Filtered by vendor Drupal
Subscribe
Total
834 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41184 | 6 Drupal, Fedoraproject, Jqueryui and 3 more | 35 Drupal, Fedora, Jquery Ui and 32 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. | |||||
| CVE-2021-41183 | 7 Debian, Drupal, Fedoraproject and 4 more | 36 Debian Linux, Drupal, Fedora and 33 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. | |||||
| CVE-2021-41182 | 7 Debian, Drupal, Fedoraproject and 4 more | 37 Debian Linux, Drupal, Fedora and 34 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources. | |||||
| CVE-2021-41165 | 3 Ckeditor, Drupal, Oracle | 4 Ckeditor, Drupal, Banking Apis and 1 more | 2024-11-21 | 3.5 LOW | 8.2 HIGH |
| CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. | |||||
| CVE-2021-41164 | 4 Ckeditor, Drupal, Fedoraproject and 1 more | 10 Ckeditor, Drupal, Fedora and 7 more | 2024-11-21 | 3.5 LOW | 8.2 HIGH |
| CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. | |||||
| CVE-2021-33829 | 4 Ckeditor, Debian, Drupal and 1 more | 4 Ckeditor, Debian Linux, Drupal and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. | |||||
| CVE-2020-9281 | 4 Ckeditor, Drupal, Fedoraproject and 1 more | 11 Ckeditor, Drupal, Fedora and 8 more | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). | |||||
| CVE-2020-36193 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. | |||||
| CVE-2020-35191 | 1 Drupal | 1 Drupal Docker Images | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||||
| CVE-2020-28949 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | |||||
| CVE-2020-28948 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | |||||
| CVE-2020-13688 | 1 Drupal | 1 Drupal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6. | |||||
| CVE-2020-13677 | 1 Drupal | 1 Drupal | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. | |||||
| CVE-2020-13676 | 1 Drupal | 1 Drupal | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. | |||||
| CVE-2020-13675 | 1 Drupal | 1 Drupal | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site. | |||||
| CVE-2020-13674 | 1 Drupal | 1 Drupal | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability. | |||||
| CVE-2020-13673 | 1 Drupal | 1 Entity Embed | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM |
| The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting. | |||||
| CVE-2020-13672 | 1 Drupal | 1 Drupal | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. | |||||
| CVE-2020-13671 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. | |||||
| CVE-2020-13670 | 1 Drupal | 1 Drupal | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | |||||