| Field | Value |
|---|---|
| purl | pkg:composer/drupal/core@7.0.0 |
| Tags | Ghost |
| Next non-vulnerable version | 10.4.0-beta1 |
| Latest non-vulnerable version | 11.1.0-beta1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-26et-mv1c-aaag (Aliases: CVE-2022-25275, GHSA-xh3v-6f9j-wxw3, GMS-2022-3362) | Drupal core Information Disclosure vulnerability | Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. |
| VCID-35zf-t4ak-aaae (Aliases: CVE-2019-11831, GHSA-xv7v-rf6g-xwrc) | The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | Affected by 0 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 40 other vulnerabilities. |
| VCID-38qq-7tuc-aaad (Aliases: CVE-2023-31250, GHSA-8849-cv9f-vccm) | Access bypass in Drupal core | Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-3vvp-6wh9-aaam (Aliases: CVE-2019-6339, GHSA-8cw5-rv98-5c46) | Arbitrary PHP code execution in Drupal | Affected by 0 other vulnerabilities. Affected by 42 other vulnerabilities. |
| VCID-4pjz-5ytr-aaag (Aliases: CVE-2019-6338, GHSA-6rmq-x2hv-vxpp) | Vulnerable third party libraries in certain configurations of Symfony | Affected by 42 other vulnerabilities. |
| VCID-539x-pa7r-aaaf (Aliases: CVE-2018-7600, GHSA-7fh9-933g-885p) | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. | Affected by 0 other vulnerabilities. Affected by 68 other vulnerabilities. Affected by 57 other vulnerabilities. Affected by 56 other vulnerabilities. Affected by 57 other vulnerabilities. |
| VCID-58wx-mazy-aaap (Aliases: CVE-2016-6211, GHSA-frqf-9qr4-6vxf) | Saving user accounts can sometimes grant the user all roles. The User module in Drupal allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form. | Affected by 1 other vulnerability. Affected by 81 other vulnerabilities. |
| VCID-74fe-zgpr-aaab (Aliases: GHSA-98h9-727m-44qv) | Drupal core Multiple vulnerabilities due to the use of the third-party library Archive_Tar | Affected by 0 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 46 other vulnerabilities. |
| VCID-7s25-1pn3-aaaa (Aliases: CVE-2021-33829, GHSA-rgx6-rjj4-c388) | A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. | Affected by 0 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 28 other vulnerabilities. |
| VCID-7u6e-ceud-aaap (Aliases: CVE-2011-2687, GHSA-96vx-qf28-6f8m) | Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table. | Affected by 0 other vulnerabilities. |
| VCID-ar7v-kp7q-aaaj (Aliases: CVE-2019-6340, GHSA-3gx6-h57h-rm27) | Improper Input Validation. Some field types do not properly sanitize data from non-form sources in Drupal. This can lead to arbitrary PHP code execution in some cases. | Affected by 0 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-azrn-adcp-aaas (Aliases: GHSA-6gf6-24h2-66j4) | Drupal core Open Redirect vulnerability | Affected by 1 other vulnerability. |
| VCID-cnay-ga6u-aaar (Aliases: CVE-2020-13671, GHSA-68jc-v27h-vhmw) | Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. | Affected by 0 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 29 other vulnerabilities. |
| VCID-d53w-5nj5-aaaf (Aliases: CVE-2019-6341, GHSA-cmmh-8mwp-gq5p) | In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. | Affected by 0 other vulnerabilities. Affected by 89 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. |
| VCID-d5b5-6j54-aaas (Aliases: CVE-2016-3164, GHSA-836p-6p4j-35cg) | Open redirect via path manipulation. Drupal might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on an error page, related to path manipulation. | Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities. |
| VCID-dn1c-md6b-aaab (Aliases: CVE-2016-9451, GHSA-66gr-xrcf-8jpq) | URL Redirection to Untrusted Site (Open Redirect). Confirmation forms in Drupal make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors. | Affected by 0 other vulnerabilities. Affected by 89 other vulnerabilities. Affected by 74 other vulnerabilities. |
| VCID-dwc5-nygz-aaan (Aliases: CVE-2017-6928, GHSA-66mv-q8r2-hj8w) | Incorrect Permission Assignment for Critical Resource. When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations. | Affected by 0 other vulnerabilities. Affected by 89 other vulnerabilities. |
| VCID-edah-2a2p-aaam (Aliases: 2019-03-20) | Cross-site Scripting vulnerability in drupal. | Affected by 40 other vulnerabilities. |
| VCID-evjz-sadt-aaaj (Aliases: GHSA-gxxj-g9v8-w28p) | Drupal core Arbitrary PHP code execution | Affected by 0 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 26 other vulnerabilities. |
| VCID-exc6-n24q-aaaf (Aliases: CVE-2016-3163, GHSA-h3r9-pjmr-f938) | Brute force amplification attacks via XML-RPC. The XML-RPC system in Drupal might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method. | Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities. |
| VCID-fcuw-cqny-aaae (Aliases: CVE-2017-6926, GHSA-2p28-5mvp-2j2r) | Comment reply form allows access to restricted content. Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments. | Affected by 0 other vulnerabilities. Affected by 58 other vulnerabilities. |
| VCID-fhgh-jkwa-aaah (Aliases: CVE-2020-11023, GHSA-jpcq-cgw6-v4j6) | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing `<option>` elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | Affected by 89 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 42 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-j23h-3vqp-aaaq (Aliases: CVE-2022-25271, GHSA-fmfv-x8mp-5767) | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. | Affected by 0 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-kkd1-e4k1-aaam (Aliases: CVE-2020-11022, GHSA-gxr4-xjj5-5px2) | In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | Affected by 89 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 42 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-n4xy-1371-aaab (Aliases: CVE-2016-3168, GHSA-qqxc-cppg-4xp8) | Reflected file download vulnerability. The System module in Drupal might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content. | Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities. |
| VCID-nmnf-at11-aaag (Aliases: CVE-2017-6922, GHSA-58f3-cx8p-h8jg) | Files uploaded by anonymous users accessed by other users. Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core does not provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system. | Affected by 0 other vulnerabilities. Affected by 67 other vulnerabilities. |
| VCID-p5dt-y7m6-aaaj (Aliases: CVE-2020-13666, GHSA-8jj2-x2gc-ggm7) | Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | Affected by 0 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 34 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-pk5w-rtgg-aaap (Aliases: CVE-2020-28948, GHSA-jh5x-hfhg-78jq) | Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | Affected by 30 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 23 other vulnerabilities. |
| VCID-prpe-f8kr-aaam (Aliases: CVE-2020-13672, GHSA-3m36-mjwj-352c) | Cross-site Scripting (XSS) vulnerability: Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. | Affected by 0 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 29 other vulnerabilities. |
| VCID-raxq-bt8x-aaam (Aliases: CVE-2016-3162, GHSA-w2pj-c8x5-jvg2) | Improper Access Control. The File module in Drupal allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files. | Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities. |
| VCID-rdb7-bn6u-aaaq (Aliases: CVE-2020-13662, GHSA-gjqg-9rhv-qj67) | Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions. | Affected by 89 other vulnerabilities. |
| VCID-rm92-evce-aaaa (Aliases: CVE-2016-3170, GHSA-pqv4-xgqh-j8vh) | Information Exposure. The `have you forgotten your password` links in the User module in Drupal allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in. | Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities. |
| VCID-rnsu-dzsx-aaaf (Aliases: GHSA-6mgp-v5cm-ghg5) | Drupal core Remote Code Execution | Affected by 0 other vulnerabilities. Affected by 49 other vulnerabilities. Affected by 44 other vulnerabilities. |
| VCID-rwya-unp6-aaaa (Aliases: 2018-10-17-4) | Code Injection. Injection in `DefaultMailSystem::mail()`. | Affected by 44 other vulnerabilities. |
| VCID-sdrj-zubv-aaak (Aliases: CVE-2020-13663, GHSA-m648-hpf8-qcjw) | Cross Site Request Forgery vulnerability in Drupal Core: Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. | Affected by 0 other vulnerabilities. Affected by 89 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 40 other vulnerabilities. Affected by 36 other vulnerabilities. |
| VCID-sexy-1ad2-aaab (Aliases: CVE-2017-6927, GHSA-585j-5449-mf5m) | JavaScript cross-site scripting prevention is incomplete. Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. | Affected by 0 other vulnerabilities. Affected by 58 other vulnerabilities. |
| VCID-sm3n-jw2y-aaad (Aliases: 2018-10-17-2) | URL Redirection to Untrusted Site ('Open Redirect'). External URL injection through URL aliases in drupal. | Affected by 44 other vulnerabilities. |
| VCID-snyd-uvt1-aaac (Aliases: CVE-2017-6929, GHSA-5vpr-v24w-mmjj) | Cross-site Scripting. A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. | Affected by 0 other vulnerabilities. Affected by 58 other vulnerabilities. |
| VCID-svtf-jzyy-cbg8 (Aliases: CVE-2024-55638, GHSA-gvf2-2f4g-jqf4) | Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. | Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-t73t-tzz5-aaaa (Aliases: CVE-2017-6932, GHSA-wm86-w3cf-h6vm) | URL Redirection to Untrusted Site (Open Redirect). Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site. | Affected by 0 other vulnerabilities. Affected by 58 other vulnerabilities. |
| VCID-tmu9-vjgy-aaab (Aliases: CVE-2018-7602, GHSA-297x-j9pm-xjgg) | A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. | Affected by 0 other vulnerabilities. Affected by 53 other vulnerabilities. Affected by 54 other vulnerabilities. |
| VCID-tv97-anfg-aaam (Aliases: CVE-2019-11358, GHSA-6c3j-c64m-qhgq) | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. | Affected by 89 other vulnerabilities. Affected by 37 other vulnerabilities. Affected by 37 other vulnerabilities. |
| VCID-unxt-vez2-aaad (Aliases: CVE-2020-36193, GHSA-rpw6-9xfx-jvcx) | Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. | Affected by 0 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-vwxc-s4kb-aaag (Aliases: GHSA-7f4f-p7mq-p4fv) | Drupal External URL injection through URL aliases leading to Open Redirect | Affected by 0 other vulnerabilities. Affected by 49 other vulnerabilities. Affected by 44 other vulnerabilities. |
| VCID-xmkr-w4ma-aaan (Aliases: CVE-2020-28949, GHSA-75c5-f4gw-38r9) | Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | Affected by 0 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 23 other vulnerabilities. |
| VCID-y9vf-63fm-aaad (Aliases: CVE-2016-3169, GHSA-q3p9-8728-wq7x) | Saving user accounts can sometimes grant the user all roles. The User module in Drupal allows remote attackers to gain privileges by leveraging contributed or custom code that calls the `user_save` function with an explicit category and loads all roles into the array. | Affected by 0 other vulnerabilities. Affected by 89 other vulnerabilities. |
| VCID-zjga-wdx7-aaan (Aliases: CVE-2016-9449, GHSA-p745-347h-hjfw) | Unprivileged access to taxonomy terms. Modules wishing to restrict access to taxonomy terms may be incompatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. As a result, information on taxonomy terms may be disclosed to unprivileged users. | Affected by 0 other vulnerabilities. Affected by 74 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|

This package is not known to fix vulnerabilities.