Skip to content

Commit cfd34d1

Browse files
authored
feat: convert details property to markdown (#40)
The OSV specification requires that this field use markdown rather than HTML
1 parent 6d98820 commit cfd34d1

428 files changed

Lines changed: 516 additions & 426 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

advisories/access_code/osv-sa-contrib-2025-028.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
],
99
"related": [],
1010
"summary": "",
11-
"details": "<p>This module enables users to log in using a short access code instead of providing a username/password combination.</p>\n<p>The module doesn't sufficiently protect against brute force attacks to guess a user's access code.</p>\n<p>This vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:</p>\n<ol>\n<li>disabling the access code login method for critical accounts</li>\n<li>monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)</li>\n</ol>",
11+
"details": "This module enables users to log in using a short access code instead of providing a username/password combination.\n\nThe module doesn't sufficiently protect against brute force attacks to guess a user's access code.\n\nThis vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:\n\n1. disabling the access code login method for critical accounts\n2. monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)",
1212
"affected": [
1313
{
1414
"package": {

advisories/acl/osv-sa-contrib-2023-034.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
"aliases": [],
77
"related": [],
88
"summary": "",
9-
"details": "<p>The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.</p>\n<p>The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.</p>\n<p>As this is an API module, it is only exploitable if a \"client\" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.</p>\n<p>This vulnerability is mitigated by the fact that an attacker typically needs an \"admin\"-type permission provided by one of ACL's client modules.</p>\n<p>Known client modules include:</p>\n<ul>\n<li>Forum Access</li>\n<li>Flexi Access</li>\n<li>Content Access</li>\n</ul>\n<p>Coordinated Security Advisories are being released for those client modules that have Security coverage.</p>",
9+
"details": "The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.\n\nThe module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.\n\nAs this is an API module, it is only exploitable if a \"client\" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker typically needs an \"admin\"-type permission provided by one of ACL's client modules.\n\nKnown client modules include:\n\n* Forum Access\n* Flexi Access\n* Content Access\n\nCoordinated Security Advisories are being released for those client modules that have Security coverage.",
1010
"affected": [
1111
{
1212
"package": {

advisories/acquia_connector/osv-sa-contrib-2019-014.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
"aliases": [],
77
"related": [],
88
"summary": "",
9-
"details": "<p>Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.</p>\n<p>The module does not properly enforce access control in a specific case, which can lead to disclosing information.</p>\n<p>The vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default.</p>",
9+
"details": "Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.\n\nThe module does not properly enforce access control in a specific case, which can lead to disclosing information.\n\nThe vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default.",
1010
"affected": [
1111
{
1212
"package": {

advisories/acquia_dam/osv-sa-contrib-2024-025.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
],
99
"related": [],
1010
"summary": "",
11-
"details": "<p>Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.</p>\n<p>The module doesn't sufficiently protect the ability to disconnect a site from DAM. While disconnected sites do not lose asset data in Drupal, it will prevent site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while disconnected.</p>",
11+
"details": "Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.\n\nThe module doesn't sufficiently protect the ability to disconnect a site from DAM. While disconnected sites do not lose asset data in Drupal, it will prevent site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while disconnected.",
1212
"affected": [
1313
{
1414
"package": {

advisories/addtoany/osv-sa-contrib-2019-039.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
"aliases": [],
77
"related": [],
88
"summary": "",
9-
"details": "<p>This module enables you to add social media share buttons on your website to its content and pages.</p>\n<p>The module doesn't sufficiently mark its administration permission restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings.</p>\n<p>This vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer addtoany\".</p>\n<p><em>This advisory was edited on March 25th to add the affected 8.x-1.11 release.</em></p>",
9+
"details": "This module enables you to add social media share buttons on your website to its content and pages.\n\nThe module doesn't sufficiently mark its administration permission restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer addtoany\".\n\n*This advisory was edited on March 25th to add the affected 8.x-1.11 release.*",
1010
"affected": [
1111
{
1212
"package": {

advisories/addtoany/osv-sa-contrib-2023-018.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
"aliases": [],
77
"related": [],
88
"summary": "",
9-
"details": "<p>This module provides social media share &amp; follow buttons.</p>\n<p>The module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block.</p>\n<p>This vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific configuration to provide this ID, as the /node/{id} page doesn't provide this value on an access denied.</p>",
9+
"details": "This module provides social media share & follow buttons.\n\nThe module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block.\n\nThis vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific configuration to provide this ID, as the /node/{id} page doesn't provide this value on an access denied.",
1010
"affected": [
1111
{
1212
"package": {

advisories/addtoany/osv-sa-contrib-2023-019.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
"aliases": [],
77
"related": [],
88
"summary": "",
9-
"details": "<p>This module provides social media share &amp; follow buttons.</p>\n<p>The module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting (XSS) vulnerability.</p>\n<p>This vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer blocks\".</p>",
9+
"details": "This module provides social media share & follow buttons.\n\nThe module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer blocks\".",
1010
"affected": [
1111
{
1212
"package": {

advisories/admin_toolbar/osv-sa-contrib-2021-025.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
"aliases": [],
77
"related": [],
88
"summary": "",
9-
"details": "<p>The <em>Admin Toolbar</em> (<code class=\"language-php\">admin_toolbar</code>) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.</p>\n<p>The <em>Admin Toolbar Search</em> sub-module of this module</p>\n<ul>\n<li>doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability. An attacker that can create or edit certain entities, entity bundles or entity types may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target users with access to the <em>Admin Toolbar Search</em> search box, including site admins with privileged access.</li>\n<li>doesn't properly check access in certain cases, which may result in an information disclosure vulnerability of entity type and bundle labels.</li>\n</ul>\n<p>The vulnerability is mitigated by the facts, that:</p>\n<ul>\n<li>the <em>Admin Toolbar Search</em> sub-module must be enabled.</li>\n<li>an attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.</li>\n<li>a targeted account must have permission to use the search box provided by the <em>Admin Toolbar Search</em> sub-module.</li>\n</ul>",
9+
"details": "The *Admin Toolbar* (`admin_toolbar`) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.\n\nThe *Admin Toolbar Search* sub-module of this module\n\n* doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability. An attacker that can create or edit certain entities, entity bundles or entity types may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target users with access to the *Admin Toolbar Search* search box, including site admins with privileged access.\n* doesn't properly check access in certain cases, which may result in an information disclosure vulnerability of entity type and bundle labels.\n\nThe vulnerability is mitigated by the facts, that:\n\n* the *Admin Toolbar Search* sub-module must be enabled.\n* an attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.\n* a targeted account must have permission to use the search box provided by the *Admin Toolbar Search* sub-module.",
1010
"affected": [
1111
{
1212
"package": {

advisories/admin_toolbar_search/osv-sa-contrib-2022-008.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
"aliases": [],
77
"related": [],
88
"summary": "",
9-
"details": "<p>The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: <a href=\"https://www.drupal.org/node/251466#procedure---own-project---unsupported\" rel=\"nofollow\">https://www.drupal.org/node/251466#procedure---own-project---unsupported</a></p>",
9+
"details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: <https://www.drupal.org/node/251466#procedure---own-project---unsupported>",
1010
"affected": [
1111
{
1212
"package": {

advisories/adtego_siteintel/osv-sa-contrib-2018-039.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
"aliases": [],
77
"related": [],
88
"summary": "",
9-
"details": "<p>The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: <a href=\"https://www.drupal.org/node/251466\" rel=\"nofollow\">https://www.drupal.org/node/251466</a>.</p>",
9+
"details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: <https://www.drupal.org/node/251466>.",
1010
"affected": [
1111
{
1212
"package": {

0 commit comments

Comments
 (0)