VYPR

Bitnami package

drupal

pkg:bitnami/drupal

Vulnerabilities (66)

  • CVE-2020-13670 (Feb 11, 2022)
    affected >= 8.8.0, < 8.8.10; fixed 8.8.10

    Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.

  • CVE-2020-13674 (Feb 11, 2022)
    affected >= 8.9.0, < 8.9.19; fixed 8.9.19

    The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed

  • CVE-2020-13675 (Feb 11, 2022)
    affected >= 8.0.0, < 8.9.19; fixed 8.9.19

    Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by

  • CVE-2020-13672 (Feb 11, 2022)
    affected < 7.80.0; fixed 7.80.0

    Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x

  • CVE-2020-13669 (Feb 11, 2022)
    affected >= 8.8.0, < 8.8.10; fixed 8.8.10

    Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows an attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

  • CVE-2020-13668 (Feb 11, 2022)
    affected >= 8.8.0, < 8.8.10; fixed 8.8.10

    Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prio

  • CVE-2021-41165 (Nov 17, 2021)
    affected >= 8.9.0, < 8.9.20; fixed 8.9.20

    CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, w

  • CVE-2021-41164 (Nov 17, 2021)
    affected >= 8.9.0, < 8.9.20; fixed 8.9.20

    CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization,

  • CVE-2021-41184 (Oct 26, 2021)
    affected >= 7.0.0, < 7.86.0; fixed 7.86.0

    jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option

  • CVE-2021-41183 (Oct 26, 2021)
    affected >= 7.0.0, < 7.86.0; fixed 7.86.0

    jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text

  • CVE-2021-41182 (Oct 26, 2021)
    affected >= 7.0.0, < 7.86.0; fixed 7.86.0

    jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altFi

  • CVE-2020-13688 (Jun 11, 2021)
    affected >= 8.8.0, < 8.8.10; fixed 8.8.10

    Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versi

  • CVE-2020-13663 (Jun 11, 2021)
    affected >= 7.0.0, < 7.72.0; fixed 7.72.0

    Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

  • CVE-2021-33829 (Jun 9, 2021)
    affected >= 8.9.0, < 8.9.16; fixed 8.9.16

    A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

  • CVE-2020-13667 (May 17, 2021)
    affected >= 8.8.0, < 8.8.10; fixed 8.8.10

    Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be a

  • CVE-2020-13664 (May 5, 2021)
    affected >= 8.8.0, < 8.8.8; fixed 8.8.8

    Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker c

  • CVE-2020-13662 (May 5, 2021)
    affected >= 7.0.0, < 7.70.1; fixed 7.70.1

    Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Core 7 version 7.70 and prior versions.

  • CVE-2020-13665 (May 5, 2021)
    affected >= 8.8.0, < 8.8.8; fixed 8.8.8

    Access bypass vulnerability in Drupal Core's JSON:API module when JSON:API is in read/write mode. Only sites that have read_only set to FALSE under the jsonapi.settings config are vulnerable. This issue affects: Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior

  • CVE-2020-13666 (May 5, 2021)
    affected >= 7.0.0, < 7.73.0; fixed 7.73.0

    Cross-site scripting vulnerability in Drupal Core. The Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior

  • CVE-2020-36193 [KEV] (Jan 18, 2021)
    affected >= 7.0.0, < 7.78.0; fixed 7.78.0

    Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.