Search CVE reports
21 – 30 of 129 results
CVE-2021-32610
Medium prioritySome fixes available 11 of 13
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
2 affected packages
drupal7, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
php-pear | Fixed | Fixed | Fixed | Fixed | Fixed |
CVE-2020-13663
Medium priorityCross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
CVE-2020-13665
Medium priorityAccess bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core...
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | — | Not in release | Not in release | Not in release | Not affected |
CVE-2020-13664
Medium priorityArbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file...
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | — | Not in release | Not in release | Not in release | Not affected |
CVE-2020-13662
Medium priorityOpen Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions.
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
CVE-2020-13666
Medium priorityCross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10;...
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
CVE-2020-13671
High priorityDrupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain...
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Fixed |
CVE-2020-28949
High priorityArchive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
2 affected packages
drupal7, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Fixed |
php-pear | Fixed | Fixed | Fixed | Fixed | Fixed |
CVE-2020-28948
Medium priorityArchive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
2 affected packages
drupal7, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Fixed |
php-pear | Fixed | Fixed | Fixed | Fixed | Fixed |
CVE-2019-6342
Low priorityAn access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Vulnerable |