{"url":"http://public2.vulnerablecode.io/api/packages/59238?format=json","purl":"pkg:composer/drupal/drupal@8.9.0","type":"composer","namespace":"drupal","name":"drupal","version":"8.9.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"8.9.13","latest_non_vulnerable_version":"11.0.8","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42389?format=json","vulnerability_id":"VCID-31qy-vagp-83b6","summary":"Exposure of Resource to Wrong Sphere\nInformation Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13670","reference_id":"","reference_type":"","scores":[{"value":"0.00427","scoring_system":"epss","scoring_elements":"0.62662","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13670"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d"},{"reference_url":"https://www.drupal.org/sa-core-2020-011","reference_id":"","reference_
type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-011"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13670","reference_id":"CVE-2020-13670","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13670"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml","reference_id":"CVE-2020-13670.YAML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml","reference_id":"CVE-2020-13670.YAML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml"},{"reference_url":"https://github.com/advisories/GHSA-mmjr-5q74-p3m4","reference_id":"GHSA-mmjr-5q74-p3m4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mmjr-5q74-p3m4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60642?format=json","purl":"pkg:composer/drupal/drupal@8.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vul
nerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60643?format=json","purl":"pkg:composer/drupal/drupal@9.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.6"}],"aliases":["CVE-2020-13670","GHSA-mmjr-5q74-p3m4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-31qy-vagp-83b6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53806?format=json","vulnerability_id":"VCID-5jy9-mhbb-nuh7","summary":"Deserialization of Untrusted Data\nArchive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not 
blocked.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28948.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28948.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-28948","reference_id":"","reference_type":"","scores":[{"value":"0.76873","scoring_system":"epss","scoring_elements":"0.98975","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-28948"},{"reference_url":"https://github.com/pear/Archive_Tar","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pear/Archive_Tar"},{"reference_url":"https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da"},{"reference_url":"https://github.com/pear/Archive_Tar/issues/33","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pear/Archive_Tar/issues/33"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:
H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R
/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N"},{"reference_url":"https://security.gentoo.org/glsa/202101-23","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202101-23"},{"reference_url":"https://www.debian.org/security/2020/dsa-4817","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4817"},{"reference_url":"https://www.drupa
l.org/sa-core-2020-013","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-013"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1904001","reference_id":"1904001","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1904001"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108","reference_id":"976108","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28948","reference_id":"CVE-2020-28948","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28948"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6541","reference_id":"RHSA-2022:6541","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6541"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6542","reference_id":"RHSA-2022:6542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:7340","reference_id":"RHSA-2022:7340","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:7340"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79186?format=json","purl":"pkg:composer/drupal/drupal@8.9.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67da-qxh5-aydx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.10"},{"url":"http://public2.vulnerablecode.io/api/packa
ges/249842?format=json","purl":"pkg:composer/drupal/drupal@9.0.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.0-alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/79187?format=json","purl":"pkg:composer/drupal/drupal@9.0.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67da-qxh5-aydx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.9"},{"url":"http://public2.vulnerablecode.io/api/packages/280830?format=json","purl":"pkg:composer/drupal/drupal@9.1.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.1.0-alpha1"}],"aliases":["CVE-2020-28948","GHSA-jh5x-hfhg-78jq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5jy9-mhbb-nuh7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3852?format=json","vulnerability_id":"VCID-67da-qxh5-aydx","summary":"multiple 
issues","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36193.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36193.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36193","reference_id":"","reference_type":"","scores":[{"value":"0.71148","scoring_system":"epss","scoring_elements":"0.9873","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36193"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193"},{"reference_url":"https://github.com/pear/Archive_Tar","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pear/Archive_Tar"},{"reference_url":"https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916"},{"reference_url":"https://github.com/pear/Archive_Tar/issues/35","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pear/Archive_Tar/issues/35"},{"reference_url":"htt
ps://lists.debian.org/debian-lts-announce/2021/01/msg00018.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N","reference_id":"","refer
ence_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@
lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH"},{"reference_url":"https://security.gentoo.org/glsa/202101-23","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202101-23"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-36193","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-36193"},{"reference_url":"https://www.debian.org/security/2021/dsa-4894","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring
_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-4894"},{"reference_url":"https://www.drupal.org/sa-core-2021-001","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2021-001"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942961","reference_id":"1942961","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1942961"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980428","reference_id":"980428","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980428"},{"reference_url":"https://security.archlinux.org/ASA-202102-7","reference_id":"ASA-202102-7","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202102-7"},{"reference_url":"https://security.archlinux.org/AVG-1463","reference_id":"AVG-1463","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1463"},{"reference_url":"https://security.archlinux.org/AVG-1464","reference_id":"AVG-1464","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1464"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36193","reference_id":"CVE-2020-36193","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36193"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2020-36193.yaml","reference_id":"C
VE-2020-36193.YAML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2020-36193.yaml"},{"reference_url":"https://github.com/advisories/GHSA-rpw6-9xfx-jvcx","reference_id":"GHSA-rpw6-9xfx-jvcx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rpw6-9xfx-jvcx"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6541","reference_id":"RHSA-2022:6541","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6541"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6542","reference_id":"RHSA-2022:6542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:7340","reference_id":"RHSA-2022:7340","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:7340"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79559?format=json","purl":"pkg:composer/drupal/drupal@8.9.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.13"},{"url":"http://public2.vulnerablecode.io/api/packages/249842?format=json","purl":"pkg:composer/drupal/drupal@9.0.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.0-alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/79560?format=json","purl":"pkg:composer/drupal/drupal@9.0.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.11"},{"url":"http://public2.vulnerablecode.io/api/packages/280830?fo
rmat=json","purl":"pkg:composer/drupal/drupal@9.1.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.1.0-alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/79561?format=json","purl":"pkg:composer/drupal/drupal@9.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.1.3"}],"aliases":["CVE-2020-36193","GHSA-rpw6-9xfx-jvcx"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-67da-qxh5-aydx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53808?format=json","vulnerability_id":"VCID-9dfs-rpqy-6kfa","summary":"Injection Vulnerability\narchive_tar has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still 
succeed.","references":[{"reference_url":"http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28949.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28949.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-28949","reference_id":"","reference_type":"","scores":[{"value":"0.93364","scoring_system":"epss","scoring_elements":"0.99822","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-28949"},{"reference_url":"https://github.com/pear/Archive_Tar","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pear/Archive_Tar"},{"reference_url":"https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da"},{"reference_url":"https://github.com/pear/Archive_Tar/issues/33","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_s
ystem":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pear/Archive_Tar/issues/33"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scor
ing_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvss
v3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP","
reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N"},{"reference_url":"https://security.gentoo.org/glsa/202101-23","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202101-23"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-28949","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-28949"},{"reference_url":"https://www.debian.org/security/2020/dsa-4817","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://w
ww.debian.org/security/2020/dsa-4817"},{"reference_url":"https://www.drupal.org/sa-core-2020-013","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-013"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1910323","reference_id":"1910323","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1910323"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108","reference_id":"976108","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28949","reference_id":"CVE-2020-28949","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28949"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2020-28949.yaml","reference_id":"CVE-2020-28949.YAML","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/pear/archive_tar/CVE-2020-28949.yaml"},{"reference_url":"https://github.com/advisories/GHSA-75c5-f4gw-38r9","reference_id":"GHSA-75c5-f4gw-38r9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-75c5-f4gw-38r9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6541","reference_id":"RHSA-2022:6541","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/
RHSA-2022:6541"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6542","reference_id":"RHSA-2022:6542","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6542"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:7340","reference_id":"RHSA-2022:7340","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:7340"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79186?format=json","purl":"pkg:composer/drupal/drupal@8.9.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67da-qxh5-aydx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.10"},{"url":"http://public2.vulnerablecode.io/api/packages/249842?format=json","purl":"pkg:composer/drupal/drupal@9.0.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.0-alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/79187?format=json","purl":"pkg:composer/drupal/drupal@9.0.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67da-qxh5-aydx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.9"},{"url":"http://public2.vulnerablecode.io/api/packages/280830?format=json","purl":"pkg:composer/drupal/drupal@9.1.0-alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.1.0-alpha1"}],"aliases":["CVE-2020-28949","GHSA-75c5-f4gw-38r9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9dfs-rpqy-6kfa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42386?format=json","vulnerability_id":"VCID-avmn-kqky-83dd","summary":"Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor\nCross-site Scripting 
(XSS) vulnerability in ckeditor of Drupal Core allows an attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13669","reference_id":"","reference_type":"","scores":[{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42349","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13669"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://www.drupal.org/sa-core-2020-010","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-010"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13669","reference_id":"CVE-2020-13669","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13669"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13669.yaml","reference_id":"CVE-2020-13669.YAML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/ma
ster/drupal/core/CVE-2020-13669.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml","reference_id":"CVE-2020-13669.YAML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13669.yaml"},{"reference_url":"https://github.com/advisories/GHSA-c533-c843-67h8","reference_id":"GHSA-c533-c843-67h8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c533-c843-67h8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60642?format=json","purl":"pkg:composer/drupal/drupal@8.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60643?format=json","purl":"pkg:composer/drupal/drupal@9.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.6"}],"aliases":["CVE-2020-13669","GHSA-c533-c843-67h8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-avmn-kqky-83dd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42392?format=json","vulnerability_id":"VCID-nacy-y1qt-5yhb","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nAccess Bypass vulnerability in Drupal Core allows for an attacker to leverage 
the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13668","reference_id":"","reference_type":"","scores":[{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.44935","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13668"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8"},{"reference_url":"https://github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb"},{"reference_url":"https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_
textual","scoring_elements":""}],"url":"https://github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2"},{"reference_url":"https://www.drupal.org/sa-core-2020-009","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-009"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13668","reference_id":"CVE-2020-13668","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13668"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml","reference_id":"CVE-2020-13668.YAML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml","reference_id":"CVE-2020-13668.YAML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml"},{"reference_url":"https://github.com/advisories/GHSA-m6q5-wv4x-fv6h","reference_id":"GHSA-m6q5-wv4x-fv6h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m6q5-wv4x-fv6h"}],"fixe
d_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60642?format=json","purl":"pkg:composer/drupal/drupal@8.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60643?format=json","purl":"pkg:composer/drupal/drupal@9.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.6"}],"aliases":["CVE-2020-13668","GHSA-m6q5-wv4x-fv6h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nacy-y1qt-5yhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54438?format=json","vulnerability_id":"VCID-sg4r-hncm-dqcq","summary":"Cross-site Scripting\nA cross-site scripting vulnerability exists in Drupal Core. 
Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13666","reference_id":"","reference_type":"","scores":[{"value":"0.00509","scoring_system":"epss","scoring_elements":"0.66703","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13666"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13666.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13666.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13666.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13666.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2020-007","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-007"},{"reference_url":"ht
tps://nvd.nist.gov/vuln/detail/CVE-2020-13666","reference_id":"CVE-2020-13666","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13666"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60642?format=json","purl":"pkg:composer/drupal/drupal@8.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60643?format=json","purl":"pkg:composer/drupal/drupal@9.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.6"}],"aliases":["CVE-2020-13666","GHSA-8jj2-x2gc-ggm7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sg4r-hncm-dqcq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41563?format=json","vulnerability_id":"VCID-wsv7-je8g-sqet","summary":"Drupal core Unrestricted Upload of File with Dangerous Type\nDrupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. 
This issue affects: Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13671","reference_id":"","reference_type":"","scores":[{"value":"0.04504","scoring_system":"epss","scoring_elements":"0.8932","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13671"},{"reference_url":"https://github.com/drupal/core","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/core"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437","referenc
e_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13671"},{"reference_url":"https://www.drupal.org/sa-core-2020-012","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-012"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13671","reference_id":"CVE-2020-13671","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https:/
/nvd.nist.gov/vuln/detail/CVE-2020-13671"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml","reference_id":"CVE-2020-13671.YAML","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13671.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml","reference_id":"CVE-2020-13671.YAML","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13671.yaml"},{"reference_url":"https://github.com/advisories/GHSA-68jc-v27h-vhmw","reference_id":"GHSA-68jc-v27h-vhmw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-68jc-v27h-vhmw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59242?format=json","purl":"pkg:composer/drupal/drupal@8.9.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.9"},{"url":"http://public2.vulnerablecode.io/api/packages/59243?format=json","purl":"pkg:composer/drupal/drupal@9.0.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jy9-mhbb-nuh7"},{"vulnerability":"VCID-67da-qxh5-aydx"},{"vulnerability":"VCID-9dfs-rpqy-6kfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.8"}],"aliases":["CVE-2020-1
3671","GHSA-68jc-v27h-vhmw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wsv7-je8g-sqet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54816?format=json","vulnerability_id":"VCID-xz7z-trbh-j7dk","summary":"Drupal core Arbitrary PHP code execution\nThe Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:\nCVE-2020-28948\nCVE-2020-28949\n\nMultiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.\n\nTo mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.","references":[{"reference_url":"https://github.com/drupal/drupal","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/drupal/drupal"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-11-25.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-11-25.yaml"},{"reference_url":"https://www.drupal.org/sa-core-2020-013","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/sa-core-2020-013"},{"reference_url":"https://github.com/advisories/GHSA-j66p-fvp2-fxhj","refe
rence_id":"GHSA-j66p-fvp2-fxhj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j66p-fvp2-fxhj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79186?format=json","purl":"pkg:composer/drupal/drupal@8.9.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67da-qxh5-aydx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.10"},{"url":"http://public2.vulnerablecode.io/api/packages/79187?format=json","purl":"pkg:composer/drupal/drupal@9.0.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67da-qxh5-aydx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.0.9"}],"aliases":["GHSA-j66p-fvp2-fxhj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xz7z-trbh-j7dk"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.9.0"}