purl: pkg:composer/drupal/drupal@8.4.0-rc2
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-26et-mv1c-aaag (Aliases: CVE-2022-25275 GHSA-xh3v-6f9j-wxw3 GMS-2022-3362) | Drupal core Information Disclosure vulnerability | Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-2bng-kza3-aaaj (Aliases: GHSA-j66p-fvp2-fxhj) | Drupal core Arbitrary PHP code execution | Affected by 19 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 20 other vulnerabilities. |
VCID-35zf-t4ak-aaae (Aliases: CVE-2019-11831 GHSA-xv7v-rf6g-xwrc) | The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | Affected by 26 other vulnerabilities. Affected by 29 other vulnerabilities. |
VCID-3nb4-kd7q-aaak (Aliases: CVE-2022-25277 GHSA-6955-67hm-vjjq GMS-2022-3361) | Drupal core arbitrary PHP code execution | Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-3vvp-6wh9-aaam (Aliases: CVE-2019-6339 GHSA-8cw5-rv98-5c46) | Arbitrary PHP code execution in Drupal | Affected by 33 other vulnerabilities. Affected by 31 other vulnerabilities. |
VCID-3yhr-5thb-aaan (Aliases: GHSA-337w-fxpq-5m34) | Drupal core uses a vulnerable third-party library, CKEditor | Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-4pjz-5ytr-aaag (Aliases: CVE-2019-6338 GHSA-6rmq-x2hv-vxpp) | Vulnerable third party libraries in certain configurations of Symfony | Affected by 33 other vulnerabilities. Affected by 31 other vulnerabilities. |
VCID-539x-pa7r-aaaf (Aliases: CVE-2018-7600 GHSA-7fh9-933g-885p) | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. | Affected by 46 other vulnerabilities. Affected by 46 other vulnerabilities. |
VCID-621d-xgjn-aaaq (Aliases: SA-CORE-2018-003) | XSS Vulnerability: CKEditor, a third-party JavaScript library included in Drupal core, is affected by a cross-site scripting (XSS) vulnerability. It's possible to execute XSS inside CKEditor when using the `image2` plugin. | Affected by 44 other vulnerabilities. Affected by 44 other vulnerabilities. |
VCID-6dwy-xd5r-aaae (Aliases: 2018-04-18) | Cross-site Scripting (XSS) vulnerability in Drupal. | Affected by 44 other vulnerabilities. Affected by 46 other vulnerabilities. Affected by 44 other vulnerabilities. |
VCID-6xgv-e6y2-aaaj (Aliases: CVE-2020-13668 GHSA-m6q5-wv4x-fv6h) | Cross-site Scripting in Drupal Core | Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
VCID-7s25-1pn3-aaaa (Aliases: CVE-2021-33829 GHSA-rgx6-rjj4-c388) | A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. | Affected by 16 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 17 other vulnerabilities. |
VCID-7y3q-9y2y-aaam (Aliases: 2018-10-17-1) | Improper Access Control in Drupal. | Affected by 33 other vulnerabilities. |
VCID-7y7x-t3r4-aaaq (Aliases: GHSA-5x28-3f32-x523) | Drupal core Access control bypass | Affected by 25 other vulnerabilities. Affected by 35 other vulnerabilities. |
VCID-93jg-mswc-aaan (Aliases: 2018-10-17-5) | Improper Access Control: In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass. | Affected by 33 other vulnerabilities. |
VCID-ar7v-kp7q-aaaj (Aliases: CVE-2019-6340 GHSA-3gx6-h57h-rm27) | Improper Input Validation: Some field types do not properly sanitize data from non-form sources in Drupal. This can lead to arbitrary PHP code execution in some cases. | Affected by 30 other vulnerabilities. |
VCID-bcv4-ry3v-aaab (Aliases: CVE-2022-39261 GHSA-52m2-vc4m-jj33) | Twig may load a template outside a configured directory when using the filesystem loader | Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-cgr1-77ur-aaar (Aliases: CVE-2022-25273 GHSA-g36h-4jr6-qmm9) | Improper input validation in Drupal core | Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
VCID-cnay-ga6u-aaar (Aliases: CVE-2020-13671 GHSA-68jc-v27h-vhmw) | Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. | Affected by 22 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 23 other vulnerabilities. |
VCID-d53w-5nj5-aaaf (Aliases: CVE-2019-6341 GHSA-cmmh-8mwp-gq5p) | In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. | Affected by 28 other vulnerabilities. Affected by 28 other vulnerabilities. |
VCID-dax7-4j13-aaam (Aliases: GHSA-x6v2-xmrq-574j) | Drupal Anonymous Open Redirect | Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-dhq8-q9ju-aaab (Aliases: GHSA-58xv-7h9r-mx3c) | Drupal Malicious file upload with filenames starting with a dot | Affected by 25 other vulnerabilities. Affected by 35 other vulnerabilities. |
VCID-dwc5-nygz-aaan (Aliases: CVE-2017-6928 GHSA-66mv-q8r2-hj8w) | Incorrect Permission Assignment for Critical Resource: When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations. | Affected by 48 other vulnerabilities. |
VCID-edah-2a2p-aaam (Aliases: 2019-03-20) | Cross-site Scripting vulnerability in Drupal. | Affected by 29 other vulnerabilities. |
VCID-edhm-1e5u-aaag (Aliases: CVE-2018-9861 GHSA-g78h-pf65-46rv) | Cross-site Scripting: Cross-site scripting (XSS) vulnerability in the Enhanced Image plugin for CKEditor. | Affected by 44 other vulnerabilities. Affected by 44 other vulnerabilities. |
VCID-esfj-nun2-aaar (Aliases: CVE-2022-24728 GHSA-4fc4-4p5g-6w89) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): CKEditor4 is an open source what-you-see-is-what-you-get HTML editor used by Drupal. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. | Affected by 15 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-fcuw-cqny-aaae (Aliases: CVE-2017-6926 GHSA-2p28-5mvp-2j2r) | Comment reply form allows access to restricted content: Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments. | Affected by 48 other vulnerabilities. |
VCID-ga8h-xve8-aaae (Aliases: CVE-2022-25276 GHSA-4wfq-jc9h-vpcx) | Lack of domain validation in Drupal core | Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-gfse-6nvz-aaap (Aliases: GHSA-r67r-42wx-c8r7) | Drupal External URL injection through URL aliases leading to Open Redirect | Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-gpjf-d56d-aaaj (Aliases: GHSA-w333-5f96-mjrr) | Drupal core Denial of Service | Affected by 25 other vulnerabilities. Affected by 35 other vulnerabilities. |
VCID-mxdp-kn3v-aaab (Aliases: CVE-2019-10909 GHSA-g996-q5r8-w7g2) | Escape validation messages in the PHP templating engine | Affected by 27 other vulnerabilities. Affected by 27 other vulnerabilities. |
VCID-nzut-ru5h-7ydr (Aliases: CVE-2024-55634 GHSA-7cwc-fjqm-8vh8) | Drupal core Access bypass: Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-prpe-f8kr-aaam (Aliases: CVE-2020-13672 GHSA-3m36-mjwj-352c) | Cross-site Scripting (XSS) vulnerability: Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. | Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. |
VCID-ptqv-hsav-aaaq (Aliases: 2018-10-17-3) | URL Redirection to Untrusted Site ('Open Redirect'): Anonymous Open Redirect in Drupal. | Affected by 33 other vulnerabilities. |
VCID-q428-p8hs-aaaa (Aliases: CVE-2022-25278 GHSA-cfh2-7f6h-3m85) | Access bypass in Drupal Core | Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-r8jq-7x4r-aaaq (Aliases: GHSA-wxfg-253g-m7r4) | Drupal core Open Redirect vulnerability | There are no reported fixed by versions. |
VCID-rpk4-gxm8-aaab (Aliases: CVE-2022-24775 GHSA-q7rv-6hp3-vh96) | Improper Input Validation in guzzlehttp/psr7 | Affected by 14 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-rvk8-qcrh-aaar (Aliases: CVE-2020-13669 GHSA-c533-c843-67h8) | Cross-site Scripting (XSS) vulnerability in the CKEditor module of Drupal Core allows an attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
VCID-rwya-unp6-aaaa (Aliases: 2018-10-17-4) | Code Injection: Injection in `DefaultMailSystem::mail()`. | Affected by 33 other vulnerabilities. |
VCID-rze1-6p9t-aaae (Aliases: GHSA-m9fv-whq2-6wmc) | Drupal core Multiple vulnerabilities due to the use of the third-party library Archive_Tar | Affected by 25 other vulnerabilities. Affected by 35 other vulnerabilities. |
VCID-s8py-wjxc-aaag (Aliases: CVE-2020-13670 GHSA-mmjr-5q74-p3m4) | Exposure of Resource to Wrong Sphere in Drupal Core | Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
VCID-sdrj-zubv-aaak (Aliases: CVE-2020-13663 GHSA-m648-hpf8-qcjw) | Cross Site Request Forgery vulnerability: the Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. | Affected by 28 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 29 other vulnerabilities. |
VCID-sexy-1ad2-aaab (Aliases: CVE-2017-6927 GHSA-585j-5449-mf5m) | JavaScript cross-site scripting prevention is incomplete: Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. | Affected by 48 other vulnerabilities. |
VCID-sm3n-jw2y-aaad (Aliases: 2018-10-17-2) | URL Redirection to Untrusted Site ('Open Redirect'): External URL injection through URL aliases in Drupal. | Affected by 33 other vulnerabilities. |
VCID-snyd-uvt1-aaac (Aliases: CVE-2017-6929 GHSA-5vpr-v24w-mmjj) | Cross-site Scripting: A jQuery cross-site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. | Affected by 48 other vulnerabilities. |
VCID-t73t-tzz5-aaaa (Aliases: CVE-2017-6932 GHSA-wm86-w3cf-h6vm) | URL Redirection to Untrusted Site (Open Redirect): Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site. | Affected by 48 other vulnerabilities. |
VCID-tmu9-vjgy-aaab (Aliases: CVE-2018-7602 GHSA-297x-j9pm-xjgg) | A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. | Affected by 43 other vulnerabilities. Affected by 43 other vulnerabilities. |
VCID-u5jw-wwpt-aaab (Aliases: GHSA-qf65-hph9-453r) | Drupal Cross-Site Scripting (XSS) affecting the CKEditor third-party library | Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 21 other vulnerabilities. |
VCID-uzqp-mr6h-aaaa (Aliases: GHSA-jf8c-36vw-98x4) | Drupal core Remote Code Execution | Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-v7k7-r3h5-aaar (Aliases: CVE-2017-6930 GHSA-3327-jr93-7hq3) | Language fallback can be incorrect on multilingual sites with node access restrictions: When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implements hook_node_access_records(). Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes. | Affected by 48 other vulnerabilities. |
VCID-x95g-fxr5-aaas (Aliases: GHSA-86xw-vmcx-9mj4) | Drupal Content moderation Access bypass | Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-y3g8-ayqw-5fer (Aliases: CVE-2024-45440 GHSA-mg8j-w93w-xjgc) | core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. | Affected by 5 other vulnerabilities. Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. |
VCID-ypm1-1edv-aaag (Aliases: GHSA-jjx7-8462-w4m4) | Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution | Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-z2pc-nq4m-aaas (Aliases: CVE-2022-24729 GHSA-f6rf-9m92-x2hh) | Improper Input Validation: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. | Affected by 15 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 7 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. |