Archive_Tar](https://pear.php.net/package/Archive_Tar/), which has released a security improvement that is needed to protect some Drupal configurations.\n\nMultiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.\n\nThe latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-4.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-4.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2019-012","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-012"},{"reference_url":"https://github.com/advisories/GHSA-m9fv-whq2-6wmc","reference_id":"GHSA-m9fv-whq2-6wmc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m9fv-whq2-6wmc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81361?format=json","purl":"pkg:composer/drupal/drupal@8.7.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tp81-dw6e-9qah"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.11"},{"url":"http://public2.vulnerablecode.io/api/packages/81362?format=json","purl":"pkg:composer/drupal/drupal@8.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-sg4r-hncm-dqcq"},{"vulnerability":"VCID-tp81-dw6e-9qah"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.1"}],"aliases":["GHSA-m9fv-whq2-6wmc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tcan-28ga-j3h1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3853?format=json","vulnerability_id":"VCID-tpzm-u3qp-akc8","summary":"multiple issues","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13672","reference_id":"","reference_type":"","scores":[{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.6851","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00555","scoring_system":"epss","scoring_elements":"0.68469","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13672"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2021-002","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2021-002"},{"reference_url":"https://security.archlinux.org/AVG-1463","reference_id":"AVG-1463","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1463"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13672","reference_id":"CVE-2020-13672","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13672"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13672.yaml","reference_id":"CVE-2020-13672.YAML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13672.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13672.yaml","reference_id":"CVE-2020-13672.YAML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13672.yaml"},{"reference_url":"https://github.com/advisories/GHSA-3m36-mjwj-352c","reference_id":"GHSA-3m36-mjwj-352c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3m36-mjwj-352c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60646?format=json","purl":"pkg:composer/drupal/drupal@8.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.14"},{"url":"http://public2.vulnerablecode.io/api/packages/60647?format=json","purl":"pkg:composer/drupal/drupal@9.0.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.12"},{"url":"http://public2.vulnerablecode.io/api/packages/60648?format=json","purl":"pkg:composer/drupal/drupal@9.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.1.7"}],"aliases":["CVE-2020-13672","GHSA-3m36-mjwj-352c"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tpzm-u3qp-akc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54820?format=json","vulnerability_id":"VCID-vjz6-xgk6-mycf","summary":"Drupal core Remote Code Execution\nIn Drupal core, when sending email some variables were not being sanitized for shell arguments in `DefaultMailSystem::mail()`, which could lead to remote code execution.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-4.yaml","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-4.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2018-006"},{"reference_url":"https://github.com/advisories/GHSA-jf8c-36vw-98x4","reference_id":"GHSA-jf8c-36vw-98x4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jf8c-36vw-98x4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81346?format=json","purl":"pkg:composer/drupal/drupal@8.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-bndv-n7w9-43b4"},{"vulnerability":"VCID-dnc7-jg8m-8fh3"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-eyew-pw17-ryfj"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-nn8g-m52e-5kfe"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w3x8-db6e-kued"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.8"},{"url":"http://public2.vulnerablecode.io/api/packages/56784?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GHSA-jf8c-36vw-98x4"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vjz6-xgk6-mycf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40348?format=json","vulnerability_id":"VCID-w3x8-db6e-kued","summary":"Improper Access Control\nIn some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56784?format=json","purl":"pkg:composer/drupal/drupal@8.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.2"}],"aliases":["GMS-2018-62"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w3x8-db6e-kued"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41563?format=json","vulnerability_id":"VCID-wsv7-je8g-sqet","summary":"Drupal core Unrestricted Upload of File with Dangerous Type\nDrupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13671","reference_id":"","reference_type":"","scores":[{"value":"0.04504","scoring_system":"epss","scoring_elements":"0.89338","published_at":"2026-06-05T12:55:00Z"},{"value":"0.04504","scoring_system":"epss","scoring_elements":"0.8932","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13671"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671"},{"reference_url":"https://www.drupal.org/sa-core-2020-012","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/"}],"url":"https://www.drupal.org/sa-core-2020-012"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/","reference_id":"5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13671","reference_id":"CVE-2020-13671","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13671"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml","reference_id":"CVE-2020-13671.YAML","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml","reference_id":"CVE-2020-13671.YAML","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml"},{"reference_url":"https://github.com/advisories/GHSA-68jc-v27h-vhmw","reference_id":"GHSA-68jc-v27h-vhmw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-68jc-v27h-vhmw"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/","reference_id":"KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:38:31Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/"},{"reference_url":"https://usn.ubuntu.com/6981-1/","reference_id":"USN-6981-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6981-1/"},{"reference_url":"https://usn.ubuntu.com/6981-2/","reference_id":"USN-6981-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6981-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59241?format=json","purl":"pkg:composer/drupal/drupal@8.8.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.11"},{"url":"http://public2.vulnerablecode.io/api/packages/59242?format=json","purl":"pkg:composer/drupal/drupal@8.9.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.9"},{"url":"http://public2.vulnerablecode.io/api/packages/59243?format=json","purl":"pkg:composer/drupal/drupal@9.0.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-xv4d-ped2-4udz"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.8"}],"aliases":["CVE-2020-13671","GHSA-68jc-v27h-vhmw"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wsv7-je8g-sqet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40969?format=json","vulnerability_id":"VCID-wszp-2es5-z7fy","summary":"Moderately critical - Third-party libraries - SA-CORE-2019-007\nThe `PharStreamWrapper` (aka `phar-stream-wrapper`) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a `phar:///path/bad.phar/../good.phar` URL.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11831","reference_id":"","reference_type":"","scores":[{"value":"0.28615","scoring_system":"epss","scoring_elements":"0.96626","published_at":"2026-06-05T12:55:00Z"},{"value":"0.28615","scoring_system":"epss","scoring_elements":"0.96622","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11831"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-11831.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-11831.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-11831.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-11831.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11831.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/phar-stream-wrapper/CVE-2019-11831.yaml"},{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/phar-stream-wrapper"},{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"},{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/"},{"reference_url":"https://seclists.org/bugtraq/2019/May/36","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://seclists.org/bugtraq/2019/May/36"},{"reference_url":"https://typo3.org/security/advisory/typo3-psa-2019-007","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://typo3.org/security/advisory/typo3-psa-2019-007"},{"reference_url":"https://typo3.org/security/advisory/typo3-psa-2019-007/","reference_id":"","reference_type":"","scores":[],"url":"https://typo3.org/security/advisory/typo3-psa-2019-007/"},{"reference_url":"https://www.debian.org/security/2019/dsa-4445","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4445"},{"reference_url":"https://www.drupal.org/sa-core-2019-007","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-007"},{"reference_url":"https://www.drupal.org/SA-CORE-2019-007","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2019-007"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_22","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.synology.com/security/advisory/Synology_SA_19_22"},{"reference_url":"http://www.securityfocus.com/bid/108302","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/108302"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11831","reference_id":"CVE-2019-11831","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11831"},{"reference_url":"https://github.com/advisories/GHSA-xv7v-rf6g-xwrc","reference_id":"GHSA-xv7v-rf6g-xwrc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xv7v-rf6g-xwrc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57983?format=json","purl":"pkg:composer/drupal/drupal@8.6.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.16"},{"url":"http://public2.vulnerablecode.io/api/packages/57984?format=json","purl":"pkg:composer/drupal/drupal@8.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-jed8-4cv5-6bcr"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tp81-dw6e-9qah"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-vjrr-h9sh-3bcu"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.7.1"}],"aliases":["CVE-2019-11831","GHSA-xv7v-rf6g-xwrc"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wszp-2es5-z7fy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40621?format=json","vulnerability_id":"VCID-x34m-u169-1bce","summary":"Improper Input Validation\nA remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted `phar://` URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6339","reference_id":"","reference_type":"","scores":[{"value":"0.76091","scoring_system":"epss","scoring_elements":"0.98939","published_at":"2026-06-04T12:55:00Z"},{"value":"0.76091","scoring_system":"epss","scoring_elements":"0.9894","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-6339"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6338","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6338"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6339","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6339"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6339.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6339.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6339.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6339.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6339","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6339"},{"reference_url":"https://www.debian.org/security/2019/dsa-4370","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4370"},{"reference_url":"https://www.drupal.org/sa-core-2019-002","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2019-002"},{"reference_url":"https://github.com/advisories/GHSA-8cw5-rv98-5c46","reference_id":"GHSA-8cw5-rv98-5c46","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8cw5-rv98-5c46"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/144122?format=json","purl":"pkg:composer/drupal/drupal@8.5.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.9"},{"url":"http://public2.vulnerablecode.io/api/packages/57348?format=json","purl":"pkg:composer/drupal/drupal@8.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3dgm-qju3-aqh5"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6c6t-kmb3-2qcm"},{"vulnerability":"VCID-7n8f-bdkf-sqfu"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e69p-v2ws-vufj"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-n318-rcfy-uybg"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-pxwv-fhy9-ckfm"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tbah-jrah-a3fg"},{"vulnerability":"VCID-tcan-28ga-j3h1"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-xz7z-trbh-j7dk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.6.6"}],"aliases":["CVE-2019-6339","GHSA-8cw5-rv98-5c46"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x34m-u169-1bce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54816?format=json","vulnerability_id":"VCID-xz7z-trbh-j7dk","summary":"Drupal core Arbitrary PHP code execution\nThe Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:\nCVE-2020-28948\nCVE-2020-28949\n\nMultiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.\n\nTo mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-11-25.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-11-25.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2020-013","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-013"},{"reference_url":"https://github.com/advisories/GHSA-j66p-fvp2-fxhj","reference_id":"GHSA-j66p-fvp2-fxhj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j66p-fvp2-fxhj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79185?format=json","purl":"pkg:composer/drupal/drupal@8.8.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.8.12"},{"url":"http://public2.vulnerablecode.io/api/packages/79186?format=json","purl":"pkg:composer/drupal/drupal@8.9.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.10"},{"url":"http://public2.vulnerablecode.io/api/packages/79187?format=json","purl":"pkg:composer/drupal/drupal@9.0.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w1s-g91k-xuhj"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4p4c-7rdc-37fa"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-6x4v-da7x-uyhh"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-b266-wste-eqh6"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-j7bj-atys-qfg3"},{"vulnerability":"VCID-qwge-qrwn-1faj"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-xv4d-ped2-4udz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.9"}],"aliases":["GHSA-j66p-fvp2-fxhj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xz7z-trbh-j7dk"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.5.4"}