Drupal Core vulnerabilities

CVE-2020-13665 [CRITICAL] CVE-2020-13665: Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.

CVE-2020-13664 [HIGH] CWE-77 CVE-2020-13664: Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker c Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows

CVE-2020-13662 [MEDIUM] CWE-601 CVE-2020-13662: Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially cra Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions.

CVE-2020-13666 [MEDIUM] CWE-79 CVE-2020-13666: Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

CVE-2020-13671 [HIGH] CWE-434 CVE-2020-13671: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8

CVE-2019-6342 [CRITICAL] CVE-2019-6342: An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is en An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.

CVE-2019-6341 [MEDIUM] CWE-79 CVE-2019-6341: In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

CVE-2019-6340 [HIGH] CWE-502 CVE-2019-6340: Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 a Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PAT

CVE-2019-6339 [CRITICAL] CWE-20 CVE-2019-6339: In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote c In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input,

CVE-2019-6338 [HIGH] third-party PEAR Archive_Tar library updates third-party PEAR Archive_Tar library updates In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details

CVE-2017-6922 [MEDIUM] CWE-552 CVE-2017-6922: In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been up In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access

CVE-2017-6923 [MEDIUM] CWE-862 CVE-2017-6923: In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the display In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form o

CVE-2017-6924 [HIGH] CWE-269 CVE-2017-6924: In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post c In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker

CVE-2017-6921 [MEDIUM] CWE-20 CVE-2017-6921: In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manip In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to

CVE-2018-1000888 [HIGH] CWE-502 CVE-2018-1000888: PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_ PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `ph

CVE-2017-6379 [HIGH] CWE-352 CVE-2017-6379: Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This wou Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

CVE-2017-6381 [HIGH] CWE-829 CVE-2017-6381: A 3rd party development library including with Drupal 8 development dependencies is vulnerable to re A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.

CVE-2017-6377 [HIGH] CWE-863 CVE-2017-6377: When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctl When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.