Drupal Core vulnerabilities

103 known vulnerabilities affecting drupal/core.

Total CVEs: 103
CISA KEV: 5 (actively exploited)
Public exploits: 7
Exploited in wild: 8
Severity breakdown: CRITICAL 9, HIGH 33, MEDIUM 44, LOW 5, UNKNOWN 12

Vulnerabilities

Page 2 of 6
CVE-2022-25277 | HIGH | CVSS 7.2 | Affected: ≥ 9.4, < 9.4.3; ≥ 9.3, < 9.3.19 | 2023-04-26
CWE-434. Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site
Sources: cvelistv5, ghsa, nvd, osv
CVE-2022-25275 | HIGH | CVSS 7.5 | Affected: ≥ 9.4, < 9.4.3; ≥ 9.3, < 9.3.19 (+1 more) | 2023-04-26
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or sc
Sources: cvelistv5, ghsa, nvd, osv
CVE-2023-31250 | MEDIUM | CVSS 6.5 | Affected: ≥ 7.0, < 7.96; ≥ 10.0, < 10.0.8 (+2 more) | 2023-04-26
CWE-863. The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private fil
Sources: cvelistv5, ghsa, nvd, osv
CVE-2022-25274 | MEDIUM | CVSS 5.4 | Affected: ≥ 9.3, < 9.3.12 | 2023-04-26
CWE-863. Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only
Sources: cvelistv5, ghsa, nvd, osv
CVE-2022-25276 | MEDIUM | CVSS 6.1 | Affected: ≥ 9.4, < 9.4.3; ≥ 9.3, < 9.3.19 | 2023-04-26
CWE-79. The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
Sources: cvelistv5, ghsa, nvd, osv
CVE-2022-25278 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.4, < 9.4.3; ≥ 9.3, < 9.3.19 | 2023-04-26
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
Sources: cvelistv5, ghsa, nvd, osv
CVE-2022-39261 | UNKNOWN | Affected: ≥ 8.0.0, < 9.3.22; ≥ 9.4.0, < 9.4.7 | 2022-09-28
Drupal uses the [Twig](https://twig.symfony.com/) third-party library for content templating and sanitization. [Twig has released a security update](https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader) that affects Drupal. Twig has rated the vulnerability as high severity. Drupal core's code extending Twig has also been updated to mitigate
Sources: osv
CVE-2022-31042 | UNKNOWN | Affected: ≥ 8.0.0, < 9.2.21; ≥ 9.3.0, < 9.3.16 | 2022-06-10
*Updated 22:00 UTC 2022-06-10: Added steps to update without `drupal/core-recommended`.* Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories: * [Failure to strip the Cookie header on change in host or HTTP downgrade](https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25
Sources: osv
CVE-2022-29248 | UNKNOWN | Affected: ≥ 8.0.0, < 9.2.20; ≥ 9.3.0, < 9.3.14 | 2022-05-25
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. [Guzzle has released a security update](https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3) which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites. We are issuing this security adviso
Sources: osv
CVE-2020-13665 | CRITICAL | Affected: ≥ 8.8.0, < 8.8.8; ≥ 8.9.0, < 8.9.1 (+1 more) | 2022-05-24
CWE-863. Drupal Core Access bypass vulnerability: Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.
Sources: ghsa, osv
CVE-2020-13663 | HIGH | Affected: ≥ 8.9.0, < 8.9.1; ≥ 9.0.0, < 9.0.1 (+2 more) | 2022-05-24
CWE-352. Drupal Core Cross-Site Request Forgery (CSRF) vulnerability: The Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Sources: ghsa, osv
CVE-2020-13664 | HIGH | Affected: ≥ 8.8.0, < 8.8.8; ≥ 8.9.0, < 8.9.1 (+1 more) | 2022-05-24
CWE-77. Drupal Core Arbitrary PHP code execution vulnerability: Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows serve
Sources: ghsa, osv
CVE-2020-13662 | MEDIUM | Affected: ≥ 7.0.0, < 7.70 | 2022-05-24
CWE-601. Drupal Core Open Redirect vulnerability: Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Core 7 version 7.70 and prior versions.
Sources: ghsa, osv
CVE-2020-13667 | MEDIUM | Affected: ≥ 8.8.0, < 8.8.10; ≥ 8.9.0, < 8.9.6 (+1 more) | 2022-05-24
CWE-276. Drupal Core Access bypass vulnerability: Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated
Sources: ghsa, osv
CVE-2020-13666 | MEDIUM | Affected: ≥ 8.8.0, < 8.8.10; ≥ 8.9.0, < 8.9.6 (+2 more) | 2022-05-24
CWE-79. Drupal Core Cross-site scripting vulnerability: Cross-site scripting vulnerability in Drupal Core. The Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Sources: ghsa, osv
CVE-2019-6341 | MEDIUM | Affected: ≥ 7.0.0, < 7.65.0; ≥ 8.0.0, < 8.5.14 (+1 more) | 2022-05-24
CWE-79. Drupal Cross Site Scripting (XSS) vulnerability: In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File `module/subsystem` allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Sources: ghsa, osv
CVE-2020-13688 | MEDIUM | Affected: ≥ 8.8.0, < 8.8.10; ≥ 8.9.0, < 8.9.6 (+1 more) | 2022-05-24
CWE-79. Drupal Core Cross-site scripting vulnerability: Cross-site scripting vulnerability in Drupal Core; an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Sources: ghsa, osv
CVE-2016-3162 | HIGH | Affected: ≥ 7.0, < 7.43; ≥ 8.0, < 8.0.4 | 2022-05-17
CWE-284. Drupal File upload access bypass and denial of service: The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
Sources: ghsa, osv
CVE-2016-6211 | HIGH | Affected: ≥ 7.0, < 7.44 | 2022-05-17
CWE-269. Drupal Saving user accounts can sometimes grant the user all roles: The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.
Sources: ghsa, osv
CVE-2016-3171 | HIGH | Affected: ≥ 6.0, < 6.38 | 2022-05-17
CWE-94. Drupal arbitrary code execution: Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
Sources: ghsa, osv