VYPR

Bitnami package

drupal

pkg:bitnami/drupal

Vulnerabilities (66)

  • CVE-2024-22362 (Jan 16, 2024)
    affected >= 9.3.6, < 10.2.6; fixed 10.2.6

    Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition.

  • CVE-2023-5256 (Sep 28, 2023)
    affected >= 8.7.0, < 9.5.11; fixed 9.5.11

    In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:AP

  • CVE-2023-31250 (Apr 26, 2023)
    affected >= 7.0.0, < 7.96.0; fixed 7.96.0

    The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the releas

  • CVE-2022-25278 (Apr 26, 2023)
    affected >= 8.0.0, < 9.3.19; fixed 9.3.19

    Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed

  • CVE-2022-25277 (Apr 26, 2023)
    affected >= 8.0.0, < 9.3.19; fixed 9.3.19

    Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabil

  • CVE-2022-25276 (Apr 26, 2023)
    affected >= 9.3.0, < 9.3.19; fixed 9.3.19

    The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

  • CVE-2022-25275 (Apr 26, 2023)
    affected >= 7.0.0, < 7.91.0; fixed 7.91.0

    In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file

  • CVE-2022-25274 (Apr 26, 2023)
    affected >= 9.3.0, < 9.3.12; fixed 9.3.12

    Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access

  • CVE-2022-25273 (Apr 26, 2023)
    affected >= 8.0.0, < 9.2.18; fixed 9.2.18

    Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker

  • CVE-2022-39261 (Sep 28, 2022)
    affected >= 8.0.0, < 9.3.22; fixed 9.3.22

    Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbit

  • CVE-2022-31043 (Jun 9, 2022)
    affected >= 9.2.0, < 9.2.21; fixed 9.2.21

    Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Author

  • CVE-2022-31042 (Jun 9, 2022)
    affected >= 9.2.0, < 9.2.21; fixed 9.2.21

    Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server w

  • CVE-2022-29248 (May 25, 2022)
    affected >= 9.2.0, < 9.2.20; fixed 9.2.20

    Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a

  • CVE-2022-24775 (Mar 21, 2022)
    affected >= 8.0.0, < 9.2.16; fixed 9.2.16

    guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workaroun

  • CVE-2022-24729 (Mar 16, 2022)
    affected >= 8.0.0, < 9.2.15; fixed 9.2.15

    CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop r

  • CVE-2022-24728 (Mar 16, 2022)
    affected >= 8.0.0, < 9.2.15; fixed 9.2.15

    CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing

  • CVE-2022-25270 (Feb 16, 2022)
    affected >= 9.2.0, < 9.2.13; fixed 9.2.13

    The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module (which comes wit

  • CVE-2022-25271 (Feb 16, 2022)
    affected >= 7.0.0, < 7.88.0; fixed 7.88.0

    Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker

  • CVE-2020-13677 (Feb 11, 2022)
    affected >= 8.0.0, < 8.9.19; fixed 8.9.19

    Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.

  • CVE-2020-13676 (Feb 11, 2022)
    affected >= 8.9.0, < 8.9.19; fixed 8.9.19

    The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.