Packagist (Composer) package
drupal/core
pkg:composer/drupal/core
Vulnerabilities (91)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-25277 | — | | | >= 8.0.0, < 9.3.19 | 9.3.19 | Apr 26, 2023 | Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabil |
| CVE-2022-25276 | — | | | >= 8.0.0, < 9.3.19 | 9.3.19 | Apr 26, 2023 | The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. |
| CVE-2022-25275 | — | | | >= 7.0.0, < 7.91 | 7.91 | Apr 26, 2023 | In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file |
| CVE-2022-25274 | — | | | >= 9.3.0, < 9.3.12 | 9.3.12 | Apr 26, 2023 | Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access |
| CVE-2022-25273 | — | | | >= 8.0.0, < 9.2.18 | 9.2.18 | Apr 26, 2023 | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker |
| CVE-2022-25270 | — | | | >= 9.3.0, < 9.3.6 | 9.3.6 | Feb 16, 2022 | The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module (which comes wit |
| CVE-2022-25271 | — | | | >= 9.3.0, < 9.3.6 | 9.3.6 | Feb 16, 2022 | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker |
| CVE-2020-13677 | — | | | >= 8.0.0, < 8.9.19 | 8.9.19 | Feb 11, 2022 | Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. |
| CVE-2020-13676 | — | | | >= 8.0.0, < 8.9.19 | 8.9.19 | Feb 11, 2022 | The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. |
| CVE-2020-13670 | — | | | >= 8.0.0, < 8.8.10 | 8.8.10 | Feb 11, 2022 | Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8. |
| CVE-2020-13674 | — | | | >= 8.0.0, < 8.9.19 | 8.9.19 | Feb 11, 2022 | The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed |
| CVE-2020-13675 | — | | | >= 8.0.0, < 8.9.19 | 8.9.19 | Feb 11, 2022 | Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by |
| CVE-2020-13672 | — | | | >= 7.0.0, < 7.80 | 7.80 | Feb 11, 2022 | Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x |
| CVE-2020-13669 | — | | | >= 8.0.0, < 8.8.10 | 8.8.10 | Feb 11, 2022 | Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. |
| CVE-2020-13668 | — | | | >= 8.0.0, < 8.8.10 | 8.8.10 | Feb 11, 2022 | Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prio |
| CVE-2020-13688 | — | | | >= 8.8.0, < 8.8.10 | 8.8.10 | Jun 11, 2021 | Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versi |
| CVE-2020-13663 | — | | | >= 8.9.0, < 8.9.1 | 8.9.1 | Jun 11, 2021 | Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. |
| CVE-2021-33829 | — | | | >= 7.0.0, < 7.80 | 7.80 | Jun 9, 2021 | A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. |
| CVE-2020-13667 | — | | | >= 8.8.0, < 8.8.10 | 8.8.10 | May 17, 2021 | Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be a |
| CVE-2020-13664 | — | | | >= 8.8.0, < 8.8.8 | 8.8.8 | May 5, 2021 | Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker c |
Page 2 of 5