{"url":"http://public2.vulnerablecode.io/api/packages/52630?format=json","purl":"pkg:composer/drupal/core@8.0.0","type":"composer","namespace":"drupal","name":"core","version":"8.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"8.0.4","latest_non_vulnerable_version":"11.2.8","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40623?format=json","vulnerability_id":"VCID-2989-fmjz-nkby","summary":"Missing Authorization\nWhen creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2017-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2017-004"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57331?format=json","purl":"pkg:composer/drupal/core@8.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.3.0"}],"aliases":["CVE-2017-6923"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2989-fmjz-nkby"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5227?format=json","vulnerability_id":"VCID-2fas-m6vh-myhc","summary":"multiple issues","references":[{"reference_url":"https://github.com/drupal/core/commit/7a9bef4b4750d79ab42498e459012cabe4c4bd8b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/7a9bef4b4750d79ab42498e459012cabe4c4bd8b"},{"reference_url":"https://www.drupal.org/sa-core-2021-010","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2021-010"},{"reference_url":"https://security.archlinux.org/AVG-2407","reference_id":"AVG-2407","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2407"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13677","reference_id":"CVE-2020-13677","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13677"},{"reference_url":"https://github.com/advisories/GHSA-3xr3-phjp-g6p2","reference_id":"GHSA-3xr3-phjp-g6p2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3xr3-phjp-g6p2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60653?format=json","purl":"pkg:composer/drupal/core@8.9.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.9.19"},{"url":"http://public2.vulnerablecode.io/api/packages/60639?format=json","purl":"pkg:composer/drupal/core@9.1.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.1.13"},{"url":"http://public2.vulnerablecode.io/api/packages/60640?format=json","purl":"pkg:composer/drupal/core@9.2.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.2.6"}],"aliases":["CVE-2020-13677","GHSA-3xr3-phjp-g6p2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2fas-m6vh-myhc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5228?format=json","vulnerability_id":"VCID-2t34-82p3-73c3","summary":"multiple issues","references":[{"reference_url":"https://www.drupal.org/sa-core-2021-009","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2021-009"},{"reference_url":"https://security.archlinux.org/AVG-2407","reference_id":"AVG-2407","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2407"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13676","reference_id":"CVE-2020-13676","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13676"},{"reference_url":"https://github.com/advisories/GHSA-qfhg-m6r8-xxpj","reference_id":"GHSA-qfhg-m6r8-xxpj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qfhg-m6r8-xxpj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60639?format=json","purl":"pkg:composer/drupal/core@9.1.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.1.13"},{"url":"http://public2.vulnerablecode.io/api/packages/60640?format=json","purl":"pkg:composer/drupal/core@9.2.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.2.6"}],"aliases":["CVE-2020-13676","GHSA-qfhg-m6r8-xxpj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2t34-82p3-73c3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42389?format=json","vulnerability_id":"VCID-31qy-vagp-83b6","summary":"Exposure of Resource to Wrong Sphere\nInformation Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d"},{"reference_url":"https://www.drupal.org/sa-core-2020-011","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2020-011"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13670","reference_id":"CVE-2020-13670","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13670"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml","reference_id":"CVE-2020-13670.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml","reference_id":"CVE-2020-13670.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml"},{"reference_url":"https://github.com/advisories/GHSA-mmjr-5q74-p3m4","reference_id":"GHSA-mmjr-5q74-p3m4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mmjr-5q74-p3m4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60651?format=json","purl":"pkg:composer/drupal/core@8.9.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60652?format=json","purl":"pkg:composer/drupal/core@9.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.6"}],"aliases":["CVE-2020-13670","GHSA-mmjr-5q74-p3m4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-31qy-vagp-83b6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45051?format=json","vulnerability_id":"VCID-3xk4-qwaq-5yaj","summary":"Improper Access Control\nUnder certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.","references":[{"reference_url":"https://www.drupal.org/sa-core-2022-013","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2022-013"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25278","reference_id":"CVE-2022-25278","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25278"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25278.yaml","reference_id":"CVE-2022-25278.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25278.yaml"},{"reference_url":"https://github.com/advisories/GHSA-cfh2-7f6h-3m85","reference_id":"GHSA-cfh2-7f6h-3m85","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cfh2-7f6h-3m85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64975?format=json","purl":"pkg:composer/drupal/core@9.3.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/64976?format=json","purl":"pkg:composer/drupal/core@9.4.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.3"}],"aliases":["CVE-2022-25278","GHSA-cfh2-7f6h-3m85"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3xk4-qwaq-5yaj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39576?format=json","vulnerability_id":"VCID-4dpp-gg2v-q3et","summary":"Cross-site Scripting\nXSS vulnerabiltiy in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-003","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-003"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55214?format=json","purl":"pkg:composer/drupal/core@8.4.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.4.7"},{"url":"http://public2.vulnerablecode.io/api/packages/55215?format=json","purl":"pkg:composer/drupal/core@8.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.2"}],"aliases":["GMS-2018-51"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4dpp-gg2v-q3et"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38082?format=json","vulnerability_id":"VCID-56ze-2yw2-bfh8","summary":"Reflected file download vulnerability\nThe System module in Drupal might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52631?format=json","purl":"pkg:composer/drupal/core@8.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.4"}],"aliases":["CVE-2016-3168"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-56ze-2yw2-bfh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38077?format=json","vulnerability_id":"VCID-5c5c-m7ba-kqct","summary":"Open redirect via double-encoded 'destination' parameter\nOpen redirect vulnerability in the `drupal_goto` function in Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the `destination` parameter.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52631?format=json","purl":"pkg:composer/drupal/core@8.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.4"}],"aliases":["CVE-2016-3167"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5c5c-m7ba-kqct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5230?format=json","vulnerability_id":"VCID-7v89-2sss-hfaz","summary":"multiple issues","references":[{"reference_url":"https://www.drupal.org/sa-core-2021-007","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2021-007"},{"reference_url":"https://security.archlinux.org/AVG-2407","reference_id":"AVG-2407","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2407"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13674","reference_id":"CVE-2020-13674","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13674"},{"reference_url":"https://github.com/advisories/GHSA-j586-cj67-vg4p","reference_id":"GHSA-j586-cj67-vg4p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j586-cj67-vg4p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60639?format=json","purl":"pkg:composer/drupal/core@9.1.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.1.13"},{"url":"http://public2.vulnerablecode.io/api/packages/60640?format=json","purl":"pkg:composer/drupal/core@9.2.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.2.6"}],"aliases":["CVE-2020-13674","GHSA-j586-cj67-vg4p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7v89-2sss-hfaz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43516?format=json","vulnerability_id":"VCID-9nk8-dban-g7h9","summary":"Drupal Core Remote Code Execution Vulnerability\nSome field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340","reference_id":"","reference_type":"","scores":[],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340"},{"reference_url":"https://www.drupal.org/sa-core-2019-003","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2019-003"},{"reference_url":"https://www.exploit-db.com/exploits/46452","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/46452"},{"reference_url":"https://www.exploit-db.com/exploits/46459","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/46459"},{"reference_url":"https://www.exploit-db.com/exploits/46510","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/46510"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_09","reference_id":"","reference_type":"","scores":[],"url":"https://www.synology.com/security/advisory/Synology_SA_19_09"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6340","reference_id":"CVE-2019-6340","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6340"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml","reference_id":"CVE-2019-6340.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6340.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml","reference_id":"CVE-2019-6340.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6340.yaml"},{"reference_url":"https://github.com/advisories/GHSA-3gx6-h57h-rm27","reference_id":"GHSA-3gx6-h57h-rm27","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3gx6-h57h-rm27"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62443?format=json","purl":"pkg:composer/drupal/core@8.5.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.11"},{"url":"http://public2.vulnerablecode.io/api/packages/62441?format=json","purl":"pkg:composer/drupal/core@8.6.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.10"}],"aliases":["CVE-2019-6340","GHSA-3gx6-h57h-rm27"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9nk8-dban-g7h9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48406?format=json","vulnerability_id":"VCID-a3s2-c4k2-4ufn","summary":"Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.","references":[{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2025-008","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2025-008"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13083","reference_id":"CVE-2025-13083","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13083"},{"reference_url":"https://github.com/advisories/GHSA-mhpg-hpj5-73r2","reference_id":"GHSA-mhpg-hpj5-73r2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mhpg-hpj5-73r2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71441?format=json","purl":"pkg:composer/drupal/core@10.4.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/71442?format=json","purl":"pkg:composer/drupal/core@10.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/71443?format=json","purl":"pkg:composer/drupal/core@11.1.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/71444?format=json","purl":"pkg:composer/drupal/core@11.2.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8"}],"aliases":["CVE-2025-13083","GHSA-mhpg-hpj5-73r2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a3s2-c4k2-4ufn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4273?format=json","vulnerability_id":"VCID-a4u4-ga84-wyf9","summary":"arbitrary command execution","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7602","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7602"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7602","reference_id":"","reference_type":"","scores":[],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7602"},{"reference_url":"https://www.debian.org/security/2018/dsa-4180","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2018/dsa-4180"},{"reference_url":"https://www.drupal.org/sa-core-2018-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-004"},{"reference_url":"https://www.exploit-db.com/exploits/44542","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/44542"},{"reference_url":"https://www.exploit-db.com/exploits/44557","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/44557"},{"reference_url":"https://security.archlinux.org/ASA-201804-10","reference_id":"ASA-201804-10","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201804-10"},{"reference_url":"https://security.archlinux.org/AVG-679","reference_id":"AVG-679","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-679"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7602","reference_id":"CVE-2018-7602","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7602"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2018-7602.yaml","reference_id":"CVE-2018-7602.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2018-7602.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2018-7602.yaml","reference_id":"CVE-2018-7602.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2018-7602.yaml"},{"reference_url":"https://github.com/advisories/GHSA-297x-j9pm-xjgg","reference_id":"GHSA-297x-j9pm-xjgg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-297x-j9pm-xjgg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69863?format=json","purl":"pkg:composer/drupal/core@8.4.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.4.8"},{"url":"http://public2.vulnerablecode.io/api/packages/69864?format=json","purl":"pkg:composer/drupal/core@8.5.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.3"}],"aliases":["CVE-2018-7602","GHSA-297x-j9pm-xjgg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a4u4-ga84-wyf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45048?format=json","vulnerability_id":"VCID-a7ss-tkb6-gkge","summary":"Improper access control\nIn some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the \"private\" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.","references":[{"reference_url":"https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf"},{"reference_url":"https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116"},{"reference_url":"https://www.drupal.org/sa-core-2022-012","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2022-012"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25275","reference_id":"CVE-2022-25275","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25275"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml","reference_id":"CVE-2022-25275.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml"},{"reference_url":"https://github.com/advisories/GHSA-xh3v-6f9j-wxw3","reference_id":"GHSA-xh3v-6f9j-wxw3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xh3v-6f9j-wxw3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64975?format=json","purl":"pkg:composer/drupal/core@9.3.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/64976?format=json","purl":"pkg:composer/drupal/core@9.4.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.3"}],"aliases":["CVE-2022-25275","GHSA-xh3v-6f9j-wxw3","GMS-2022-3362"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a7ss-tkb6-gkge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40610?format=json","vulnerability_id":"VCID-ah3h-t9qa-gudr","summary":"Entity Access Bypass\nIn versions of Drupal 8 core ; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.","references":[{"reference_url":"https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple"},{"reference_url":"https://www.drupal.org/SA-CORE-2017-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2017-004"},{"reference_url":"http://www.securityfocus.com/bid/100368","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/100368"},{"reference_url":"http://www.securitytracker.com/id/1039200","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1039200"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-6925","reference_id":"CVE-2017-6925","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-6925"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57329?format=json","purl":"pkg:composer/drupal/core@8.3.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.3.7"}],"aliases":["CVE-2017-6925"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ah3h-t9qa-gudr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42761?format=json","vulnerability_id":"VCID-ard5-3cjv-1beu","summary":"Improper Input Validation\nguzzlehttp/psr7 is a PSR-7 HTTP message library used in drupal. Versions prior to 1.8.4 and 2.1.1 is vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values.","references":[{"reference_url":"https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1"},{"reference_url":"https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc"},{"reference_url":"https://www.drupal.org/sa-core-2022-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2022-006"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24775","reference_id":"CVE-2022-24775","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24775"},{"reference_url":"https://github.com/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"GHSA-q7rv-6hp3-vh96","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q7rv-6hp3-vh96"},{"reference_url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96","reference_id":"GHSA-q7rv-6hp3-vh96","reference_type":"","scores":[],"url":"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61057?format=json","purl":"pkg:composer/drupal/core@9.2.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.2.16"},{"url":"http://public2.vulnerablecode.io/api/packages/61058?format=json","purl":"pkg:composer/drupal/core@9.3.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.9"}],"aliases":["CVE-2022-24775","GHSA-q7rv-6hp3-vh96"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ard5-3cjv-1beu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38210?format=json","vulnerability_id":"VCID-asm8-guag-b3ep","summary":"Information Exposure\nThe Views module in Drupal and the Views module might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-002","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-002"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52826?format=json","purl":"pkg:composer/drupal/core@8.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.1.0"}],"aliases":["CVE-2016-6212"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-asm8-guag-b3ep"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42386?format=json","vulnerability_id":"VCID-avmn-kqky-83dd","summary":"Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor\nCross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2020-010","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2020-010"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13669","reference_id":"CVE-2020-13669","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13669"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13669.yaml","reference_id":"CVE-2020-13669.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13669.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml","reference_id":"CVE-2020-13669.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml"},{"reference_url":"https://github.com/advisories/GHSA-c533-c843-67h8","reference_id":"GHSA-c533-c843-67h8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c533-c843-67h8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60658?format=json","purl":"pkg:composer/drupal/core@8.8.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.8.10"},{"url":"http://public2.vulnerablecode.io/api/packages/60651?format=json","purl":"pkg:composer/drupal/core@8.9.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60652?format=json","purl":"pkg:composer/drupal/core@9.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.6"}],"aliases":["CVE-2020-13669","GHSA-c533-c843-67h8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-avmn-kqky-83dd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38209?format=json","vulnerability_id":"VCID-ay6b-1a7z-qkas","summary":"Saving user accounts can sometimes grant the user all roles\nThe User module in Drupal allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-002","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-002"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52826?format=json","purl":"pkg:composer/drupal/core@8.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.1.0"}],"aliases":["CVE-2016-6211"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ay6b-1a7z-qkas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38160?format=json","vulnerability_id":"VCID-bq2j-t19h-zyad","summary":"Improper Access Control\nPHP does not attempt to address RFC section namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the `HTTP_PROXY` environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an `httpoxy` issue.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2016-1609.html","reference_id":"","reference_type":"","scores":[],"url":"http://rhn.redhat.com/errata/RHSA-2016-1609.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2016-1610.html","reference_id":"","reference_type":"","scores":[],"url":"http://rhn.redhat.com/errata/RHSA-2016-1610.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2016-1611.html","reference_id":"","reference_type":"","scores":[],"url":"http://rhn.redhat.com/errata/RHSA-2016-1611.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2016-1612.html","reference_id":"","reference_type":"","scores":[],"url":"http://rhn.redhat.com/errata/RHSA-2016-1612.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2016-1613.html","reference_id":"","reference_type":"","scores":[],"url":"http://rhn.redhat.com/errata/RHSA-2016-1613.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1353794","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1353794"},{"reference_url":"https://github.com/amphp/artax/commit/81254742812a5a9adf4b085f543f3f21daedcd97","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/amphp/artax/commit/81254742812a5a9adf4b085f543f3f21daedcd97"},{"reference_url":"https://github.com/amphp/artax/commit/b60cf493c9e577a3678865f620b1eb61ab3d7ca9","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/amphp/artax/commit/b60cf493c9e577a3678865f620b1eb61ab3d7ca9"},{"reference_url":"https://github.com/bugsnag/bugsnag-laravel/pull/143","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bugsnag/bugsnag-laravel/pull/143"},{"reference_url":"https://github.com/bugsnag/bugsnag-laravel/pull/145","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bugsnag/bugsnag-laravel/pull/145"},{"reference_url":"https://github.com/bugsnag/bugsnag-laravel/releases/tag/v2.0.2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bugsnag/bugsnag-laravel/releases/tag/v2.0.2"},{"reference_url":"https://github.com/guzzle/guzzle/blob/4.x/CHANGELOG.md#424-2016-07-18","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/guzzle/guzzle/blob/4.x/CHANGELOG.md#424-2016-07-18"},{"reference_url":"https://github.com/guzzle/guzzle/blob/5.3/CHANGELOG.md#531---2016-07-18","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/guzzle/guzzle/blob/5.3/CHANGELOG.md#531---2016-07-18"},{"reference_url":"https://github.com/guzzle/guzzle/blob/master/CHANGELOG.md#622---2016-10-08","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/guzzle/guzzle/blob/master/CHANGELOG.md#622---2016-10-08"},{"reference_url":"https://github.com/guzzle/guzzle/releases/tag/6.2.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/guzzle/guzzle/releases/tag/6.2.1"},{"reference_url":"https://github.com/humbug/file_get_contents/pull/23","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/humbug/file_get_contents/pull/23"},{"reference_url":"https://github.com/humbug/file_get_contents/pull/23/commits/848e8c282a863654e76bd958acfb57c81cb739b5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/humbug/file_get_contents/pull/23/commits/848e8c282a863654e76bd958acfb57c81cb739b5"},{"reference_url":"https://github.com/humbug/file_get_contents/releases/tag/1.1.2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/humbug/file_get_contents/releases/tag/1.1.2"},{"reference_url":"https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us","reference_id":"","reference_type":"","scores":[],"url":"https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us"},{"reference_url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149","reference_id":"","reference_type":"","scores":[],"url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149"},{"reference_url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297","reference_id":"","reference_type":"","scores":[],"url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297"},{"reference_url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722","reference_id":"","reference_type":"","scores":[],"url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"},{"reference_url":"https://httpoxy.org/","reference_id":"","reference_type":"","scores":[],"url":"https://httpoxy.org/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/"},{"reference_url":"https://security.gentoo.org/glsa/201611-22","reference_id":"","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201611-22"},{"reference_url":"https://twitter.com/asyncphp/status/755136084917583872","reference_id":"","reference_type":"","scores":[],"url":"https://twitter.com/asyncphp/status/755136084917583872"},{"reference_url":"https://typo3.org/security/advisory/typo3-core-sa-2016-019","reference_id":"","reference_type":"","scores":[],"url":"https://typo3.org/security/advisory/typo3-core-sa-2016-019"},{"reference_url":"https://www.drupal.org/SA-CORE-2016-003","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-003"},{"reference_url":"http://www.debian.org/security/2016/dsa-3631","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2016/dsa-3631"},{"reference_url":"http://www.kb.cert.org/vuls/id/797896","reference_id":"","reference_type":"","scores":[],"url":"http://www.kb.cert.org/vuls/id/797896"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html","reference_id":"","reference_type":"","scores":[],"url":"http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"},{"reference_url":"http://www.securityfocus.com/bid/91821","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/91821"},{"reference_url":"http://www.securitytracker.com/id/1036335","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1036335"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-5385","reference_id":"CVE-2016-5385","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-5385"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/amphp/artax/CVE-2016-5385.yaml","reference_id":"CVE-2016-5385.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/amphp/artax/CVE-2016-5385.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/bugsnag/bugsnag-laravel/CVE-2016-5385.yaml","reference_id":"CVE-2016-5385.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/bugsnag/bugsnag-laravel/CVE-2016-5385.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-5385.yaml","reference_id":"CVE-2016-5385.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-5385.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-5385.yaml","reference_id":"CVE-2016-5385.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-5385.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2016-5385.yaml","reference_id":"CVE-2016-5385.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2016-5385.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/padraic/humbug_get_contents/CVE-2016-5385.yaml","reference_id":"CVE-2016-5385.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/padraic/humbug_get_contents/CVE-2016-5385.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2016-5385.yaml","reference_id":"CVE-2016-5385.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2016-5385.yaml"},{"reference_url":"https://github.com/advisories/GHSA-m6ch-gg5f-wxx3","reference_id":"GHSA-m6ch-gg5f-wxx3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m6ch-gg5f-wxx3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52826?format=json","purl":"pkg:composer/drupal/core@8.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.1.0"}],"aliases":["CVE-2016-5385","GHSA-m6ch-gg5f-wxx3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bq2j-t19h-zyad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5229?format=json","vulnerability_id":"VCID-dav9-pgdh-8yey","summary":"multiple issues","references":[{"reference_url":"https://www.drupal.org/sa-core-2021-008","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2021-008"},{"reference_url":"https://security.archlinux.org/AVG-2407","reference_id":"AVG-2407","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2407"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13675","reference_id":"CVE-2020-13675","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13675"},{"reference_url":"https://github.com/advisories/GHSA-v8wr-r69p-mmwx","reference_id":"GHSA-v8wr-r69p-mmwx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v8wr-r69p-mmwx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60639?format=json","purl":"pkg:composer/drupal/core@9.1.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.1.13"},{"url":"http://public2.vulnerablecode.io/api/packages/60640?format=json","purl":"pkg:composer/drupal/core@9.2.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.2.6"}],"aliases":["CVE-2020-13675","GHSA-v8wr-r69p-mmwx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dav9-pgdh-8yey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45050?format=json","vulnerability_id":"VCID-dyhz-g3nv-yuc3","summary":"Lack of domain validation in Druple core\nThe Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.","references":[{"reference_url":"https://www.drupal.org/sa-core-2022-015","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2022-015"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25276","reference_id":"CVE-2022-25276","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25276"},{"reference_url":"https://github.com/advisories/GHSA-4wfq-jc9h-vpcx","reference_id":"GHSA-4wfq-jc9h-vpcx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4wfq-jc9h-vpcx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64975?format=json","purl":"pkg:composer/drupal/core@9.3.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/64976?format=json","purl":"pkg:composer/drupal/core@9.4.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.3"}],"aliases":["CVE-2022-25276","GHSA-4wfq-jc9h-vpcx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dyhz-g3nv-yuc3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40820?format=json","vulnerability_id":"VCID-e12q-qavs-qybu","summary":"Cross-site Scripting vulnerability in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2019-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2019-004"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57614?format=json","purl":"pkg:composer/drupal/core@8.6.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.12"}],"aliases":["GMS-2019-147"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e12q-qavs-qybu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40619?format=json","vulnerability_id":"VCID-e8un-nbkk-cbf9","summary":"Deserialization of Untrusted Data\nDrupal core uses the third-party PEAR `Archive_Tar` library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.","references":[{"reference_url":"https://www.drupal.org/sa-core-2019-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2019-001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57349?format=json","purl":"pkg:composer/drupal/core@8.6.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.6"}],"aliases":["CVE-2019-6338"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e8un-nbkk-cbf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45057?format=json","vulnerability_id":"VCID-egtv-y9w1-skgr","summary":"Improper Input Validation\nDrupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.","references":[{"reference_url":"https://www.drupal.org/sa-core-2022-008","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2022-008"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25273","reference_id":"CVE-2022-25273","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25273"},{"reference_url":"https://github.com/advisories/GHSA-g36h-4jr6-qmm9","reference_id":"GHSA-g36h-4jr6-qmm9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-g36h-4jr6-qmm9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64994?format=json","purl":"pkg:composer/drupal/core@9.2.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.2.18"},{"url":"http://public2.vulnerablecode.io/api/packages/64995?format=json","purl":"pkg:composer/drupal/core@9.3.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.12"}],"aliases":["CVE-2022-25273","GHSA-g36h-4jr6-qmm9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-egtv-y9w1-skgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40344?format=json","vulnerability_id":"VCID-jrhg-3271-tqdy","summary":"Improper Access Control\nIn some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56782?format=json","purl":"pkg:composer/drupal/core@8.6.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.2"}],"aliases":["GMS-2018-56"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jrhg-3271-tqdy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48398?format=json","vulnerability_id":"VCID-kzrs-mrga-nyej","summary":"User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.","references":[{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2025-007","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2025-007"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13082","reference_id":"CVE-2025-13082","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13082"},{"reference_url":"https://github.com/advisories/GHSA-h89p-5896-f4q8","reference_id":"GHSA-h89p-5896-f4q8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h89p-5896-f4q8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71441?format=json","purl":"pkg:composer/drupal/core@10.4.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/71442?format=json","purl":"pkg:composer/drupal/core@10.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/71443?format=json","purl":"pkg:composer/drupal/core@11.1.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/71444?format=json","purl":"pkg:composer/drupal/core@11.2.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8"}],"aliases":["CVE-2025-13082","GHSA-h89p-5896-f4q8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kzrs-mrga-nyej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40612?format=json","vulnerability_id":"VCID-mm13-6dhq-nqfb","summary":"Improper Privilege Management\nWhen using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2017-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2017-004"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57331?format=json","purl":"pkg:composer/drupal/core@8.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.3.0"}],"aliases":["CVE-2017-6924"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mm13-6dhq-nqfb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40364?format=json","vulnerability_id":"VCID-myja-t33q-q3cv","summary":"Improper Access Control in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56782?format=json","purl":"pkg:composer/drupal/core@8.6.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.2"}],"aliases":["GMS-2018-52"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-myja-t33q-q3cv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42392?format=json","vulnerability_id":"VCID-nacy-y1qt-5yhb","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nAccess Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8"},{"reference_url":"https://github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb"},{"reference_url":"https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2"},{"reference_url":"https://www.drupal.org/sa-core-2020-009","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2020-009"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13668","reference_id":"CVE-2020-13668","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13668"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml","reference_id":"CVE-2020-13668.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml","reference_id":"CVE-2020-13668.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml"},{"reference_url":"https://github.com/advisories/GHSA-m6q5-wv4x-fv6h","reference_id":"GHSA-m6q5-wv4x-fv6h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m6q5-wv4x-fv6h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60658?format=json","purl":"pkg:composer/drupal/core@8.8.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.8.10"},{"url":"http://public2.vulnerablecode.io/api/packages/60651?format=json","purl":"pkg:composer/drupal/core@8.9.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60652?format=json","purl":"pkg:composer/drupal/core@9.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.6"}],"aliases":["CVE-2020-13668","GHSA-m6q5-wv4x-fv6h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nacy-y1qt-5yhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38080?format=json","vulnerability_id":"VCID-ng6g-hvc2-bkg4","summary":"Session data truncation can lead to unserialization of user provided data\nDrupal might allow remote attackers to execute arbitrary code via vectors related to session data truncation.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52631?format=json","purl":"pkg:composer/drupal/core@8.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.4"}],"aliases":["CVE-2016-3171"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ng6g-hvc2-bkg4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48403?format=json","vulnerability_id":"VCID-p54u-b18k-jyft","summary":"Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.","references":[{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2025-005","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2025-005"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13080","reference_id":"CVE-2025-13080","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13080"},{"reference_url":"https://github.com/advisories/GHSA-83v7-c2cf-p9c2","reference_id":"GHSA-83v7-c2cf-p9c2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-83v7-c2cf-p9c2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71441?format=json","purl":"pkg:composer/drupal/core@10.4.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/71442?format=json","purl":"pkg:composer/drupal/core@10.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/71443?format=json","purl":"pkg:composer/drupal/core@11.1.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/71444?format=json","purl":"pkg:composer/drupal/core@11.2.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8"}],"aliases":["CVE-2025-13080","GHSA-83v7-c2cf-p9c2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p54u-b18k-jyft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40362?format=json","vulnerability_id":"VCID-pgnc-fq4m-3kaz","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nAnonymous Open Redirect in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56782?format=json","purl":"pkg:composer/drupal/core@8.6.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.2"}],"aliases":["GMS-2018-54"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pgnc-fq4m-3kaz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4307?format=json","vulnerability_id":"VCID-pmmq-8s2m-h7dp","summary":"arbitrary code execution","references":[{"reference_url":"https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600","reference_id":"","reference_type":"","scores":[],"url":"https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600"},{"reference_url":"https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714","reference_id":"","reference_type":"","scores":[],"url":"https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core"},{"reference_url":"https://greysec.net/showthread.php?tid=2912&pid=10561","reference_id":"","reference_type":"","scores":[],"url":"https://greysec.net/showthread.php?tid=2912&pid=10561"},{"reference_url":"https://groups.drupal.org/security/faq-2018-002","reference_id":"","reference_type":"","scores":[],"url":"https://groups.drupal.org/security/faq-2018-002"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html"},{"reference_url":"https://research.checkpoint.com/uncovering-drupalgeddon-2","reference_id":"","reference_type":"","scores":[],"url":"https://research.checkpoint.com/uncovering-drupalgeddon-2"},{"reference_url":"https://twitter.com/arancaytar/status/979090719003627521","reference_id":"","reference_type":"","scores":[],"url":"https://twitter.com/arancaytar/status/979090719003627521"},{"reference_url":"https://twitter.com/RicterZ/status/979567469726613504","reference_id":"","reference_type":"","scores":[],"url":"https://twitter.com/RicterZ/status/979567469726613504"},{"reference_url":"https://twitter.com/RicterZ/status/984495201354854401","reference_id":"","reference_type":"","scores":[],"url":"https://twitter.com/RicterZ/status/984495201354854401"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7600","reference_id":"","reference_type":"","scores":[],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7600"},{"reference_url":"https://www.debian.org/security/2018/dsa-4156","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2018/dsa-4156"},{"reference_url":"https://www.drupal.org/sa-core-2018-002","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-002"},{"reference_url":"https://www.exploit-db.com/exploits/44448","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/44448"},{"reference_url":"https://www.exploit-db.com/exploits/44449","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/44449"},{"reference_url":"https://www.exploit-db.com/exploits/44482","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/44482"},{"reference_url":"https://www.synology.com/support/security/Synology_SA_18_17","reference_id":"","reference_type":"","scores":[],"url":"https://www.synology.com/support/security/Synology_SA_18_17"},{"reference_url":"https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know","reference_id":"","reference_type":"","scores":[],"url":"https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know"},{"reference_url":"https://security.archlinux.org/ASA-201804-1","reference_id":"ASA-201804-1","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201804-1"},{"reference_url":"https://security.archlinux.org/AVG-665","reference_id":"AVG-665","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-665"},{"reference_url":"https://github.com/a2u/CVE-2018-7600","reference_id":"CVE-2018-7600","reference_type":"","scores":[],"url":"https://github.com/a2u/CVE-2018-7600"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7600","reference_id":"CVE-2018-7600","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7600"},{"reference_url":"https://github.com/g0rx/CVE-2018-7600-Drupal-RCE","reference_id":"CVE-2018-7600-DRUPAL-RCE","reference_type":"","scores":[],"url":"https://github.com/g0rx/CVE-2018-7600-Drupal-RCE"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2018-7600.yaml","reference_id":"CVE-2018-7600.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2018-7600.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2018-7600.yaml","reference_id":"CVE-2018-7600.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2018-7600.yaml"},{"reference_url":"https://github.com/advisories/GHSA-7fh9-933g-885p","reference_id":"GHSA-7fh9-933g-885p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7fh9-933g-885p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63076?format=json","purl":"pkg:composer/drupal/core@8.3.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.3.9"},{"url":"http://public2.vulnerablecode.io/api/packages/63077?format=json","purl":"pkg:composer/drupal/core@8.4.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.4.6"},{"url":"http://public2.vulnerablecode.io/api/packages/63078?format=json","purl":"pkg:composer/drupal/core@8.5.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.1"}],"aliases":["CVE-2018-7600","GHSA-7fh9-933g-885p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pmmq-8s2m-h7dp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38078?format=json","vulnerability_id":"VCID-pnme-dc73-efcb","summary":"Improper Access Control\nThe File module in Drupal allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52631?format=json","purl":"pkg:composer/drupal/core@8.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.4"}],"aliases":["CVE-2016-3162"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pnme-dc73-efcb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40375?format=json","vulnerability_id":"VCID-qsuc-53pg-zkda","summary":"Code Injection\nInjection in `DefaultMailSystem::mail()`.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56782?format=json","purl":"pkg:composer/drupal/core@8.6.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.2"}],"aliases":["GMS-2018-55"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qsuc-53pg-zkda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45056?format=json","vulnerability_id":"VCID-rd4g-h1j9-23cb","summary":"Unrestricted Upload of File with Dangerous Type\nDrupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously does not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.","references":[{"reference_url":"https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17"},{"reference_url":"https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a"},{"reference_url":"https://www.drupal.org/sa-core-2022-014","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2022-014"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25277","reference_id":"CVE-2022-25277","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25277"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml","reference_id":"CVE-2022-25277.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml"},{"reference_url":"https://github.com/advisories/GHSA-6955-67hm-vjjq","reference_id":"GHSA-6955-67hm-vjjq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6955-67hm-vjjq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64975?format=json","purl":"pkg:composer/drupal/core@9.3.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.19"},{"url":"http://public2.vulnerablecode.io/api/packages/64976?format=json","purl":"pkg:composer/drupal/core@9.4.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.3"}],"aliases":["CVE-2022-25277","GHSA-6955-67hm-vjjq","GMS-2022-3361"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rd4g-h1j9-23cb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38071?format=json","vulnerability_id":"VCID-rsc6-y1uv-6bfq","summary":"Information Exposure\nThe `have you forgotten your password` links in the User module in Drupal allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52631?format=json","purl":"pkg:composer/drupal/core@8.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.4"}],"aliases":["CVE-2016-3170"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rsc6-y1uv-6bfq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47000?format=json","vulnerability_id":"VCID-t89y-c9hq-9bhk","summary":"Drupal core Denial of Service vulnerability\nThe Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).\n\nSites that do not use the Comment module are not affected.","references":[{"reference_url":"https://github.com/drupal/core/commit/2f76ac716ca8019bc60579fdfc8aa6cd65d57dff","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/2f76ac716ca8019bc60579fdfc8aa6cd65d57dff"},{"reference_url":"https://github.com/drupal/core/commit/5e606b560ac4ecb08135f12b6165bbe0348346a0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core/commit/5e606b560ac4ecb08135f12b6165bbe0348346a0"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2024-01-17.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2024-01-17.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2024-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2024-001"},{"reference_url":"https://github.com/advisories/GHSA-6ccv-8fgf-cjpw","reference_id":"GHSA-6ccv-8fgf-cjpw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6ccv-8fgf-cjpw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68876?format=json","purl":"pkg:composer/drupal/core@10.1.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.1.8"},{"url":"http://public2.vulnerablecode.io/api/packages/68877?format=json","purl":"pkg:composer/drupal/core@10.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.2"}],"aliases":["GHSA-6ccv-8fgf-cjpw","GMS-2024-214"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t89y-c9hq-9bhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38079?format=json","vulnerability_id":"VCID-ta99-gcmk-2qc8","summary":"Brute force amplification attacks via XML-RPC\nThe XML-RPC system in Drupal might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52631?format=json","purl":"pkg:composer/drupal/core@8.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.4"}],"aliases":["CVE-2016-3163"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ta99-gcmk-2qc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3853?format=json","vulnerability_id":"VCID-tpzm-u3qp-akc8","summary":"multiple issues","references":[{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2021-002","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2021-002"},{"reference_url":"https://security.archlinux.org/AVG-1463","reference_id":"AVG-1463","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1463"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13672","reference_id":"CVE-2020-13672","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13672"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13672.yaml","reference_id":"CVE-2020-13672.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13672.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13672.yaml","reference_id":"CVE-2020-13672.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13672.yaml"},{"reference_url":"https://github.com/advisories/GHSA-3m36-mjwj-352c","reference_id":"GHSA-3m36-mjwj-352c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3m36-mjwj-352c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60655?format=json","purl":"pkg:composer/drupal/core@8.9.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.9.14"},{"url":"http://public2.vulnerablecode.io/api/packages/60656?format=json","purl":"pkg:composer/drupal/core@9.0.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.12"},{"url":"http://public2.vulnerablecode.io/api/packages/60657?format=json","purl":"pkg:composer/drupal/core@9.1.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.1.7"}],"aliases":["CVE-2020-13672","GHSA-3m36-mjwj-352c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tpzm-u3qp-akc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39447?format=json","vulnerability_id":"VCID-w4ks-ufnz-vfav","summary":"Cross-site Scripting\nA jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2018-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2018-001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55107?format=json","purl":"pkg:composer/drupal/core@8.4.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.4.5"}],"aliases":["CVE-2017-6929"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w4ks-ufnz-vfav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38072?format=json","vulnerability_id":"VCID-wapd-e3mu-sffn","summary":"HTTP header injection using line breaks\nCRLF injection vulnerability in the `drupal_set_header` function in Drupal allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52631?format=json","purl":"pkg:composer/drupal/core@8.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.4"}],"aliases":["CVE-2016-3166"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wapd-e3mu-sffn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41563?format=json","vulnerability_id":"VCID-wsv7-je8g-sqet","summary":"Drupal core Unrestricted Upload of File with Dangerous Type\nDrupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.","references":[{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671","reference_id":"","reference_type":"","scores":[],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671"},{"reference_url":"https://www.drupal.org/sa-core-2020-012","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2020-012"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13671","reference_id":"CVE-2020-13671","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13671"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml","reference_id":"CVE-2020-13671.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml","reference_id":"CVE-2020-13671.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml"},{"reference_url":"https://github.com/advisories/GHSA-68jc-v27h-vhmw","reference_id":"GHSA-68jc-v27h-vhmw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-68jc-v27h-vhmw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59269?format=json","purl":"pkg:composer/drupal/core@8.8.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.8.11"},{"url":"http://public2.vulnerablecode.io/api/packages/59268?format=json","purl":"pkg:composer/drupal/core@8.9.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.9.9"},{"url":"http://public2.vulnerablecode.io/api/packages/59267?format=json","purl":"pkg:composer/drupal/core@9.0.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.8"}],"aliases":["CVE-2020-13671","GHSA-68jc-v27h-vhmw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wsv7-je8g-sqet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40969?format=json","vulnerability_id":"VCID-wszp-2es5-z7fy","summary":"Moderately critical - Third-party libraries - SA-CORE-2019-007\nThe `PharStreamWrapper` (aka `phar-stream-wrapper`) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a `phar:///path/bad.phar/../good.phar` URL.","references":[{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v2.1.1"},{"reference_url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.1"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65ODQHDHWR74L6TCAPAQR5FQHG6MCXAW/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QDJVUJPUW3RZ4746SC6BX4F4T6ZXNBH/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUEXS4HRI4XZ2DTZMWAVQBYBTFSJ34AR/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3NUKPG7V4QEM6QXRMHYR4ABFMW5MM2P/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6JX7WR6DPMKCZQP7EYFACYXSGJ3K523/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z246UWBXBEKTQUDTLRJTC7XYBIO4IBE4/"},{"reference_url":"https://seclists.org/bugtraq/2019/May/36","reference_id":"","reference_type":"","scores":[],"url":"https://seclists.org/bugtraq/2019/May/36"},{"reference_url":"https://typo3.org/security/advisory/typo3-psa-2019-007/","reference_id":"","reference_type":"","scores":[],"url":"https://typo3.org/security/advisory/typo3-psa-2019-007/"},{"reference_url":"https://www.debian.org/security/2019/dsa-4445","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2019/dsa-4445"},{"reference_url":"https://www.drupal.org/sa-core-2019-007","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2019-007"},{"reference_url":"https://www.drupal.org/SA-CORE-2019-007","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2019-007"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_22","reference_id":"","reference_type":"","scores":[],"url":"https://www.synology.com/security/advisory/Synology_SA_19_22"},{"reference_url":"http://www.securityfocus.com/bid/108302","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/108302"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11831","reference_id":"CVE-2019-11831","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11831"},{"reference_url":"https://github.com/advisories/GHSA-xv7v-rf6g-xwrc","reference_id":"GHSA-xv7v-rf6g-xwrc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xv7v-rf6g-xwrc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57979?format=json","purl":"pkg:composer/drupal/core@8.6.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.16"},{"url":"http://public2.vulnerablecode.io/api/packages/57980?format=json","purl":"pkg:composer/drupal/core@8.7.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.7.1"}],"aliases":["CVE-2019-11831","GHSA-xv7v-rf6g-xwrc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wszp-2es5-z7fy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40621?format=json","vulnerability_id":"VCID-x34m-u169-1bce","summary":"Improper Input Validation\nA remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted `phar://` URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.","references":[{"reference_url":"https://www.drupal.org/sa-core-2019-002","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2019-002"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57349?format=json","purl":"pkg:composer/drupal/core@8.6.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.6"}],"aliases":["CVE-2019-6339"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x34m-u169-1bce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39582?format=json","vulnerability_id":"VCID-y1nb-prqc-suaj","summary":"Cross-site Scripting\nCross-site scripting (XSS) vulnerability in the Enhanced Image plugin for CKEditor.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9861","reference_id":"CVE-2018-9861","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9861"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55214?format=json","purl":"pkg:composer/drupal/core@8.4.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.4.7"},{"url":"http://public2.vulnerablecode.io/api/packages/55215?format=json","purl":"pkg:composer/drupal/core@8.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.2"}],"aliases":["CVE-2018-9861"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y1nb-prqc-suaj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48411?format=json","vulnerability_id":"VCID-yq4q-hydz-vuga","summary":"Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.","references":[{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2025-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2025-006"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13081","reference_id":"CVE-2025-13081","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13081"},{"reference_url":"https://github.com/advisories/GHSA-m6vv-vcj8-w8m7","reference_id":"GHSA-m6vv-vcj8-w8m7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m6vv-vcj8-w8m7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71441?format=json","purl":"pkg:composer/drupal/core@10.4.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/71442?format=json","purl":"pkg:composer/drupal/core@10.5.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.5.6"},{"url":"http://public2.vulnerablecode.io/api/packages/71443?format=json","purl":"pkg:composer/drupal/core@11.1.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/71444?format=json","purl":"pkg:composer/drupal/core@11.2.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@11.2.8"}],"aliases":["CVE-2025-13081","GHSA-m6vv-vcj8-w8m7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yq4q-hydz-vuga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40351?format=json","vulnerability_id":"VCID-yygb-pp11-5udj","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nExternal URL injection through URL aliases in drupal.","references":[{"reference_url":"https://www.drupal.org/sa-core-2018-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-006"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56782?format=json","purl":"pkg:composer/drupal/core@8.6.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.2"}],"aliases":["GMS-2018-53"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yygb-pp11-5udj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39450?format=json","vulnerability_id":"VCID-zqer-y4s4-hqhy","summary":"URL Redirection to Untrusted Site (Open Redirect)\nDrupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2018-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2018-001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55107?format=json","purl":"pkg:composer/drupal/core@8.4.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.4.5"}],"aliases":["CVE-2017-6932"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zqer-y4s4-hqhy"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42433?format=json","vulnerability_id":"VCID-2g67-a42m-qfbh","summary":"Improper Input Validation\nDrupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.","references":[{"reference_url":"https://www.drupal.org/sa-core-2022-003","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2022-003"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25271","reference_id":"CVE-2022-25271","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25271"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52630?format=json","purl":"pkg:composer/drupal/core@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2989-fmjz-nkby"},{"vulnerability":"VCID-2fas-m6vh-myhc"},{"vulnerability":"VCID-2t34-82p3-73c3"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4dpp-gg2v-q3et"},{"vulnerability":"VCID-56ze-2yw2-bfh8"},{"vulnerability":"VCID-5c5c-m7ba-kqct"},{"vulnerability":"VCID-7v89-2sss-hfaz"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a3s2-c4k2-4ufn"},{"vulnerability":"VCID-a4u4-ga84-wyf9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ah3h-t9qa-gudr"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-asm8-guag-b3ep"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-ay6b-1a7z-qkas"},{"vulnerability":"VCID-bq2j-t19h-zyad"},{"vulnerability":"VCID-dav9-pgdh-8yey"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e12q-qavs-qybu"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-jrhg-3271-tqdy"},{"vulnerability":"VCID-kzrs-mrga-nyej"},{"vulnerability":"VCID-mm13-6dhq-nqfb"},{"vulnerability":"VCID-myja-t33q-q3cv"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-ng6g-hvc2-bkg4"},{"vulnerability":"VCID-p54u-b18k-jyft"},{"vulnerability":"VCID-pgnc-fq4m-3kaz"},{"vulnerability":"VCID-pmmq-8s2m-h7dp"},{"vulnerability":"VCID-pnme-dc73-efcb"},{"vulnerability":"VCID-qsuc-53pg-zkda"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-rsc6-y1uv-6bfq"},{"vulnerability":"VCID-t89y-c9hq-9bhk"},{"vulnerability":"VCID-ta99-gcmk-2qc8"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w4ks-ufnz-vfav"},{"vulnerability":"VCID-wapd-e3mu-sffn"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-y1nb-prqc-suaj"},{"vulnerability":"VCID-yq4q-hydz-vuga"},{"vulnerability":"VCID-yygb-pp11-5udj"},{"vulnerability":"VCID-zqer-y4s4-hqhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/60697?format=json","purl":"pkg:composer/drupal/core@9.2.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.2.13"},{"url":"http://public2.vulnerablecode.io/api/packages/60698?format=json","purl":"pkg:composer/drupal/core@9.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-r1hd-d39y-syhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.6"}],"aliases":["CVE-2022-25271"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2g67-a42m-qfbh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39448?format=json","vulnerability_id":"VCID-6rtn-zphz-sydn","summary":"Incorrect Permission Assignment for Critical Resource\nWhen using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.","references":[{"reference_url":"https://www.debian.org/security/2018/dsa-4123","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2018/dsa-4123"},{"reference_url":"https://www.drupal.org/sa-core-2018-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2018-001"},{"reference_url":"https://www.drupal.org/SA-CORE-2018-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2018-001"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-6928","reference_id":"CVE-2017-6928","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-6928"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52630?format=json","purl":"pkg:composer/drupal/core@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2989-fmjz-nkby"},{"vulnerability":"VCID-2fas-m6vh-myhc"},{"vulnerability":"VCID-2t34-82p3-73c3"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4dpp-gg2v-q3et"},{"vulnerability":"VCID-56ze-2yw2-bfh8"},{"vulnerability":"VCID-5c5c-m7ba-kqct"},{"vulnerability":"VCID-7v89-2sss-hfaz"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a3s2-c4k2-4ufn"},{"vulnerability":"VCID-a4u4-ga84-wyf9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ah3h-t9qa-gudr"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-asm8-guag-b3ep"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-ay6b-1a7z-qkas"},{"vulnerability":"VCID-bq2j-t19h-zyad"},{"vulnerability":"VCID-dav9-pgdh-8yey"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e12q-qavs-qybu"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-jrhg-3271-tqdy"},{"vulnerability":"VCID-kzrs-mrga-nyej"},{"vulnerability":"VCID-mm13-6dhq-nqfb"},{"vulnerability":"VCID-myja-t33q-q3cv"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-ng6g-hvc2-bkg4"},{"vulnerability":"VCID-p54u-b18k-jyft"},{"vulnerability":"VCID-pgnc-fq4m-3kaz"},{"vulnerability":"VCID-pmmq-8s2m-h7dp"},{"vulnerability":"VCID-pnme-dc73-efcb"},{"vulnerability":"VCID-qsuc-53pg-zkda"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-rsc6-y1uv-6bfq"},{"vulnerability":"VCID-t89y-c9hq-9bhk"},{"vulnerability":"VCID-ta99-gcmk-2qc8"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w4ks-ufnz-vfav"},{"vulnerability":"VCID-wapd-e3mu-sffn"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-y1nb-prqc-suaj"},{"vulnerability":"VCID-yq4q-hydz-vuga"},{"vulnerability":"VCID-yygb-pp11-5udj"},{"vulnerability":"VCID-zqer-y4s4-hqhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0"}],"aliases":["CVE-2017-6928"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6rtn-zphz-sydn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30634?format=json","vulnerability_id":"VCID-84eq-cq89-9qhm","summary":"Modification of Assumed-Immutable Data (MAID)\nPrototype pollution attack through jQuery $.extend","references":[{"reference_url":"https://access.redhat.com/errata/RHBA-2019:1570","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHBA-2019:1570"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:1456","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:1456"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:2587","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:2587"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3023","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3023"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:3024","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:3024"},{"reference_url":"https://backdropcms.org/security/backdrop-sa-core-2019-009","reference_id":"","reference_type":"","scores":[],"url":"https://backdropcms.org/security/backdrop-sa-core-2019-009"},{"reference_url":"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released","reference_id":"","reference_type":"","scores":[],"url":"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released"},{"reference_url":"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/","reference_id":"","reference_type":"","scores":[],"url":"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"},{"reference_url":"https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f"},{"reference_url":"https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829"},{"reference_url":"https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad"},{"reference_url":"https://github.com/jquery/jquery","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jquery/jquery"},{"reference_url":"https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"},{"reference_url":"https://github.com/jquery/jquery/pull/4333","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jquery/jquery/pull/4333"},{"reference_url":"https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc"},{"reference_url":"https://github.com/maximebf/php-debugbar/issues/447","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/maximebf/php-debugbar/issues/447"},{"reference_url":"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434"},{"reference_url":"https://hackerone.com/reports/454365","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://hackerone.com/reports/454365"},{"reference_url":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601","reference_id":"","reference_type":"","scores":[],"url":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"},{"reference_url":"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5"},{"reference_url":"https://seclists.org/bugtraq/2019/Apr/32","reference_id":"","reference_type":"","scores":[],"url":"https://seclists.org/bugtraq/2019/Apr/32"},{"reference_url":"https://seclists.org/bugtraq/2019/Jun/12","reference_id":"","reference_type":"","scores":[],"url":"https://seclists.org/bugtraq/2019/Jun/12"},{"reference_url":"https://seclists.org/bugtraq/2019/May/18","reference_id":"","reference_type":"","scores":[],"url":"https://seclists.org/bugtraq/2019/May/18"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190919-0001","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20190919-0001"},{"reference_url":"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226","reference_id":"","reference_type":"","scores":[],"url":"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-JQUERY-174006","reference_id":"","reference_type":"","scores":[],"url":"https://snyk.io/vuln/SNYK-JS-JQUERY-174006"},{"reference_url":"https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1","reference_id":"","reference_type":"","scores":[],"url":"https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1"},{"reference_url":"https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023"},{"reference_url":"https://www.debian.org/security/2019/dsa-4434","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2019/dsa-4434"},{"reference_url":"https://www.debian.org/security/2019/dsa-4460","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2019/dsa-4460"},{"reference_url":"https://www.djangoproject.com/weblog/2019/jun/03/security-releases","reference_id":"","reference_type":"","scores":[],"url":"https://www.djangoproject.com/weblog/2019/jun/03/security-releases"},{"reference_url":"https://www.drupal.org/sa-core-2019-006","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2019-006"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2020.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2020.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2021.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2020.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"reference_url":"https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery","reference_id":"","reference_type":"","scores":[],"url":"https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery"},{"reference_url":"https://www.synology.com/security/advisory/Synology_SA_19_19","reference_id":"","reference_type":"","scores":[],"url":"https://www.synology.com/security/advisory/Synology_SA_19_19"},{"reference_url":"https://www.tenable.com/security/tns-2019-08","reference_id":"","reference_type":"","scores":[],"url":"https://www.tenable.com/security/tns-2019-08"},{"reference_url":"https://www.tenable.com/security/tns-2020-02","reference_id":"","reference_type":"","scores":[],"url":"https://www.tenable.com/security/tns-2020-02"},{"reference_url":"http://www.securityfocus.com/bid/108023","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/108023"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/496.json","reference_id":"496","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/496.json"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11358","reference_id":"CVE-2019-11358","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11358"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml","reference_id":"CVE-2019-11358.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml"},{"reference_url":"https://github.com/advisories/GHSA-6c3j-c64m-qhgq","reference_id":"GHSA-6c3j-c64m-qhgq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6c3j-c64m-qhgq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52630?format=json","purl":"pkg:composer/drupal/core@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2989-fmjz-nkby"},{"vulnerability":"VCID-2fas-m6vh-myhc"},{"vulnerability":"VCID-2t34-82p3-73c3"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4dpp-gg2v-q3et"},{"vulnerability":"VCID-56ze-2yw2-bfh8"},{"vulnerability":"VCID-5c5c-m7ba-kqct"},{"vulnerability":"VCID-7v89-2sss-hfaz"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a3s2-c4k2-4ufn"},{"vulnerability":"VCID-a4u4-ga84-wyf9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ah3h-t9qa-gudr"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-asm8-guag-b3ep"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-ay6b-1a7z-qkas"},{"vulnerability":"VCID-bq2j-t19h-zyad"},{"vulnerability":"VCID-dav9-pgdh-8yey"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e12q-qavs-qybu"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-jrhg-3271-tqdy"},{"vulnerability":"VCID-kzrs-mrga-nyej"},{"vulnerability":"VCID-mm13-6dhq-nqfb"},{"vulnerability":"VCID-myja-t33q-q3cv"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-ng6g-hvc2-bkg4"},{"vulnerability":"VCID-p54u-b18k-jyft"},{"vulnerability":"VCID-pgnc-fq4m-3kaz"},{"vulnerability":"VCID-pmmq-8s2m-h7dp"},{"vulnerability":"VCID-pnme-dc73-efcb"},{"vulnerability":"VCID-qsuc-53pg-zkda"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-rsc6-y1uv-6bfq"},{"vulnerability":"VCID-t89y-c9hq-9bhk"},{"vulnerability":"VCID-ta99-gcmk-2qc8"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w4ks-ufnz-vfav"},{"vulnerability":"VCID-wapd-e3mu-sffn"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-y1nb-prqc-suaj"},{"vulnerability":"VCID-yq4q-hydz-vuga"},{"vulnerability":"VCID-yygb-pp11-5udj"},{"vulnerability":"VCID-zqer-y4s4-hqhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/57855?format=json","purl":"pkg:composer/drupal/core@8.5.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.15"},{"url":"http://public2.vulnerablecode.io/api/packages/57856?format=json","purl":"pkg:composer/drupal/core@8.6.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.15"}],"aliases":["CVE-2019-11358","GHSA-6c3j-c64m-qhgq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-84eq-cq89-9qhm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40839?format=json","vulnerability_id":"VCID-e69p-v2ws-vufj","summary":"Cross-site Scripting\nUnder certain circumstances the File `module/subsystem` allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.","references":[{"reference_url":"https://www.drupal.org/sa-core-2019-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/sa-core-2019-004"},{"reference_url":"https://www.drupal.org/SA-CORE-2019-004","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2019-004"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6341","reference_id":"CVE-2019-6341","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6341"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52630?format=json","purl":"pkg:composer/drupal/core@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2989-fmjz-nkby"},{"vulnerability":"VCID-2fas-m6vh-myhc"},{"vulnerability":"VCID-2t34-82p3-73c3"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4dpp-gg2v-q3et"},{"vulnerability":"VCID-56ze-2yw2-bfh8"},{"vulnerability":"VCID-5c5c-m7ba-kqct"},{"vulnerability":"VCID-7v89-2sss-hfaz"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a3s2-c4k2-4ufn"},{"vulnerability":"VCID-a4u4-ga84-wyf9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ah3h-t9qa-gudr"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-asm8-guag-b3ep"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-ay6b-1a7z-qkas"},{"vulnerability":"VCID-bq2j-t19h-zyad"},{"vulnerability":"VCID-dav9-pgdh-8yey"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e12q-qavs-qybu"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-jrhg-3271-tqdy"},{"vulnerability":"VCID-kzrs-mrga-nyej"},{"vulnerability":"VCID-mm13-6dhq-nqfb"},{"vulnerability":"VCID-myja-t33q-q3cv"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-ng6g-hvc2-bkg4"},{"vulnerability":"VCID-p54u-b18k-jyft"},{"vulnerability":"VCID-pgnc-fq4m-3kaz"},{"vulnerability":"VCID-pmmq-8s2m-h7dp"},{"vulnerability":"VCID-pnme-dc73-efcb"},{"vulnerability":"VCID-qsuc-53pg-zkda"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-rsc6-y1uv-6bfq"},{"vulnerability":"VCID-t89y-c9hq-9bhk"},{"vulnerability":"VCID-ta99-gcmk-2qc8"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w4ks-ufnz-vfav"},{"vulnerability":"VCID-wapd-e3mu-sffn"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-y1nb-prqc-suaj"},{"vulnerability":"VCID-yq4q-hydz-vuga"},{"vulnerability":"VCID-yygb-pp11-5udj"},{"vulnerability":"VCID-zqer-y4s4-hqhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/57654?format=json","purl":"pkg:composer/drupal/core@8.5.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.5.14"},{"url":"http://public2.vulnerablecode.io/api/packages/57655?format=json","purl":"pkg:composer/drupal/core@8.6.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.6.13"}],"aliases":["CVE-2019-6341"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e69p-v2ws-vufj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38261?format=json","vulnerability_id":"VCID-ey9c-4yhy-3qa5","summary":"URL Redirection to Untrusted Site (Open Redirect)\nConfirmation forms in Drupal make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-005","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-005"},{"reference_url":"http://www.securityfocus.com/bid/94367","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/94367"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9451","reference_id":"CVE-2016-9451","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9451"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52630?format=json","purl":"pkg:composer/drupal/core@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2989-fmjz-nkby"},{"vulnerability":"VCID-2fas-m6vh-myhc"},{"vulnerability":"VCID-2t34-82p3-73c3"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4dpp-gg2v-q3et"},{"vulnerability":"VCID-56ze-2yw2-bfh8"},{"vulnerability":"VCID-5c5c-m7ba-kqct"},{"vulnerability":"VCID-7v89-2sss-hfaz"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a3s2-c4k2-4ufn"},{"vulnerability":"VCID-a4u4-ga84-wyf9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ah3h-t9qa-gudr"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-asm8-guag-b3ep"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-ay6b-1a7z-qkas"},{"vulnerability":"VCID-bq2j-t19h-zyad"},{"vulnerability":"VCID-dav9-pgdh-8yey"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e12q-qavs-qybu"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-jrhg-3271-tqdy"},{"vulnerability":"VCID-kzrs-mrga-nyej"},{"vulnerability":"VCID-mm13-6dhq-nqfb"},{"vulnerability":"VCID-myja-t33q-q3cv"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-ng6g-hvc2-bkg4"},{"vulnerability":"VCID-p54u-b18k-jyft"},{"vulnerability":"VCID-pgnc-fq4m-3kaz"},{"vulnerability":"VCID-pmmq-8s2m-h7dp"},{"vulnerability":"VCID-pnme-dc73-efcb"},{"vulnerability":"VCID-qsuc-53pg-zkda"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-rsc6-y1uv-6bfq"},{"vulnerability":"VCID-t89y-c9hq-9bhk"},{"vulnerability":"VCID-ta99-gcmk-2qc8"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w4ks-ufnz-vfav"},{"vulnerability":"VCID-wapd-e3mu-sffn"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-y1nb-prqc-suaj"},{"vulnerability":"VCID-yq4q-hydz-vuga"},{"vulnerability":"VCID-yygb-pp11-5udj"},{"vulnerability":"VCID-zqer-y4s4-hqhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0"}],"aliases":["CVE-2016-9451"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ey9c-4yhy-3qa5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38070?format=json","vulnerability_id":"VCID-mscp-wvvx-zfh3","summary":"Saving user accounts can sometimes grant the user all roles\nThe User module in Drupal allows remote attackers to gain privileges by leveraging contributed or custom code that calls the `user_save` function with an explicit category and loads all roles into the array.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-001"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3169","reference_id":"CVE-2016-3169","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3169"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52630?format=json","purl":"pkg:composer/drupal/core@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2989-fmjz-nkby"},{"vulnerability":"VCID-2fas-m6vh-myhc"},{"vulnerability":"VCID-2t34-82p3-73c3"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4dpp-gg2v-q3et"},{"vulnerability":"VCID-56ze-2yw2-bfh8"},{"vulnerability":"VCID-5c5c-m7ba-kqct"},{"vulnerability":"VCID-7v89-2sss-hfaz"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a3s2-c4k2-4ufn"},{"vulnerability":"VCID-a4u4-ga84-wyf9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ah3h-t9qa-gudr"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-asm8-guag-b3ep"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-ay6b-1a7z-qkas"},{"vulnerability":"VCID-bq2j-t19h-zyad"},{"vulnerability":"VCID-dav9-pgdh-8yey"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e12q-qavs-qybu"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-jrhg-3271-tqdy"},{"vulnerability":"VCID-kzrs-mrga-nyej"},{"vulnerability":"VCID-mm13-6dhq-nqfb"},{"vulnerability":"VCID-myja-t33q-q3cv"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-ng6g-hvc2-bkg4"},{"vulnerability":"VCID-p54u-b18k-jyft"},{"vulnerability":"VCID-pgnc-fq4m-3kaz"},{"vulnerability":"VCID-pmmq-8s2m-h7dp"},{"vulnerability":"VCID-pnme-dc73-efcb"},{"vulnerability":"VCID-qsuc-53pg-zkda"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-rsc6-y1uv-6bfq"},{"vulnerability":"VCID-t89y-c9hq-9bhk"},{"vulnerability":"VCID-ta99-gcmk-2qc8"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w4ks-ufnz-vfav"},{"vulnerability":"VCID-wapd-e3mu-sffn"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-y1nb-prqc-suaj"},{"vulnerability":"VCID-yq4q-hydz-vuga"},{"vulnerability":"VCID-yygb-pp11-5udj"},{"vulnerability":"VCID-zqer-y4s4-hqhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0"}],"aliases":["CVE-2016-3169"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mscp-wvvx-zfh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38076?format=json","vulnerability_id":"VCID-s5qd-cpvc-c3cd","summary":"Improper Access Control\nThe Form API in Drupal ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has `#access` set to `FALSE` in the server-side form definition.","references":[{"reference_url":"https://www.drupal.org/SA-CORE-2016-001","reference_id":"","reference_type":"","scores":[],"url":"https://www.drupal.org/SA-CORE-2016-001"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3165","reference_id":"CVE-2016-3165","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3165"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52630?format=json","purl":"pkg:composer/drupal/core@8.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2989-fmjz-nkby"},{"vulnerability":"VCID-2fas-m6vh-myhc"},{"vulnerability":"VCID-2t34-82p3-73c3"},{"vulnerability":"VCID-31qy-vagp-83b6"},{"vulnerability":"VCID-3xk4-qwaq-5yaj"},{"vulnerability":"VCID-4dpp-gg2v-q3et"},{"vulnerability":"VCID-56ze-2yw2-bfh8"},{"vulnerability":"VCID-5c5c-m7ba-kqct"},{"vulnerability":"VCID-7v89-2sss-hfaz"},{"vulnerability":"VCID-9nk8-dban-g7h9"},{"vulnerability":"VCID-a3s2-c4k2-4ufn"},{"vulnerability":"VCID-a4u4-ga84-wyf9"},{"vulnerability":"VCID-a7ss-tkb6-gkge"},{"vulnerability":"VCID-ah3h-t9qa-gudr"},{"vulnerability":"VCID-ard5-3cjv-1beu"},{"vulnerability":"VCID-asm8-guag-b3ep"},{"vulnerability":"VCID-avmn-kqky-83dd"},{"vulnerability":"VCID-ay6b-1a7z-qkas"},{"vulnerability":"VCID-bq2j-t19h-zyad"},{"vulnerability":"VCID-dav9-pgdh-8yey"},{"vulnerability":"VCID-dyhz-g3nv-yuc3"},{"vulnerability":"VCID-e12q-qavs-qybu"},{"vulnerability":"VCID-e8un-nbkk-cbf9"},{"vulnerability":"VCID-egtv-y9w1-skgr"},{"vulnerability":"VCID-jrhg-3271-tqdy"},{"vulnerability":"VCID-kzrs-mrga-nyej"},{"vulnerability":"VCID-mm13-6dhq-nqfb"},{"vulnerability":"VCID-myja-t33q-q3cv"},{"vulnerability":"VCID-nacy-y1qt-5yhb"},{"vulnerability":"VCID-ng6g-hvc2-bkg4"},{"vulnerability":"VCID-p54u-b18k-jyft"},{"vulnerability":"VCID-pgnc-fq4m-3kaz"},{"vulnerability":"VCID-pmmq-8s2m-h7dp"},{"vulnerability":"VCID-pnme-dc73-efcb"},{"vulnerability":"VCID-qsuc-53pg-zkda"},{"vulnerability":"VCID-rd4g-h1j9-23cb"},{"vulnerability":"VCID-rsc6-y1uv-6bfq"},{"vulnerability":"VCID-t89y-c9hq-9bhk"},{"vulnerability":"VCID-ta99-gcmk-2qc8"},{"vulnerability":"VCID-tpzm-u3qp-akc8"},{"vulnerability":"VCID-w4ks-ufnz-vfav"},{"vulnerability":"VCID-wapd-e3mu-sffn"},{"vulnerability":"VCID-wsv7-je8g-sqet"},{"vulnerability":"VCID-wszp-2es5-z7fy"},{"vulnerability":"VCID-x34m-u169-1bce"},{"vulnerability":"VCID-y1nb-prqc-suaj"},{"vulnerability":"VCID-yq4q-hydz-vuga"},{"vulnerability":"VCID-yygb-pp11-5udj"},{"vulnerability":"VCID-zqer-y4s4-hqhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0"}],"aliases":["CVE-2016-3165"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s5qd-cpvc-c3cd"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0"}