Search for packages
| purl | pkg:composer/drupal/core-recommended@8.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-bcv4-ry3v-aaab
Aliases: CVE-2022-39261 GHSA-52m2-vc4m-jj33 |
Twig may load a template outside a configured directory when using the filesystem loader |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-nzut-ru5h-7ydr
Aliases: CVE-2024-55634 GHSA-7cwc-fjqm-8vh8 |
Drupal core Access bypass Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-pk5w-rtgg-aaap
Aliases: CVE-2020-28948 GHSA-jh5x-hfhg-78jq |
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. |
Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-xmkr-w4ma-aaan
Aliases: CVE-2020-28949 GHSA-75c5-f4gw-38r9 |
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. |
Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-y3g8-ayqw-5fer
Aliases: CVE-2024-45440 GHSA-mg8j-w93w-xjgc |
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. |
Affected by 5 other vulnerabilities. Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-cnay-ga6u-aaar | Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. |
CVE-2020-13671
GHSA-68jc-v27h-vhmw |
| VCID-fhgh-jkwa-aaah | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
CVE-2020-11023
GHSA-jpcq-cgw6-v4j6 |
| VCID-j23h-3vqp-aaaq | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. |
CVE-2022-25271
GHSA-fmfv-x8mp-5767 |
| VCID-kkd1-e4k1-aaam | In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
CVE-2020-11022
GHSA-gxr4-xjj5-5px2 |
| VCID-p5dt-y7m6-aaaj | Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. |
CVE-2020-13666
GHSA-8jj2-x2gc-ggm7 |
| VCID-rdb7-bn6u-aaaq | Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions. |
CVE-2020-13662
GHSA-gjqg-9rhv-qj67 |
| VCID-unxt-vez2-aaad | Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. |
CVE-2020-36193
GHSA-rpw6-9xfx-jvcx |