Bitnami package
drupal
pkg:bitnami/drupal
Vulnerabilities (66)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-13671 | — | — | KEV | >= 7.0.0, < 7.74.0 | 7.74.0 | Nov 20, 2020 | Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 ver |
| CVE-2020-28948 | — | — | — | >= 7.0.0, < 7.75.0 | 7.75.0 | Nov 19, 2020 | Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. |
| CVE-2020-28949 | — | — | KEV | >= 7.0.0, < 7.75.0 | 7.75.0 | Nov 19, 2020 | Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. |
| CVE-2020-11022 | Med | 6.9 | — | >= 7.0.0, < 7.70.0 | 7.70.0 | Apr 29, 2020 | In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
| CVE-2020-11023 | — | — | KEV | >= 7.0.0, < 7.70.0 | 7.70.0 | Apr 29, 2020 | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This pro |
| CVE-2020-9281 | — | — | — | >= 8.7.0, < 8.7.12 | 8.7.12 | Mar 7, 2020 | A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). |
Page 4 of 4