Search for packages
| purl | pkg:deb/debian/drupal7@7.52-1~bpo8%2B1 |
| Next non-vulnerable version | 7.52-2+deb9u11 |
| Latest non-vulnerable version | 7.52-2+deb9u11 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-16dd-ffqv-wygn
Aliases: CVE-2017-6922 GHSA-58f3-cx8p-h8jg |
Drupal core access bypass vulnerability In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system. |
Affected by 0 other vulnerabilities. |
|
VCID-5u4z-kd71-s7gf
Aliases: CVE-2020-13662 GHSA-gjqg-9rhv-qj67 |
Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions. |
Affected by 0 other vulnerabilities. |
|
VCID-6t29-8tt9-m7hp
Aliases: CVE-2019-6341 GHSA-cmmh-8mwp-gq5p |
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-7b3c-7vac-v7aj
Aliases: CVE-2018-7602 GHSA-297x-j9pm-xjgg |
Drupal Core Remote Code Execution Vulnerability A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. |
Affected by 0 other vulnerabilities. |
|
VCID-7wup-zkhw-9uhx
Aliases: CVE-2019-6339 GHSA-8cw5-rv98-5c46 |
Arbitrary PHP code execution in Drupal In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6, and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration. |
Affected by 0 other vulnerabilities. |
|
VCID-bemx-6h1j-37ej
Aliases: CVE-2019-11831 GHSA-xv7v-rf6g-xwrc |
Directory Traversal in typo3/phar-stream-wrapper The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. |
Affected by 0 other vulnerabilities. |
|
VCID-djr8-k9kb-6ua1
Aliases: CVE-2018-7600 GHSA-7fh9-933g-885p |
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. |
Affected by 0 other vulnerabilities. |
|
VCID-ek5c-u2d4-hqef
Aliases: CVE-2019-6338 GHSA-6rmq-x2hv-vxpp |
Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details |
Affected by 0 other vulnerabilities. |
|
VCID-eryf-r46x-2faw
Aliases: DSA-4323-1 drupal7 |
security update |
Affected by 0 other vulnerabilities. |
|
VCID-kh2e-q8be-hbhw
Aliases: CVE-2017-6928 GHSA-66mv-q8r2-hj8w |
Drupal access bypass vulnerability Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations. |
Affected by 0 other vulnerabilities. |
|
VCID-m8j1-6daq-fyf8
Aliases: CVE-2020-11023 GHSA-jpcq-cgw6-v4j6 |
Potential XSS vulnerability in jQuery ## Impact Passing HTML containing `<option>` elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. ## Workarounds To workaround this issue without upgrading, use DOMPurify with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method. |
Affected by 0 other vulnerabilities. |
|
VCID-neqa-12se-9uab
Aliases: CVE-2019-11358 GHSA-6c3j-c64m-qhgq |
Modification of Assumed-Immutable Data (MAID) Prototype pollution attack through jQuery $.extend |
Affected by 0 other vulnerabilities. |
|
VCID-p5w6-thtz-fbf7
Aliases: CVE-2017-6927 GHSA-585j-5449-mf5m |
Drupal cross-site scripting vulnerability Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. |
Affected by 0 other vulnerabilities. |
|
VCID-rra7-aq48-b3b7
Aliases: CVE-2017-6929 GHSA-5vpr-v24w-mmjj |
Drupal cross site scripting vulnerability A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module. |
Affected by 0 other vulnerabilities. |
|
VCID-thtt-r6fa-nybk
Aliases: CVE-2017-6932 GHSA-wm86-w3cf-h6vm |
Drupal external link injection vulnerability Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site. |
Affected by 0 other vulnerabilities. |
|
VCID-uhze-gqqq-4bd2
Aliases: CVE-2020-11022 GHSA-gxr4-xjj5-5px2 |
Potential XSS vulnerability in jQuery ### Impact Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. ### Patches This problem is patched in jQuery 3.5.0. ### Workarounds To workaround the issue without upgrading, adding the following to your code: ```js jQuery.htmlPrefilter = function( html ) { return html; }; ``` You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround. ### References https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/ ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue." |
Affected by 0 other vulnerabilities. |
|
VCID-xajy-d6xq-skfk
Aliases: CVE-2020-13663 GHSA-m648-hpf8-qcjw |
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||