diff --git a/advisories/access_code/DRUPAL-CONTRIB-2025-028.json b/advisories/access_code/DRUPAL-CONTRIB-2025-028.json new file mode 100644 index 00000000..5246cdc2 --- /dev/null +++ b/advisories/access_code/DRUPAL-CONTRIB-2025-028.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-028", + "modified": "2025-04-02T17:02:32.000Z", + "published": "2025-04-02T17:02:32.000Z", + "aliases": [ + "CVE-2025-3129" + ], + "details": "This module enables users to log in using a short access code instead of providing a username/password combination.\n\nThe module doesn't sufficiently protect against brute force attacks to guess a user's access code.\n\nThis vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:\n\n1. disabling the access code login method for critical accounts\n2. monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/access_code" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.4" + } + ], + "database_specific": { + "constraint": "<2.0.4" + } + } + ], + "database_specific": { + "affected_versions": "<2.0.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-028" + } + ], + "credits": [ + { + "name": "Marcin Maruszewski (marcin maruszewski)", + "contact": [ + "https://www.drupal.org/u/marcin-maruszewski" + ] + } + ] +} diff --git a/advisories/access_code/DSA-CONTRIB-2025-028.json b/advisories/access_code/DSA-CONTRIB-2025-028.json deleted file mode 100644 index 22f3c5fe..00000000 --- a/advisories/access_code/DSA-CONTRIB-2025-028.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-028", - "modified": "2025-04-02T17:02:32.000Z", - "published": "2025-04-02T17:02:32.000Z", - "aliases": [ - "CVE-2025-3129" - ], - "details": "This module enables users to log in using a short access code instead of providing a username/password combination.\n\nThe module doesn't sufficiently protect against brute force attacks to guess a user's access code.\n\nThis vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:\n\n1. disabling the access code login method for critical accounts\n2. monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/access_code" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.4" - } - ], - "database_specific": { - "constraint": "<2.0.4" - } - } - ], - "database_specific": { - "affected_versions": "<2.0.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-028" - } - ], - "credits": [ - { - "name": "Marcin Maruszewski (marcin maruszewski)", - "contact": [ - "https://www.drupal.org/u/marcin-maruszewski" - ] - } - ] -} diff --git a/advisories/acl/DRUPAL-CONTRIB-2023-034.json b/advisories/acl/DRUPAL-CONTRIB-2023-034.json new file mode 100644 index 00000000..fd1edca8 --- /dev/null +++ b/advisories/acl/DRUPAL-CONTRIB-2023-034.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-034", + "modified": "2023-08-23T18:45:47.000Z", + "published": "2023-08-23T14:51:16.000Z", + "aliases": [], + "details": "The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.\n\nThe module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.\n\nAs this is an API module, it is only exploitable if a \"client\" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker typically needs an \"admin\"-type permission provided by one of ACL's client modules.\n\nKnown client modules include:\n\n* Forum Access\n* Flexi Access\n* Content Access\n\nCoordinated Security Advisories are being released for those client modules that have Security coverage.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/acl" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0" + } + ], + "database_specific": { + "constraint": "<1.0.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-034" + } + ], + "credits": [ + { + "name": "Drew Webber", + "contact": [ + "https://www.drupal.org/user/255969" + ] + }, + { + "name": "Samuel Mortenson", + "contact": [ + "https://www.drupal.org/user/2582268" + ] + } + ] +} diff --git a/advisories/acl/DSA-CONTRIB-2023-034.json b/advisories/acl/DSA-CONTRIB-2023-034.json deleted file mode 100644 index 264436f0..00000000 --- a/advisories/acl/DSA-CONTRIB-2023-034.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-034", - "modified": "2023-08-23T18:45:47.000Z", - "published": "2023-08-23T14:51:16.000Z", - "aliases": [], - "details": "The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.\n\nThe module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.\n\nAs this is an API module, it is only exploitable if a \"client\" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker typically needs an \"admin\"-type permission provided by one of ACL's client modules.\n\nKnown client modules include:\n\n* Forum Access\n* Flexi Access\n* Content Access\n\nCoordinated Security Advisories are being released for those client modules that have Security coverage.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/acl" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.0" - } - ], - "database_specific": { - "constraint": "<1.0.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-034" - } - ], - "credits": [ - { - "name": "Drew Webber", - "contact": [ - "https://www.drupal.org/user/255969" - ] - }, - { - "name": "Samuel Mortenson", - "contact": [ - "https://www.drupal.org/user/2582268" - ] - } - ] -} diff --git a/advisories/acquia_connector/DRUPAL-CONTRIB-2019-014.json b/advisories/acquia_connector/DRUPAL-CONTRIB-2019-014.json new file mode 100644 index 00000000..f729dd6c --- /dev/null +++ b/advisories/acquia_connector/DRUPAL-CONTRIB-2019-014.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-014", + "modified": "2023-08-11T19:23:01.000Z", + "published": "2019-02-06T18:13:19.000Z", + "aliases": [], + "details": "Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.\n\nThe module does not properly enforce access control in a specific case, which can lead to disclosing information.\n\nThe vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/acquia_connector" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.16.0" + } + ], + "database_specific": { + "constraint": "<1.16.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.16.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-014" + } + ], + "credits": [ + { + "name": "Samuel Mortenson", + "contact": [ + "https://www.drupal.org/user/2582268" + ] + } + ] +} diff --git a/advisories/acquia_connector/DSA-CONTRIB-2019-014.json b/advisories/acquia_connector/DSA-CONTRIB-2019-014.json deleted file mode 100644 index 953a2699..00000000 --- a/advisories/acquia_connector/DSA-CONTRIB-2019-014.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-014", - "modified": "2023-08-11T19:23:01.000Z", - "published": "2019-02-06T18:13:19.000Z", - "aliases": [], - "details": "Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.\n\nThe module does not properly enforce access control in a specific case, which can lead to disclosing information.\n\nThe vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/acquia_connector" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.16.0" - } - ], - "database_specific": { - "constraint": "<1.16.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.16.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-014" - } - ], - "credits": [ - { - "name": "Samuel Mortenson", - "contact": [ - "https://www.drupal.org/user/2582268" - ] - } - ] -} diff --git a/advisories/acquia_dam/DRUPAL-CONTRIB-2024-025.json b/advisories/acquia_dam/DRUPAL-CONTRIB-2024-025.json new file mode 100644 index 00000000..b6e5c4e2 --- /dev/null +++ b/advisories/acquia_dam/DRUPAL-CONTRIB-2024-025.json @@ -0,0 +1,67 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-025", + "modified": "2025-02-20T19:13:15.000Z", + "published": "2024-06-05T16:45:02.000Z", + "aliases": [ + "CVE-2024-13261" + ], + "details": "Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.\n\nThe module doesn't sufficiently protect the ability to disconnect a site from DAM. While disconnected sites do not lose asset data in Drupal, it will prevent site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while disconnected.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/acquia_dam" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.13" + } + ], + "database_specific": { + "constraint": "<1.0.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.1.0-beta1" + }, + { + "fixed": "1.1.0-beta3" + } + ], + "database_specific": { + "constraint": ">=1.1.0-beta1 <1.1.0-beta3" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.13 || >=1.1.0-beta1 <1.1.0-beta3", + "patched": true + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-025" + } + ], + "credits": [ + { + "name": "Matt Glaman", + "contact": [ + "https://www.drupal.org/user/2416470" + ] + } + ] +} diff --git a/advisories/acquia_dam/DSA-CONTRIB-2024-025.json b/advisories/acquia_dam/DSA-CONTRIB-2024-025.json deleted file mode 100644 index 20e1a56d..00000000 --- a/advisories/acquia_dam/DSA-CONTRIB-2024-025.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-025", - "modified": "2025-02-20T19:13:15.000Z", - "published": "2024-06-05T16:45:02.000Z", - "aliases": [ - "CVE-2024-13261" - ], - "details": "Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.\n\nThe module doesn't sufficiently protect the ability to disconnect a site from DAM. While disconnected sites do not lose asset data in Drupal, it will prevent site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while disconnected.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/acquia_dam" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.13" - } - ], - "database_specific": { - "constraint": "<1.0.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.1.0-beta1" - }, - { - "fixed": "1.1.0-beta3" - } - ], - "database_specific": { - "constraint": ">=1.1.0-beta1 <1.1.0-beta3" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.13 || >=1.1.0-beta1 <1.1.0-beta3", - "patched": true - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-025" - } - ], - "credits": [ - { - "name": "Matt Glaman", - "contact": [ - "https://www.drupal.org/user/2416470" - ] - } - ] -} diff --git a/advisories/addtoany/DRUPAL-CONTRIB-2019-039.json b/advisories/addtoany/DRUPAL-CONTRIB-2019-039.json new file mode 100644 index 00000000..144b83f8 --- /dev/null +++ b/advisories/addtoany/DRUPAL-CONTRIB-2019-039.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-039", + "modified": "2023-08-11T18:43:25.000Z", + "published": "2019-03-20T13:26:14.000Z", + "aliases": [], + "details": "This module enables you to add social media share buttons on your website to its content and pages.\n\nThe module doesn't sufficiently mark its administration permission restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer addtoany\".\n\n*This advisory was edited on March 25th to add the affected 8.x-1.11 release.*", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/addtoany" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.11.0" + } + ], + "database_specific": { + "constraint": "<1.11.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.11.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-039" + } + ], + "credits": [ + { + "name": "Balazs Janos Tatar", + "contact": [ + "https://www.drupal.org/user/649590" + ] + } + ] +} diff --git a/advisories/addtoany/DRUPAL-CONTRIB-2023-018.json b/advisories/addtoany/DRUPAL-CONTRIB-2023-018.json new file mode 100644 index 00000000..06be29af --- /dev/null +++ b/advisories/addtoany/DRUPAL-CONTRIB-2023-018.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-018", + "modified": "2023-08-10T13:56:48.000Z", + "published": "2023-05-31T13:20:43.000Z", + "aliases": [], + "details": "This module provides social media share & follow buttons.\n\nThe module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block.\n\nThis vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific configuration to provide this ID, as the /node/{id} page doesn't provide this value on an access denied.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/addtoany" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.0" + } + ], + "database_specific": { + "constraint": "<1.21.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.4" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.4" + } + } + ], + "database_specific": { + "affected_versions": "<1.21.0 || >=2.0.0 <2.0.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-018" + } + ], + "credits": [ + { + "name": "Mitch Portier", + "contact": [ + "https://www.drupal.org/user/2284182" + ] + } + ] +} diff --git a/advisories/addtoany/DRUPAL-CONTRIB-2023-019.json b/advisories/addtoany/DRUPAL-CONTRIB-2023-019.json new file mode 100644 index 00000000..5cf48f7f --- /dev/null +++ b/advisories/addtoany/DRUPAL-CONTRIB-2023-019.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-019", + "modified": "2023-08-10T13:56:55.000Z", + "published": "2023-05-31T13:22:44.000Z", + "aliases": [], + "details": "This module provides social media share & follow buttons.\n\nThe module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer blocks\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/addtoany" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.21.0" + } + ], + "database_specific": { + "constraint": "<1.21.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.4" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.4" + } + } + ], + "database_specific": { + "affected_versions": "<1.21.0 || >=2.0.0 <2.0.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-019" + } + ], + "credits": [ + { + "name": "Mitch Portier", + "contact": [ + "https://www.drupal.org/user/2284182" + ] + } + ] +} diff --git a/advisories/addtoany/DSA-CONTRIB-2019-039.json b/advisories/addtoany/DSA-CONTRIB-2019-039.json deleted file mode 100644 index 8e161bbc..00000000 --- a/advisories/addtoany/DSA-CONTRIB-2019-039.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-039", - "modified": "2023-08-11T18:43:25.000Z", - "published": "2019-03-20T13:26:14.000Z", - "aliases": [], - "details": "This module enables you to add social media share buttons on your website to its content and pages.\n\nThe module doesn't sufficiently mark its administration permission restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer addtoany\".\n\n*This advisory was edited on March 25th to add the affected 8.x-1.11 release.*", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/addtoany" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.11.0" - } - ], - "database_specific": { - "constraint": "<1.11.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.11.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-039" - } - ], - "credits": [ - { - "name": "Balazs Janos Tatar", - "contact": [ - "https://www.drupal.org/user/649590" - ] - } - ] -} diff --git a/advisories/addtoany/DSA-CONTRIB-2023-018.json b/advisories/addtoany/DSA-CONTRIB-2023-018.json deleted file mode 100644 index 868f7ea0..00000000 --- a/advisories/addtoany/DSA-CONTRIB-2023-018.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-018", - "modified": "2023-08-10T13:56:48.000Z", - "published": "2023-05-31T13:20:43.000Z", - "aliases": [], - "details": "This module provides social media share & follow buttons.\n\nThe module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block.\n\nThis vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific configuration to provide this ID, as the /node/{id} page doesn't provide this value on an access denied.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/addtoany" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.21.0" - } - ], - "database_specific": { - "constraint": "<1.21.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.4" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.4" - } - } - ], - "database_specific": { - "affected_versions": "<1.21.0 || >=2.0.0 <2.0.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-018" - } - ], - "credits": [ - { - "name": "Mitch Portier", - "contact": [ - "https://www.drupal.org/user/2284182" - ] - } - ] -} diff --git a/advisories/addtoany/DSA-CONTRIB-2023-019.json b/advisories/addtoany/DSA-CONTRIB-2023-019.json deleted file mode 100644 index 4a23d8cb..00000000 --- a/advisories/addtoany/DSA-CONTRIB-2023-019.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-019", - "modified": "2023-08-10T13:56:55.000Z", - "published": "2023-05-31T13:22:44.000Z", - "aliases": [], - "details": "This module provides social media share & follow buttons.\n\nThe module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer blocks\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/addtoany" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.21.0" - } - ], - "database_specific": { - "constraint": "<1.21.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.4" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.4" - } - } - ], - "database_specific": { - "affected_versions": "<1.21.0 || >=2.0.0 <2.0.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-019" - } - ], - "credits": [ - { - "name": "Mitch Portier", - "contact": [ - "https://www.drupal.org/user/2284182" - ] - } - ] -} diff --git a/advisories/admin_audit_trail/DRUPAL-CONTRIB-2025-068.json b/advisories/admin_audit_trail/DRUPAL-CONTRIB-2025-068.json new file mode 100644 index 00000000..7ecea735 --- /dev/null +++ b/advisories/admin_audit_trail/DRUPAL-CONTRIB-2025-068.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-068", + "modified": "2025-05-21T17:29:14.000Z", + "published": "2025-05-21T17:29:14.000Z", + "aliases": [ + "CVE-2025-48448" + ], + "details": "The Admin Audit Trail module tracks logs of specific events that you'd like to review. When the submodule Admin Audit Trail: User Authentication is enabled, it logs user authentication events (login, logout, and password reset requests).\n\nThe module does not sufficiently limit some large values before logging the data.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/admin_audit_trail" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.5" + } + ], + "database_specific": { + "constraint": "<1.0.5" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-068" + } + ], + "credits": [ + { + "name": "Scott Phillips (scottatdrake)", + "contact": [ + "https://www.drupal.org/u/scottatdrake" + ] + } + ] +} diff --git a/advisories/admin_audit_trail/DSA-CONTRIB-2025-068.json b/advisories/admin_audit_trail/DSA-CONTRIB-2025-068.json deleted file mode 100644 index d4d74e8e..00000000 --- a/advisories/admin_audit_trail/DSA-CONTRIB-2025-068.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-068", - "modified": "2025-05-21T17:29:14.000Z", - "published": "2025-05-21T17:29:14.000Z", - "aliases": [ - "CVE-2025-48448" - ], - "details": "The Admin Audit Trail module tracks logs of specific events that you'd like to review. When the submodule Admin Audit Trail: User Authentication is enabled, it logs user authentication events (login, logout, and password reset requests).\n\nThe module does not sufficiently limit some large values before logging the data.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/admin_audit_trail" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.5" - } - ], - "database_specific": { - "constraint": "<1.0.5" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.5" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-068" - } - ], - "credits": [ - { - "name": "Scott Phillips (scottatdrake)", - "contact": [ - "https://www.drupal.org/u/scottatdrake" - ] - } - ] -} diff --git a/advisories/admin_toolbar/DRUPAL-CONTRIB-2021-025.json b/advisories/admin_toolbar/DRUPAL-CONTRIB-2021-025.json new file mode 100644 index 00000000..2e94f336 --- /dev/null +++ b/advisories/admin_toolbar/DRUPAL-CONTRIB-2021-025.json @@ -0,0 +1,78 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-025", + "modified": "2023-08-11T16:59:37.000Z", + "published": "2021-08-25T14:36:25.000Z", + "aliases": [], + "details": "The *Admin Toolbar* (`admin_toolbar`) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.\n\nThe *Admin Toolbar Search* sub-module of this module\n\n* doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability. An attacker that can create or edit certain entities, entity bundles or entity types may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target users with access to the *Admin Toolbar Search* search box, including site admins with privileged access.\n* doesn't properly check access in certain cases, which may result in an information disclosure vulnerability of entity type and bundle labels.\n\nThe vulnerability is mitigated by the facts, that:\n\n* the *Admin Toolbar Search* sub-module must be enabled.\n* an attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.\n* a targeted account must have permission to use the search box provided by the *Admin Toolbar Search* sub-module.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/admin_toolbar" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.5.0" + } + ], + "database_specific": { + "constraint": "<2.5.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "last_affected": "3.0.0" + } + ], + "database_specific": { + "constraint": "3.0.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.1" + }, + { + "last_affected": "3.0.1" + } + ], + "database_specific": { + "constraint": "3.0.1" + } + } + ], + "database_specific": { + "affected_versions": "<2.5.0 || 3.0.0 || 3.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-025" + } + ], + "credits": [ + { + "name": "Patrick Fey", + "contact": [ + "https://www.drupal.org/user/998680" + ] + } + ] +} diff --git a/advisories/admin_toolbar/DSA-CONTRIB-2021-025.json b/advisories/admin_toolbar/DSA-CONTRIB-2021-025.json deleted file mode 100644 index fbf9a151..00000000 --- a/advisories/admin_toolbar/DSA-CONTRIB-2021-025.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-025", - "modified": "2023-08-11T16:59:37.000Z", - "published": "2021-08-25T14:36:25.000Z", - "aliases": [], - "details": "The *Admin Toolbar* (`admin_toolbar`) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.\n\nThe *Admin Toolbar Search* sub-module of this module\n\n* doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability. An attacker that can create or edit certain entities, entity bundles or entity types may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target users with access to the *Admin Toolbar Search* search box, including site admins with privileged access.\n* doesn't properly check access in certain cases, which may result in an information disclosure vulnerability of entity type and bundle labels.\n\nThe vulnerability is mitigated by the facts, that:\n\n* the *Admin Toolbar Search* sub-module must be enabled.\n* an attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.\n* a targeted account must have permission to use the search box provided by the *Admin Toolbar Search* sub-module.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/admin_toolbar" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.5.0" - } - ], - "database_specific": { - "constraint": "<2.5.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.0" - }, - { - "last_affected": "3.0.0" - } - ], - "database_specific": { - "constraint": "3.0.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.1" - }, - { - "last_affected": "3.0.1" - } - ], - "database_specific": { - "constraint": "3.0.1" - } - } - ], - "database_specific": { - "affected_versions": "<2.5.0 || 3.0.0 || 3.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-025" - } - ], - "credits": [ - { - "name": "Patrick Fey", - "contact": [ - "https://www.drupal.org/user/998680" - ] - } - ] -} diff --git a/advisories/admin_toolbar_search/DRUPAL-CONTRIB-2022-008.json b/advisories/admin_toolbar_search/DRUPAL-CONTRIB-2022-008.json new file mode 100644 index 00000000..3d31a4a9 --- /dev/null +++ b/advisories/admin_toolbar_search/DRUPAL-CONTRIB-2022-008.json @@ -0,0 +1,40 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-008", + "modified": "2023-08-11T14:01:01.000Z", + "published": "2022-01-25T18:36:22.000Z", + "aliases": [], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/admin_toolbar_search" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-008" + } + ], + "credits": [] +} diff --git a/advisories/admin_toolbar_search/DSA-CONTRIB-2022-008.json b/advisories/admin_toolbar_search/DSA-CONTRIB-2022-008.json deleted file mode 100644 index 8b0bfefd..00000000 --- a/advisories/admin_toolbar_search/DSA-CONTRIB-2022-008.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-008", - "modified": "2023-08-11T14:01:01.000Z", - "published": "2022-01-25T18:36:22.000Z", - "aliases": [], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/admin_toolbar_search" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-008" - } - ], - "credits": [] -} diff --git a/advisories/adtego_siteintel/DRUPAL-CONTRIB-2018-039.json b/advisories/adtego_siteintel/DRUPAL-CONTRIB-2018-039.json new file mode 100644 index 00000000..a3ee8e6d --- /dev/null +++ b/advisories/adtego_siteintel/DRUPAL-CONTRIB-2018-039.json @@ -0,0 +1,47 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-039", + "modified": "2023-08-11T21:29:11.000Z", + "published": "2018-06-06T13:01:46.000Z", + "aliases": [], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: .", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/adtego_siteintel" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-039" + } + ], + "credits": [ + { + "name": "Jean-Francois Hovinne", + "contact": [ + "https://www.drupal.org/u/jfhovinne" + ] + } + ] +} diff --git a/advisories/adtego_siteintel/DSA-CONTRIB-2018-039.json b/advisories/adtego_siteintel/DSA-CONTRIB-2018-039.json deleted file mode 100644 index 980b432a..00000000 --- a/advisories/adtego_siteintel/DSA-CONTRIB-2018-039.json +++ /dev/null @@ -1,47 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-039", - "modified": "2023-08-11T21:29:11.000Z", - "published": "2018-06-06T13:01:46.000Z", - "aliases": [], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: .", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/adtego_siteintel" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-039" - } - ], - "credits": [ - { - "name": "Jean-Francois Hovinne", - "contact": [ - "https://www.drupal.org/u/jfhovinne" - ] - } - ] -} diff --git a/advisories/adv_varnish/DRUPAL-CONTRIB-2024-033.json b/advisories/adv_varnish/DRUPAL-CONTRIB-2024-033.json new file mode 100644 index 00000000..4efc4cde --- /dev/null +++ b/advisories/adv_varnish/DRUPAL-CONTRIB-2024-033.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-033", + "modified": "2025-02-20T19:24:02.000Z", + "published": "2024-08-28T15:32:41.000Z", + "aliases": [ + "CVE-2024-13269" + ], + "details": "This module enables you to cache pages for logged in users at the Varnish level.\n\nThe Varnish bin names may be guessable when no hashing noise configuration is set on the module configuration page, which would ultimately allow any user to view cached pages that were intended for other roles when guessing such a bin name.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/adv_varnish" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.0.11" + } + ], + "database_specific": { + "constraint": "<4.0.11" + } + } + ], + "database_specific": { + "affected_versions": "<4.0.11" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-033" + } + ], + "credits": [ + { + "name": "Heine Deelstra", + "contact": [ + "https://www.drupal.org/user/17943" + ] + } + ] +} diff --git a/advisories/adv_varnish/DSA-CONTRIB-2024-033.json b/advisories/adv_varnish/DSA-CONTRIB-2024-033.json deleted file mode 100644 index 80b82490..00000000 --- a/advisories/adv_varnish/DSA-CONTRIB-2024-033.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-033", - "modified": "2025-02-20T19:24:02.000Z", - "published": "2024-08-28T15:32:41.000Z", - "aliases": [ - "CVE-2024-13269" - ], - "details": "This module enables you to cache pages for logged in users at the Varnish level.\n\nThe Varnish bin names may be guessable when no hashing noise configuration is set on the module configuration page, which would ultimately allow any user to view cached pages that were intended for other roles when guessing such a bin name.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/adv_varnish" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4.0.11" - } - ], - "database_specific": { - "constraint": "<4.0.11" - } - } - ], - "database_specific": { - "affected_versions": "<4.0.11" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-033" - } - ], - "credits": [ - { - "name": "Heine Deelstra", - "contact": [ - "https://www.drupal.org/user/17943" - ] - } - ] -} diff --git a/advisories/advanced_file_destination/DRUPAL-CONTRIB-2025-057.json b/advisories/advanced_file_destination/DRUPAL-CONTRIB-2025-057.json new file mode 100644 index 00000000..6ed15b38 --- /dev/null +++ b/advisories/advanced_file_destination/DRUPAL-CONTRIB-2025-057.json @@ -0,0 +1,47 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-057", + "modified": "2025-05-14T19:39:43.000Z", + "published": "2025-05-14T18:04:31.000Z", + "aliases": [], + "details": "The Advanced File Destination module enhances file upload management in Drupal by allowing users to choose and create custom directories during file uploads.\n\nThe module has multiple vulnerabilities that were reported through the Drupal Security Team's coordinated vulnerability process. The project maintainer did not follow the terms and conditions for hosting projects on drupal.org that are opted into security coverage, so the module is losing its security coverage. The private issues may be made public at the discretion of the reporter and maintainer.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/advanced_file_destination" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-057" + } + ], + "credits": [ + { + "name": "Conrad Lara (cmlara)", + "contact": [ + "https://www.drupal.org/u/cmlara" + ] + } + ] +} diff --git a/advisories/advanced_file_destination/DSA-CONTRIB-2025-057.json b/advisories/advanced_file_destination/DSA-CONTRIB-2025-057.json deleted file mode 100644 index e552ae1e..00000000 --- a/advisories/advanced_file_destination/DSA-CONTRIB-2025-057.json +++ /dev/null @@ -1,47 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-057", - "modified": "2025-05-14T19:39:43.000Z", - "published": "2025-05-14T18:04:31.000Z", - "aliases": [], - "details": "The Advanced File Destination module enhances file upload management in Drupal by allowing users to choose and create custom directories during file uploads.\n\nThe module has multiple vulnerabilities that were reported through the Drupal Security Team's coordinated vulnerability process. The project maintainer did not follow the terms and conditions for hosting projects on drupal.org that are opted into security coverage, so the module is losing its security coverage. The private issues may be made public at the discretion of the reporter and maintainer.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/advanced_file_destination" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-057" - } - ], - "credits": [ - { - "name": "Conrad Lara (cmlara)", - "contact": [ - "https://www.drupal.org/u/cmlara" - ] - } - ] -} diff --git a/advisories/advanced_pwa/DRUPAL-CONTRIB-2024-017.json b/advisories/advanced_pwa/DRUPAL-CONTRIB-2024-017.json new file mode 100644 index 00000000..3eaf805a --- /dev/null +++ b/advisories/advanced_pwa/DRUPAL-CONTRIB-2024-017.json @@ -0,0 +1,58 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-017", + "modified": "2025-02-20T18:44:32.000Z", + "published": "2024-04-24T13:16:40.000Z", + "aliases": [ + "CVE-2024-13253" + ], + "details": "Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications.\n\nThis module doesn't sufficiently protect access to the settings form, allowing an unauthorized malicious user to view and modify the module settings.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/advanced_pwa" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.0" + } + ], + "database_specific": { + "constraint": "<1.5.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.5.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-017" + } + ], + "credits": [ + { + "name": "Andre Groendijk", + "contact": [ + "https://www.drupal.org/user/3734548" + ] + }, + { + "name": "Matthew Grasmick", + "contact": [ + "https://www.drupal.org/user/455714" + ] + } + ] +} diff --git a/advisories/advanced_pwa/DSA-CONTRIB-2024-017.json b/advisories/advanced_pwa/DSA-CONTRIB-2024-017.json deleted file mode 100644 index 8c7ad82c..00000000 --- a/advisories/advanced_pwa/DSA-CONTRIB-2024-017.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-017", - "modified": "2025-02-20T18:44:32.000Z", - "published": "2024-04-24T13:16:40.000Z", - "aliases": [ - "CVE-2024-13253" - ], - "details": "Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications.\n\nThis module doesn't sufficiently protect access to the settings form, allowing an unauthorized malicious user to view and modify the module settings.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/advanced_pwa" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.5.0" - } - ], - "database_specific": { - "constraint": "<1.5.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.5.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-017" - } - ], - "credits": [ - { - "name": "Andre Groendijk", - "contact": [ - "https://www.drupal.org/user/3734548" - ] - }, - { - "name": "Matthew Grasmick", - "contact": [ - "https://www.drupal.org/user/455714" - ] - } - ] -} diff --git a/advisories/ai/DRUPAL-CONTRIB-2025-003.json b/advisories/ai/DRUPAL-CONTRIB-2025-003.json new file mode 100644 index 00000000..74d0559a --- /dev/null +++ b/advisories/ai/DRUPAL-CONTRIB-2025-003.json @@ -0,0 +1,53 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-003", + "modified": "2025-03-31T22:03:43.000Z", + "published": "2025-01-15T15:58:05.000Z", + "aliases": [ + "CVE-2025-31677" + ], + "details": "The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI (from multiple vendors). The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface.\n\nThe AI Chatbot module doesn't protect against Cross Site Request Forgeries in the Deepchat chatbot. This could allow an attacker to craft a scenario that can forge a request on behalf of a privileged user. When combined with the AI Search submodule, this could result in the AI Assistant exposing indexed data that the attacker should not have access to. When combined with the external AI Agent module, this could result in the AI Assistant exposing and allowing modification of site configuration of fields, content types, and vocabularies. Sites with custom built agents, with more privileged access, could be at greater risk from an exploit of this vulnerability.\n\nThis vulnerability is mitigated by:\n\n* The targeted user needs to have an active session with a role with the \"access deepchat api\" permission and permission to assistants.\n* To extract data, the target site must have a permissive CORS policy allowing the attacking site to read the result of a cross origin request.\n* To modify data, the targeted user must have permission to use the configured agents.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/ai" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "1.0.2" + } + ], + "database_specific": { + "constraint": ">=1.0.0 <1.0.2" + } + } + ], + "database_specific": { + "affected_versions": ">=1.0.0 <1.0.2", + "patched": true + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-003" + } + ], + "credits": [ + { + "name": "Marcus Johansson", + "contact": [ + "https://www.drupal.org/user/385947" + ] + } + ] +} diff --git a/advisories/ai/DRUPAL-CONTRIB-2025-004.json b/advisories/ai/DRUPAL-CONTRIB-2025-004.json new file mode 100644 index 00000000..faecd4bf --- /dev/null +++ b/advisories/ai/DRUPAL-CONTRIB-2025-004.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-004", + "modified": "2025-05-29T18:26:44.000Z", + "published": "2025-01-22T16:50:12.000Z", + "aliases": [ + "CVE-2025-31678" + ], + "details": "The AI logging sub-module enables you to log AI requests and responses for debugging and auditing purposes.\n\nThe module doesn't sufficiently check for access to view the preview listing of the logs. Full log details are correctly protected, and API keys are never logged.\n\nThis vulnerability is mitigated by the fact that it only affects sites using the AI Logging sub-module with 'Log requests' enabled in the AI Logging configuration page.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/ai" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.3" + } + ], + "database_specific": { + "constraint": "<1.0.3" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-004" + } + ], + "credits": [ + { + "name": "Mingsong", + "contact": [ + "https://www.drupal.org/user/2986445" + ] + } + ] +} diff --git a/advisories/ai/DRUPAL-CONTRIB-2025-021.json b/advisories/ai/DRUPAL-CONTRIB-2025-021.json new file mode 100644 index 00000000..953bcf52 --- /dev/null +++ b/advisories/ai/DRUPAL-CONTRIB-2025-021.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-021", + "modified": "2025-03-31T22:06:37.000Z", + "published": "2025-03-05T17:18:25.000Z", + "aliases": [ + "CVE-2025-31692" + ], + "details": "The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out field data using LLM outputs.\n\nThe module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrary commands.\n\nThe vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.\n\nThe AI module is included in Drupal CMS.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/ai" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.5" + } + ], + "database_specific": { + "constraint": "<1.0.5" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-021" + } + ], + "credits": [ + { + "name": "Drew Webber (mcdruid)", + "contact": [ + "https://www.drupal.org/u/mcdruid" + ] + } + ] +} diff --git a/advisories/ai/DRUPAL-CONTRIB-2025-022.json b/advisories/ai/DRUPAL-CONTRIB-2025-022.json new file mode 100644 index 00000000..16a0d482 --- /dev/null +++ b/advisories/ai/DRUPAL-CONTRIB-2025-022.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-022", + "modified": "2025-03-31T22:06:45.000Z", + "published": "2025-03-05T17:27:19.000Z", + "aliases": [ + "CVE-2025-31693" + ], + "details": "The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out a field data using LLM outputs.\n\nThe module contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It may be possible to escalate this attack to Remote Code Execution. It is not directly exploitable.\n\nThis issue is mitigated by the fact that for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. The potential vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.\n\nThe AI module is included in Drupal CMS.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/ai" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.5" + } + ], + "database_specific": { + "constraint": "<1.0.5" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-022" + } + ], + "credits": [ + { + "name": "Drew Webber (mcdruid)", + "contact": [ + "https://www.drupal.org/u/mcdruid" + ] + } + ] +} diff --git a/advisories/ai/DSA-CONTRIB-2025-003.json b/advisories/ai/DSA-CONTRIB-2025-003.json deleted file mode 100644 index e112b76a..00000000 --- a/advisories/ai/DSA-CONTRIB-2025-003.json +++ /dev/null @@ -1,53 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-003", - "modified": "2025-03-31T22:03:43.000Z", - "published": "2025-01-15T15:58:05.000Z", - "aliases": [ - "CVE-2025-31677" - ], - "details": "The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI (from multiple vendors). The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface.\n\nThe AI Chatbot module doesn't protect against Cross Site Request Forgeries in the Deepchat chatbot. This could allow an attacker to craft a scenario that can forge a request on behalf of a privileged user. When combined with the AI Search submodule, this could result in the AI Assistant exposing indexed data that the attacker should not have access to. When combined with the external AI Agent module, this could result in the AI Assistant exposing and allowing modification of site configuration of fields, content types, and vocabularies. Sites with custom built agents, with more privileged access, could be at greater risk from an exploit of this vulnerability.\n\nThis vulnerability is mitigated by:\n\n* The targeted user needs to have an active session with a role with the \"access deepchat api\" permission and permission to assistants.\n* To extract data, the target site must have a permissive CORS policy allowing the attacking site to read the result of a cross origin request.\n* To modify data, the targeted user must have permission to use the configured agents.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/ai" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.0.0" - }, - { - "fixed": "1.0.2" - } - ], - "database_specific": { - "constraint": ">=1.0.0 <1.0.2" - } - } - ], - "database_specific": { - "affected_versions": ">=1.0.0 <1.0.2", - "patched": true - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-003" - } - ], - "credits": [ - { - "name": "Marcus Johansson", - "contact": [ - "https://www.drupal.org/user/385947" - ] - } - ] -} diff --git a/advisories/ai/DSA-CONTRIB-2025-004.json b/advisories/ai/DSA-CONTRIB-2025-004.json deleted file mode 100644 index a0ca7747..00000000 --- a/advisories/ai/DSA-CONTRIB-2025-004.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-004", - "modified": "2025-05-29T18:26:44.000Z", - "published": "2025-01-22T16:50:12.000Z", - "aliases": [ - "CVE-2025-31678" - ], - "details": "The AI logging sub-module enables you to log AI requests and responses for debugging and auditing purposes.\n\nThe module doesn't sufficiently check for access to view the preview listing of the logs. Full log details are correctly protected, and API keys are never logged.\n\nThis vulnerability is mitigated by the fact that it only affects sites using the AI Logging sub-module with 'Log requests' enabled in the AI Logging configuration page.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/ai" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.3" - } - ], - "database_specific": { - "constraint": "<1.0.3" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-004" - } - ], - "credits": [ - { - "name": "Mingsong", - "contact": [ - "https://www.drupal.org/user/2986445" - ] - } - ] -} diff --git a/advisories/ai/DSA-CONTRIB-2025-021.json b/advisories/ai/DSA-CONTRIB-2025-021.json deleted file mode 100644 index 0b27ea1d..00000000 --- a/advisories/ai/DSA-CONTRIB-2025-021.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-021", - "modified": "2025-03-31T22:06:37.000Z", - "published": "2025-03-05T17:18:25.000Z", - "aliases": [ - "CVE-2025-31692" - ], - "details": "The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out field data using LLM outputs.\n\nThe module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrary commands.\n\nThe vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.\n\nThe AI module is included in Drupal CMS.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/ai" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.5" - } - ], - "database_specific": { - "constraint": "<1.0.5" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.5" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-021" - } - ], - "credits": [ - { - "name": "Drew Webber (mcdruid)", - "contact": [ - "https://www.drupal.org/u/mcdruid" - ] - } - ] -} diff --git a/advisories/ai/DSA-CONTRIB-2025-022.json b/advisories/ai/DSA-CONTRIB-2025-022.json deleted file mode 100644 index 770b3a6b..00000000 --- a/advisories/ai/DSA-CONTRIB-2025-022.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-022", - "modified": "2025-03-31T22:06:45.000Z", - "published": "2025-03-05T17:27:19.000Z", - "aliases": [ - "CVE-2025-31693" - ], - "details": "The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out a field data using LLM outputs.\n\nThe module contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It may be possible to escalate this attack to Remote Code Execution. It is not directly exploitable.\n\nThis issue is mitigated by the fact that for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. The potential vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.\n\nThe AI module is included in Drupal CMS.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/ai" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.5" - } - ], - "database_specific": { - "constraint": "<1.0.5" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.5" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-022" - } - ], - "credits": [ - { - "name": "Drew Webber (mcdruid)", - "contact": [ - "https://www.drupal.org/u/mcdruid" - ] - } - ] -} diff --git a/advisories/ai_seo_link_advisor/DRUPAL-CONTRIB-2025-095.json b/advisories/ai_seo_link_advisor/DRUPAL-CONTRIB-2025-095.json new file mode 100644 index 00000000..fa8a08ac --- /dev/null +++ b/advisories/ai_seo_link_advisor/DRUPAL-CONTRIB-2025-095.json @@ -0,0 +1,58 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-095", + "modified": "2025-08-06T16:50:43.000Z", + "published": "2025-08-06T16:50:43.000Z", + "aliases": [ + "CVE-2025-8675" + ], + "details": "This module enables you to provide SEO analysis and recommendations for a given URL.\n\nThe module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery (SSRF) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"access seo analyzer\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/ai_seo_link_advisor" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.6" + } + ], + "database_specific": { + "constraint": "<1.0.6" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-095" + } + ], + "credits": [ + { + "name": "Alberto Cocchiara (bigbabert)", + "contact": [ + "https://www.drupal.org/u/bigbabert" + ] + }, + { + "name": "Conrad Lara (cmlara)", + "contact": [ + "https://www.drupal.org/u/cmlara" + ] + } + ] +} diff --git a/advisories/ai_seo_link_advisor/DSA-CONTRIB-2025-095.json b/advisories/ai_seo_link_advisor/DSA-CONTRIB-2025-095.json deleted file mode 100644 index be474f4d..00000000 --- a/advisories/ai_seo_link_advisor/DSA-CONTRIB-2025-095.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-095", - "modified": "2025-08-06T16:50:43.000Z", - "published": "2025-08-06T16:50:43.000Z", - "aliases": [ - "CVE-2025-8675" - ], - "details": "This module enables you to provide SEO analysis and recommendations for a given URL.\n\nThe module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery (SSRF) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"access seo analyzer\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/ai_seo_link_advisor" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.6" - } - ], - "database_specific": { - "constraint": "<1.0.6" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-095" - } - ], - "credits": [ - { - "name": "Alberto Cocchiara (bigbabert)", - "contact": [ - "https://www.drupal.org/u/bigbabert" - ] - }, - { - "name": "Conrad Lara (cmlara)", - "contact": [ - "https://www.drupal.org/u/cmlara" - ] - } - ] -} diff --git a/advisories/all_extensions/DRUPAL-CONTRIB-2024-075.json b/advisories/all_extensions/DRUPAL-CONTRIB-2024-075.json new file mode 100644 index 00000000..6c9b481b --- /dev/null +++ b/advisories/all_extensions/DRUPAL-CONTRIB-2024-075.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-075", + "modified": "2025-02-20T20:08:28.000Z", + "published": "2024-12-11T14:31:11.000Z", + "aliases": [ + "CVE-2024-13311" + ], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/all_extensions" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-075" + } + ], + "credits": [] +} diff --git a/advisories/all_extensions/DSA-CONTRIB-2024-075.json b/advisories/all_extensions/DSA-CONTRIB-2024-075.json deleted file mode 100644 index 48c23fab..00000000 --- a/advisories/all_extensions/DSA-CONTRIB-2024-075.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-075", - "modified": "2025-02-20T20:08:28.000Z", - "published": "2024-12-11T14:31:11.000Z", - "aliases": [ - "CVE-2024-13311" - ], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/all_extensions" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-075" - } - ], - "credits": [] -} diff --git a/advisories/alogin/DRUPAL-CONTRIB-2025-009.json b/advisories/alogin/DRUPAL-CONTRIB-2025-009.json new file mode 100644 index 00000000..133a52fa --- /dev/null +++ b/advisories/alogin/DRUPAL-CONTRIB-2025-009.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-009", + "modified": "2025-03-31T22:04:22.000Z", + "published": "2025-01-29T16:54:02.000Z", + "aliases": [ + "CVE-2025-31681" + ], + "details": "This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones.\n\nThe module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/alogin" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.6" + } + ], + "database_specific": { + "constraint": "<2.0.6" + } + } + ], + "database_specific": { + "affected_versions": "<2.0.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-009" + } + ], + "credits": [ + { + "name": "Ahmed Raza", + "contact": [ + "https://www.drupal.org/user/3007075" + ] + } + ] +} diff --git a/advisories/alogin/DSA-CONTRIB-2025-009.json b/advisories/alogin/DSA-CONTRIB-2025-009.json deleted file mode 100644 index 94b4c009..00000000 --- a/advisories/alogin/DSA-CONTRIB-2025-009.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-009", - "modified": "2025-03-31T22:04:22.000Z", - "published": "2025-01-29T16:54:02.000Z", - "aliases": [ - "CVE-2025-31681" - ], - "details": "This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones.\n\nThe module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/alogin" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.6" - } - ], - "database_specific": { - "constraint": "<2.0.6" - } - } - ], - "database_specific": { - "affected_versions": "<2.0.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-009" - } - ], - "credits": [ - { - "name": "Ahmed Raza", - "contact": [ - "https://www.drupal.org/user/3007075" - ] - } - ] -} diff --git a/advisories/anonymousredirect/DRUPAL-CONTRIB-2022-005.json b/advisories/anonymousredirect/DRUPAL-CONTRIB-2022-005.json new file mode 100644 index 00000000..33e2b6b9 --- /dev/null +++ b/advisories/anonymousredirect/DRUPAL-CONTRIB-2022-005.json @@ -0,0 +1,40 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-005", + "modified": "2023-08-11T14:03:48.000Z", + "published": "2022-01-25T18:35:09.000Z", + "aliases": [], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/anonymousredirect" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-005" + } + ], + "credits": [] +} diff --git a/advisories/anonymousredirect/DSA-CONTRIB-2022-005.json b/advisories/anonymousredirect/DSA-CONTRIB-2022-005.json deleted file mode 100644 index 36215bb6..00000000 --- a/advisories/anonymousredirect/DSA-CONTRIB-2022-005.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-005", - "modified": "2023-08-11T14:03:48.000Z", - "published": "2022-01-25T18:35:09.000Z", - "aliases": [], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/anonymousredirect" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-005" - } - ], - "credits": [] -} diff --git a/advisories/apigee_edge/DRUPAL-CONTRIB-2020-028.json b/advisories/apigee_edge/DRUPAL-CONTRIB-2020-028.json new file mode 100644 index 00000000..76b31d97 --- /dev/null +++ b/advisories/apigee_edge/DRUPAL-CONTRIB-2020-028.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2020-028", + "modified": "2023-08-11T17:49:38.000Z", + "published": "2020-07-22T18:48:10.000Z", + "aliases": [], + "details": "The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an \"Apigee Edge Teams\" submodule that provides shared app functionality by allowing developers to be organized into teams.\n\nThe \"Apigee Edge Teams\" submodule has an information disclosure vulnerability. The \"Add team member\" form displays an email autocomplete field which can expose the email addresses of other accounts in the system.\n\nThis vulnerability is mitigated by the fact that to have access to the form, the site must have the Apigee Edge Teams submodule enabled, and the user must have a team role that has the \"Manage team members\" permission. (Note that team roles and permissions are not related to Drupal core roles and permissions).", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/apigee_edge" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.0" + } + ], + "database_specific": { + "constraint": "<1.12.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.12.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2020-028" + } + ], + "credits": [ + { + "name": "Arlina Espinoza Rhoton", + "contact": [ + "https://www.drupal.org/user/1055344" + ] + } + ] +} diff --git a/advisories/apigee_edge/DRUPAL-CONTRIB-2021-020.json b/advisories/apigee_edge/DRUPAL-CONTRIB-2021-020.json new file mode 100644 index 00000000..4ed4e252 --- /dev/null +++ b/advisories/apigee_edge/DRUPAL-CONTRIB-2021-020.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-020", + "modified": "2023-08-11T17:11:13.000Z", + "published": "2021-06-30T16:39:06.000Z", + "aliases": [], + "details": "The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal.\n\nThe module did not properly validate user access for data creation in certain circumstances.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/apigee_edge" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.12.0" + } + ], + "database_specific": { + "constraint": "<1.12.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.12.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-020" + } + ], + "credits": [ + { + "name": "trebde", + "contact": [ + "https://www.drupal.org/user/3629605" + ] + } + ] +} diff --git a/advisories/apigee_edge/DRUPAL-CONTRIB-2022-045.json b/advisories/apigee_edge/DRUPAL-CONTRIB-2022-045.json new file mode 100644 index 00000000..452a0f28 --- /dev/null +++ b/advisories/apigee_edge/DRUPAL-CONTRIB-2022-045.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-045", + "modified": "2023-08-10T21:35:00.000Z", + "published": "2022-05-25T17:03:55.000Z", + "aliases": [], + "details": "The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. The developers (user) can view API keys for their respective Apps.\n\nThe module discloses information by allowing attackers to view cached information of API Keys from the browser cache for a limited time frame after the user login on the same computer.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/apigee_edge" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.26.0" + } + ], + "database_specific": { + "constraint": "<1.26.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.3" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.3" + } + } + ], + "database_specific": { + "affected_versions": "<1.26.0 || >=2.0.0 <2.0.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-045" + } + ], + "credits": [ + { + "name": "Dezs\u0151 BICZ\u00d3", + "contact": [ + "https://www.drupal.org/user/315522" + ] + } + ] +} diff --git a/advisories/apigee_edge/DRUPAL-CONTRIB-2023-005.json b/advisories/apigee_edge/DRUPAL-CONTRIB-2023-005.json new file mode 100644 index 00000000..058ff05d --- /dev/null +++ b/advisories/apigee_edge/DRUPAL-CONTRIB-2023-005.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-005", + "modified": "2023-08-10T14:23:38.000Z", + "published": "2023-02-01T16:13:42.000Z", + "aliases": [], + "details": "The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.\n\nPrevious module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/apigee_edge" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.27.0" + } + ], + "database_specific": { + "constraint": "<1.27.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.8" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.8" + } + } + ], + "database_specific": { + "affected_versions": "<1.27.0 || >=2.0.0 <2.0.8" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-005" + } + ], + "credits": [ + { + "name": "Dezs\u0151 Bicz\u00f3", + "contact": [ + "https://www.drupal.org/user/315522" + ] + } + ] +} diff --git a/advisories/apigee_edge/DSA-CONTRIB-2020-028.json b/advisories/apigee_edge/DSA-CONTRIB-2020-028.json deleted file mode 100644 index 51ac4964..00000000 --- a/advisories/apigee_edge/DSA-CONTRIB-2020-028.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2020-028", - "modified": "2023-08-11T17:49:38.000Z", - "published": "2020-07-22T18:48:10.000Z", - "aliases": [], - "details": "The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an \"Apigee Edge Teams\" submodule that provides shared app functionality by allowing developers to be organized into teams.\n\nThe \"Apigee Edge Teams\" submodule has an information disclosure vulnerability. The \"Add team member\" form displays an email autocomplete field which can expose the email addresses of other accounts in the system.\n\nThis vulnerability is mitigated by the fact that to have access to the form, the site must have the Apigee Edge Teams submodule enabled, and the user must have a team role that has the \"Manage team members\" permission. (Note that team roles and permissions are not related to Drupal core roles and permissions).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/apigee_edge" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.12.0" - } - ], - "database_specific": { - "constraint": "<1.12.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.12.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2020-028" - } - ], - "credits": [ - { - "name": "Arlina Espinoza Rhoton", - "contact": [ - "https://www.drupal.org/user/1055344" - ] - } - ] -} diff --git a/advisories/apigee_edge/DSA-CONTRIB-2021-020.json b/advisories/apigee_edge/DSA-CONTRIB-2021-020.json deleted file mode 100644 index 09a4f467..00000000 --- a/advisories/apigee_edge/DSA-CONTRIB-2021-020.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-020", - "modified": "2023-08-11T17:11:13.000Z", - "published": "2021-06-30T16:39:06.000Z", - "aliases": [], - "details": "The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal.\n\nThe module did not properly validate user access for data creation in certain circumstances.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/apigee_edge" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.12.0" - } - ], - "database_specific": { - "constraint": "<1.12.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.12.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-020" - } - ], - "credits": [ - { - "name": "trebde", - "contact": [ - "https://www.drupal.org/user/3629605" - ] - } - ] -} diff --git a/advisories/apigee_edge/DSA-CONTRIB-2022-045.json b/advisories/apigee_edge/DSA-CONTRIB-2022-045.json deleted file mode 100644 index dc22791d..00000000 --- a/advisories/apigee_edge/DSA-CONTRIB-2022-045.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-045", - "modified": "2023-08-10T21:35:00.000Z", - "published": "2022-05-25T17:03:55.000Z", - "aliases": [], - "details": "The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. The developers (user) can view API keys for their respective Apps.\n\nThe module discloses information by allowing attackers to view cached information of API Keys from the browser cache for a limited time frame after the user login on the same computer.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/apigee_edge" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.26.0" - } - ], - "database_specific": { - "constraint": "<1.26.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.3" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.3" - } - } - ], - "database_specific": { - "affected_versions": "<1.26.0 || >=2.0.0 <2.0.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-045" - } - ], - "credits": [ - { - "name": "Dezs\u0151 BICZ\u00d3", - "contact": [ - "https://www.drupal.org/user/315522" - ] - } - ] -} diff --git a/advisories/apigee_edge/DSA-CONTRIB-2023-005.json b/advisories/apigee_edge/DSA-CONTRIB-2023-005.json deleted file mode 100644 index 28e233b7..00000000 --- a/advisories/apigee_edge/DSA-CONTRIB-2023-005.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-005", - "modified": "2023-08-10T14:23:38.000Z", - "published": "2023-02-01T16:13:42.000Z", - "aliases": [], - "details": "The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.\n\nPrevious module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/apigee_edge" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.27.0" - } - ], - "database_specific": { - "constraint": "<1.27.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.8" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.8" - } - } - ], - "database_specific": { - "affected_versions": "<1.27.0 || >=2.0.0 <2.0.8" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-005" - } - ], - "credits": [ - { - "name": "Dezs\u0151 Bicz\u00f3", - "contact": [ - "https://www.drupal.org/user/315522" - ] - } - ] -} diff --git a/advisories/baguettebox/DRUPAL-CONTRIB-2025-034.json b/advisories/baguettebox/DRUPAL-CONTRIB-2025-034.json new file mode 100644 index 00000000..12a32371 --- /dev/null +++ b/advisories/baguettebox/DRUPAL-CONTRIB-2025-034.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-034", + "modified": "2025-05-29T18:24:01.000Z", + "published": "2025-04-16T16:24:49.000Z", + "aliases": [ + "CVE-2025-3733" + ], + "details": "The baguetteBox.js module provides integration with baguetteBox.js library.\n\nThe module doesn't sufficiently sanitize user-supplied text values leading to a cross site scripting vulnerability.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/baguettebox" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.4" + } + ], + "database_specific": { + "constraint": "<2.0.4" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.0.1" + } + ], + "database_specific": { + "constraint": ">=3.0.0 <3.0.1" + } + } + ], + "database_specific": { + "affected_versions": "<2.0.4 || >=3.0.0 <3.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-034" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/baguettebox/DSA-CONTRIB-2025-034.json b/advisories/baguettebox/DSA-CONTRIB-2025-034.json deleted file mode 100644 index 86f40c02..00000000 --- a/advisories/baguettebox/DSA-CONTRIB-2025-034.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-034", - "modified": "2025-05-29T18:24:01.000Z", - "published": "2025-04-16T16:24:49.000Z", - "aliases": [ - "CVE-2025-3733" - ], - "details": "The baguetteBox.js module provides integration with baguetteBox.js library.\n\nThe module doesn't sufficiently sanitize user-supplied text values leading to a cross site scripting vulnerability.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/baguettebox" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.4" - } - ], - "database_specific": { - "constraint": "<2.0.4" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.0" - }, - { - "fixed": "3.0.1" - } - ], - "database_specific": { - "constraint": ">=3.0.0 <3.0.1" - } - } - ], - "database_specific": { - "affected_versions": "<2.0.4 || >=3.0.0 <3.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-034" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/baidu_analytics/DRUPAL-CONTRIB-2018-029.json b/advisories/baidu_analytics/DRUPAL-CONTRIB-2018-029.json new file mode 100644 index 00000000..b0b38807 --- /dev/null +++ b/advisories/baidu_analytics/DRUPAL-CONTRIB-2018-029.json @@ -0,0 +1,47 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-029", + "modified": "2023-08-11T21:34:46.000Z", + "published": "2018-05-23T13:59:35.000Z", + "aliases": [], + "details": "The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: .\n\nThe security team marks all unsupported modules critical by default.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/baidu_analytics" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-029" + } + ], + "credits": [ + { + "name": "Mark Shropshire", + "contact": [ + "https://www.drupal.org/user/14767" + ] + } + ] +} diff --git a/advisories/baidu_analytics/DSA-CONTRIB-2018-029.json b/advisories/baidu_analytics/DSA-CONTRIB-2018-029.json deleted file mode 100644 index 84a85c91..00000000 --- a/advisories/baidu_analytics/DSA-CONTRIB-2018-029.json +++ /dev/null @@ -1,47 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-029", - "modified": "2023-08-11T21:34:46.000Z", - "published": "2018-05-23T13:59:35.000Z", - "aliases": [], - "details": "The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: .\n\nThe security team marks all unsupported modules critical by default.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/baidu_analytics" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-029" - } - ], - "credits": [ - { - "name": "Mark Shropshire", - "contact": [ - "https://www.drupal.org/user/14767" - ] - } - ] -} diff --git a/advisories/bat/DRUPAL-CONTRIB-2019-074.json b/advisories/bat/DRUPAL-CONTRIB-2019-074.json new file mode 100644 index 00000000..164366e3 --- /dev/null +++ b/advisories/bat/DRUPAL-CONTRIB-2019-074.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-074", + "modified": "2023-08-11T18:28:44.000Z", + "published": "2019-10-16T16:09:20.000Z", + "aliases": [], + "details": "The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.\n\nThe routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/bat" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-074" + } + ], + "credits": [ + { + "name": "Jelle Sebreghts", + "contact": [ + "https://www.drupal.org/user/829198" + ] + } + ] +} diff --git a/advisories/bat/DSA-CONTRIB-2019-074.json b/advisories/bat/DSA-CONTRIB-2019-074.json deleted file mode 100644 index d47385c5..00000000 --- a/advisories/bat/DSA-CONTRIB-2019-074.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-074", - "modified": "2023-08-11T18:28:44.000Z", - "published": "2019-10-16T16:09:20.000Z", - "aliases": [], - "details": "The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.\n\nThe routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/bat" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-074" - } - ], - "credits": [ - { - "name": "Jelle Sebreghts", - "contact": [ - "https://www.drupal.org/user/829198" - ] - } - ] -} diff --git a/advisories/better_social_sharing_buttons/DRUPAL-CONTRIB-2023-006.json b/advisories/better_social_sharing_buttons/DRUPAL-CONTRIB-2023-006.json new file mode 100644 index 00000000..9441b822 --- /dev/null +++ b/advisories/better_social_sharing_buttons/DRUPAL-CONTRIB-2023-006.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-006", + "modified": "2023-08-10T14:22:32.000Z", + "published": "2023-03-01T15:15:08.000Z", + "aliases": [], + "details": "This module enables you to add social sharing buttons to a site.\n\nThe module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer blocks\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/better_social_sharing_buttons" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.0.3" + } + ], + "database_specific": { + "constraint": "<4.0.3" + } + } + ], + "database_specific": { + "affected_versions": "<4.0.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-006" + } + ], + "credits": [ + { + "name": "cydave", + "contact": [ + "https://www.drupal.org/user/3751740" + ] + } + ] +} diff --git a/advisories/better_social_sharing_buttons/DSA-CONTRIB-2023-006.json b/advisories/better_social_sharing_buttons/DSA-CONTRIB-2023-006.json deleted file mode 100644 index d59816d0..00000000 --- a/advisories/better_social_sharing_buttons/DSA-CONTRIB-2023-006.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-006", - "modified": "2023-08-10T14:22:32.000Z", - "published": "2023-03-01T15:15:08.000Z", - "aliases": [], - "details": "This module enables you to add social sharing buttons to a site.\n\nThe module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer blocks\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/better_social_sharing_buttons" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4.0.3" - } - ], - "database_specific": { - "constraint": "<4.0.3" - } - } - ], - "database_specific": { - "affected_versions": "<4.0.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-006" - } - ], - "credits": [ - { - "name": "cydave", - "contact": [ - "https://www.drupal.org/user/3751740" - ] - } - ] -} diff --git a/advisories/block_attributes/DRUPAL-CONTRIB-2025-090.json b/advisories/block_attributes/DRUPAL-CONTRIB-2025-090.json new file mode 100644 index 00000000..eebbccbb --- /dev/null +++ b/advisories/block_attributes/DRUPAL-CONTRIB-2025-090.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-090", + "modified": "2025-07-16T16:46:26.000Z", + "published": "2025-07-16T16:46:26.000Z", + "aliases": [ + "CVE-2025-7715" + ], + "details": "This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format.\n\nThe module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as `onmouseover`, `onkeyup`, etc. These attributes can execute JavaScript code when the page is rendered, leading to cross-site scripting (XSS) vulnerabilities.\n\nThis vulnerability is partially mitigated by the requirement to manually add the specific attributes and corresponding JavaScript code to the form after the attribute has been created.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/block_attributes" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.0" + } + ], + "database_specific": { + "constraint": "<1.1.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.1" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.1" + } + } + ], + "database_specific": { + "affected_versions": "<1.1.0 || >=2.0.0 <2.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-090" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/block_attributes/DSA-CONTRIB-2025-090.json b/advisories/block_attributes/DSA-CONTRIB-2025-090.json deleted file mode 100644 index 54833caa..00000000 --- a/advisories/block_attributes/DSA-CONTRIB-2025-090.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-090", - "modified": "2025-07-16T16:46:26.000Z", - "published": "2025-07-16T16:46:26.000Z", - "aliases": [ - "CVE-2025-7715" - ], - "details": "This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format.\n\nThe module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as `onmouseover`, `onkeyup`, etc. These attributes can execute JavaScript code when the page is rendered, leading to cross-site scripting (XSS) vulnerabilities.\n\nThis vulnerability is partially mitigated by the requirement to manually add the specific attributes and corresponding JavaScript code to the form after the attribute has been created.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/block_attributes" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.1.0" - } - ], - "database_specific": { - "constraint": "<1.1.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.1" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.1" - } - } - ], - "database_specific": { - "affected_versions": "<1.1.0 || >=2.0.0 <2.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-090" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/block_class/DRUPAL-CONTRIB-2025-043.json b/advisories/block_class/DRUPAL-CONTRIB-2025-043.json new file mode 100644 index 00000000..68daec63 --- /dev/null +++ b/advisories/block_class/DRUPAL-CONTRIB-2025-043.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-043", + "modified": "2025-04-23T16:59:01.000Z", + "published": "2025-04-23T16:59:01.000Z", + "aliases": [ + "CVE-2025-3902" + ], + "details": "Block Class enables you to add custom attributes to blocks.\n\nThe module did not sufficiently sanitize custom attribute input, allowing for potential XSS attacks when malicious JavaScript was injected as a custom attribute.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer block classes\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/block_class" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.1" + } + ], + "database_specific": { + "constraint": ">=4.0.0 <4.0.1" + } + } + ], + "database_specific": { + "affected_versions": ">=4.0.0 <4.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-043" + } + ], + "credits": [ + { + "name": "Ivo Van Geertruyen (mr.baileys)", + "contact": [ + "https://www.drupal.org/u/mrbaileys" + ] + } + ] +} diff --git a/advisories/block_class/DSA-CONTRIB-2025-043.json b/advisories/block_class/DSA-CONTRIB-2025-043.json deleted file mode 100644 index 450b65ee..00000000 --- a/advisories/block_class/DSA-CONTRIB-2025-043.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-043", - "modified": "2025-04-23T16:59:01.000Z", - "published": "2025-04-23T16:59:01.000Z", - "aliases": [ - "CVE-2025-3902" - ], - "details": "Block Class enables you to add custom attributes to blocks.\n\nThe module did not sufficiently sanitize custom attribute input, allowing for potential XSS attacks when malicious JavaScript was injected as a custom attribute.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer block classes\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/block_class" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "4.0.0" - }, - { - "fixed": "4.0.1" - } - ], - "database_specific": { - "constraint": ">=4.0.0 <4.0.1" - } - } - ], - "database_specific": { - "affected_versions": ">=4.0.0 <4.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-043" - } - ], - "credits": [ - { - "name": "Ivo Van Geertruyen (mr.baileys)", - "contact": [ - "https://www.drupal.org/u/mrbaileys" - ] - } - ] -} diff --git a/advisories/block_content_revision_ui/DRUPAL-CONTRIB-2021-017.json b/advisories/block_content_revision_ui/DRUPAL-CONTRIB-2021-017.json new file mode 100644 index 00000000..01345777 --- /dev/null +++ b/advisories/block_content_revision_ui/DRUPAL-CONTRIB-2021-017.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-017", + "modified": "2023-08-11T17:09:04.000Z", + "published": "2021-06-16T16:15:21.000Z", + "aliases": [], + "details": "This module provides a revision UI to Block Content entities.\n\nThe module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/block_content_revision_ui" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.127.1" + } + ], + "database_specific": { + "constraint": "<2.127.1" + } + } + ], + "database_specific": { + "affected_versions": "<2.127.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-017" + } + ], + "credits": [ + { + "name": "Michael Strelan", + "contact": [ + "https://www.drupal.org/user/314289" + ] + } + ] +} diff --git a/advisories/block_content_revision_ui/DRUPAL-CONTRIB-2021-022.json b/advisories/block_content_revision_ui/DRUPAL-CONTRIB-2021-022.json new file mode 100644 index 00000000..af17933f --- /dev/null +++ b/advisories/block_content_revision_ui/DRUPAL-CONTRIB-2021-022.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-022", + "modified": "2023-08-11T17:12:21.000Z", + "published": "2021-06-30T16:46:21.000Z", + "aliases": [], + "details": "This module provides a revision UI for Block Content entities.\n\nThe module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/block_content_revision_ui" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.127.2" + } + ], + "database_specific": { + "constraint": "<2.127.2" + } + } + ], + "database_specific": { + "affected_versions": "<2.127.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-022" + } + ], + "credits": [ + { + "name": "Adam", + "contact": [ + "https://www.drupal.org/user/1036766" + ] + } + ] +} diff --git a/advisories/block_content_revision_ui/DSA-CONTRIB-2021-017.json b/advisories/block_content_revision_ui/DSA-CONTRIB-2021-017.json deleted file mode 100644 index 851dadb2..00000000 --- a/advisories/block_content_revision_ui/DSA-CONTRIB-2021-017.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-017", - "modified": "2023-08-11T17:09:04.000Z", - "published": "2021-06-16T16:15:21.000Z", - "aliases": [], - "details": "This module provides a revision UI to Block Content entities.\n\nThe module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/block_content_revision_ui" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.127.1" - } - ], - "database_specific": { - "constraint": "<2.127.1" - } - } - ], - "database_specific": { - "affected_versions": "<2.127.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-017" - } - ], - "credits": [ - { - "name": "Michael Strelan", - "contact": [ - "https://www.drupal.org/user/314289" - ] - } - ] -} diff --git a/advisories/block_content_revision_ui/DSA-CONTRIB-2021-022.json b/advisories/block_content_revision_ui/DSA-CONTRIB-2021-022.json deleted file mode 100644 index f22cb60a..00000000 --- a/advisories/block_content_revision_ui/DSA-CONTRIB-2021-022.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-022", - "modified": "2023-08-11T17:12:21.000Z", - "published": "2021-06-30T16:46:21.000Z", - "aliases": [], - "details": "This module provides a revision UI for Block Content entities.\n\nThe module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/block_content_revision_ui" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.127.2" - } - ], - "database_specific": { - "constraint": "<2.127.2" - } - } - ], - "database_specific": { - "affected_versions": "<2.127.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-022" - } - ], - "credits": [ - { - "name": "Adam", - "contact": [ - "https://www.drupal.org/user/1036766" - ] - } - ] -} diff --git a/advisories/block_permissions/DRUPAL-CONTRIB-2024-046.json b/advisories/block_permissions/DRUPAL-CONTRIB-2024-046.json new file mode 100644 index 00000000..92f63940 --- /dev/null +++ b/advisories/block_permissions/DRUPAL-CONTRIB-2024-046.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-046", + "modified": "2025-02-20T19:26:30.000Z", + "published": "2024-10-09T15:48:11.000Z", + "aliases": [ + "CVE-2024-13282" + ], + "details": "This module enables you to manage blocks from specific modules in the specific themes.\n\nThe module doesn't sufficiently check permissions under the scenario when a block is added using the form \"/admin/structure/block/add/{plugin\\_id}/{theme}\" (route \"block.admin\\_add\"). The attacker can add the block to the theme where they can't manage blocks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer blocks provided by [provider]\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/block_permissions" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": ">=1.0.0 <1.2.0" + } + } + ], + "database_specific": { + "affected_versions": ">=1.0.0 <1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-046" + } + ], + "credits": [ + { + "name": "Francesco Sardara", + "contact": [ + "https://www.drupal.org/user/2353864" + ] + } + ] +} diff --git a/advisories/block_permissions/DSA-CONTRIB-2024-046.json b/advisories/block_permissions/DSA-CONTRIB-2024-046.json deleted file mode 100644 index d55ca5d8..00000000 --- a/advisories/block_permissions/DSA-CONTRIB-2024-046.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-046", - "modified": "2025-02-20T19:26:30.000Z", - "published": "2024-10-09T15:48:11.000Z", - "aliases": [ - "CVE-2024-13282" - ], - "details": "This module enables you to manage blocks from specific modules in the specific themes.\n\nThe module doesn't sufficiently check permissions under the scenario when a block is added using the form \"/admin/structure/block/add/{plugin\\_id}/{theme}\" (route \"block.admin\\_add\"). The attacker can add the block to the theme where they can't manage blocks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer blocks provided by [provider]\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/block_permissions" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.0.0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": ">=1.0.0 <1.2.0" - } - } - ], - "database_specific": { - "affected_versions": ">=1.0.0 <1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-046" - } - ], - "credits": [ - { - "name": "Francesco Sardara", - "contact": [ - "https://www.drupal.org/user/2353864" - ] - } - ] -} diff --git a/advisories/bookable_calendar/DRUPAL-CONTRIB-2025-070.json b/advisories/bookable_calendar/DRUPAL-CONTRIB-2025-070.json new file mode 100644 index 00000000..e1b823a9 --- /dev/null +++ b/advisories/bookable_calendar/DRUPAL-CONTRIB-2025-070.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-070", + "modified": "2025-05-29T18:17:25.000Z", + "published": "2025-05-28T17:41:20.000Z", + "aliases": [ + "CVE-2025-48916" + ], + "details": "This module enables you to setup a repeating date rule that users can \"book\" different dates, allowing you to let users register for a variety of different things like conference rooms or guitar lessons.\n\nThis module has a permission of \"view booking\" and \"view booking contact\" which allows you to view them regardless of whether you own them or not. Due to bad naming of the permissions it's likely admins have configured those to users that shouldn't have them.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"view booking\" or \"view booking contact\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/bookable_calendar" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.13" + } + ], + "database_specific": { + "constraint": "<2.2.13" + } + } + ], + "database_specific": { + "affected_versions": "<2.2.13" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-070" + } + ], + "credits": [ + { + "name": "Ludo Hartzema (absoludo)", + "contact": [ + "https://www.drupal.org/u/absoludo" + ] + } + ] +} diff --git a/advisories/bookable_calendar/DSA-CONTRIB-2025-070.json b/advisories/bookable_calendar/DSA-CONTRIB-2025-070.json deleted file mode 100644 index f7b3d799..00000000 --- a/advisories/bookable_calendar/DSA-CONTRIB-2025-070.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-070", - "modified": "2025-05-29T18:17:25.000Z", - "published": "2025-05-28T17:41:20.000Z", - "aliases": [ - "CVE-2025-48916" - ], - "details": "This module enables you to setup a repeating date rule that users can \"book\" different dates, allowing you to let users register for a variety of different things like conference rooms or guitar lessons.\n\nThis module has a permission of \"view booking\" and \"view booking contact\" which allows you to view them regardless of whether you own them or not. Due to bad naming of the permissions it's likely admins have configured those to users that shouldn't have them.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"view booking\" or \"view booking contact\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/bookable_calendar" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.13" - } - ], - "database_specific": { - "constraint": "<2.2.13" - } - } - ], - "database_specific": { - "affected_versions": "<2.2.13" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-070" - } - ], - "credits": [ - { - "name": "Ludo Hartzema (absoludo)", - "contact": [ - "https://www.drupal.org/u/absoludo" - ] - } - ] -} diff --git a/advisories/bootstrap/DRUPAL-CONTRIB-2018-074.json b/advisories/bootstrap/DRUPAL-CONTRIB-2018-074.json new file mode 100644 index 00000000..1b410095 --- /dev/null +++ b/advisories/bootstrap/DRUPAL-CONTRIB-2018-074.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-074", + "modified": "2023-08-11T21:15:17.000Z", + "published": "2018-11-28T17:32:56.000Z", + "aliases": [], + "details": "This base theme bridges the gap between Drupal and the Bootstrap Framework.\n\nThe theme doesn't sufficiently filter valid targets under the scenario of opening modals, popovers, and tooltips.\n\nThis vulnerability is mitigated by the fact that an attacker must already have the ability to either:\n\n1. Edit/save custom content that supplies a value for the `data-target` attribute by injecting malicious code.\n2. Inject custom markup onto the page that further exploits the `data-target` attribute by injecting malicious code. This method of attack is highly unlikely if they already have this level of access.\n\nNote: while the base-theme does not provide either of these opportunities to do this out-of-the-box; a custom sub-theme may, however, be susceptible if it didn't sanitize or filter user provided input for XSS properly.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/bootstrap" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.14.0" + } + ], + "database_specific": { + "constraint": "<3.14.0" + } + } + ], + "database_specific": { + "affected_versions": "<3.14.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-074" + } + ], + "credits": [ + { + "name": "Gomez_in_the_South", + "contact": [ + "https://www.drupal.org/user/153735" + ] + } + ] +} diff --git a/advisories/bootstrap/DSA-CONTRIB-2018-074.json b/advisories/bootstrap/DSA-CONTRIB-2018-074.json deleted file mode 100644 index c1cc4ce5..00000000 --- a/advisories/bootstrap/DSA-CONTRIB-2018-074.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-074", - "modified": "2023-08-11T21:15:17.000Z", - "published": "2018-11-28T17:32:56.000Z", - "aliases": [], - "details": "This base theme bridges the gap between Drupal and the Bootstrap Framework.\n\nThe theme doesn't sufficiently filter valid targets under the scenario of opening modals, popovers, and tooltips.\n\nThis vulnerability is mitigated by the fact that an attacker must already have the ability to either:\n\n1. Edit/save custom content that supplies a value for the `data-target` attribute by injecting malicious code.\n2. Inject custom markup onto the page that further exploits the `data-target` attribute by injecting malicious code. This method of attack is highly unlikely if they already have this level of access.\n\nNote: while the base-theme does not provide either of these opportunities to do this out-of-the-box; a custom sub-theme may, however, be susceptible if it didn't sanitize or filter user provided input for XSS properly.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/bootstrap" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.14.0" - } - ], - "database_specific": { - "constraint": "<3.14.0" - } - } - ], - "database_specific": { - "affected_versions": "<3.14.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-074" - } - ], - "credits": [ - { - "name": "Gomez_in_the_South", - "contact": [ - "https://www.drupal.org/user/153735" - ] - } - ] -} diff --git a/advisories/bootstrap_site_alert/DRUPAL-CONTRIB-2025-042.json b/advisories/bootstrap_site_alert/DRUPAL-CONTRIB-2025-042.json new file mode 100644 index 00000000..4437f1d6 --- /dev/null +++ b/advisories/bootstrap_site_alert/DRUPAL-CONTRIB-2025-042.json @@ -0,0 +1,72 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-042", + "modified": "2025-04-23T16:58:51.000Z", + "published": "2025-04-23T16:58:51.000Z", + "aliases": [ + "CVE-2025-3901" + ], + "details": "This module enables you to put a site wide bootstrap themed alert message on the top of every page.\n\nThe module doesn't sufficiently filter text input when leading to a possible XSS attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer bootstrap site alerts\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/bootstrap_site_alert" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.0" + } + ], + "database_specific": { + "constraint": "<1.13.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.0.4" + } + ], + "database_specific": { + "constraint": ">=3.0.0 <3.0.4" + } + } + ], + "database_specific": { + "affected_versions": "<1.13.0 || >=3.0.0 <3.0.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-042" + } + ], + "credits": [ + { + "name": "Elijah Byrd (elibyrd)", + "contact": [ + "https://www.drupal.org/u/elibyrd" + ] + }, + { + "name": "Mitch Portier (arkener)", + "contact": [ + "https://www.drupal.org/u/arkener" + ] + } + ] +} diff --git a/advisories/bootstrap_site_alert/DSA-CONTRIB-2025-042.json b/advisories/bootstrap_site_alert/DSA-CONTRIB-2025-042.json deleted file mode 100644 index 735578ab..00000000 --- a/advisories/bootstrap_site_alert/DSA-CONTRIB-2025-042.json +++ /dev/null @@ -1,72 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-042", - "modified": "2025-04-23T16:58:51.000Z", - "published": "2025-04-23T16:58:51.000Z", - "aliases": [ - "CVE-2025-3901" - ], - "details": "This module enables you to put a site wide bootstrap themed alert message on the top of every page.\n\nThe module doesn't sufficiently filter text input when leading to a possible XSS attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer bootstrap site alerts\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/bootstrap_site_alert" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.13.0" - } - ], - "database_specific": { - "constraint": "<1.13.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.0" - }, - { - "fixed": "3.0.4" - } - ], - "database_specific": { - "constraint": ">=3.0.0 <3.0.4" - } - } - ], - "database_specific": { - "affected_versions": "<1.13.0 || >=3.0.0 <3.0.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-042" - } - ], - "credits": [ - { - "name": "Elijah Byrd (elibyrd)", - "contact": [ - "https://www.drupal.org/u/elibyrd" - ] - }, - { - "name": "Mitch Portier (arkener)", - "contact": [ - "https://www.drupal.org/u/arkener" - ] - } - ] -} diff --git a/advisories/browser_back_button/DRUPAL-CONTRIB-2024-072.json b/advisories/browser_back_button/DRUPAL-CONTRIB-2024-072.json new file mode 100644 index 00000000..d2e7d893 --- /dev/null +++ b/advisories/browser_back_button/DRUPAL-CONTRIB-2024-072.json @@ -0,0 +1,58 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-072", + "modified": "2025-02-20T20:08:00.000Z", + "published": "2024-12-11T07:44:40.000Z", + "aliases": [ + "CVE-2024-13308" + ], + "details": "This module provides a block that renders a link providing the functionality of a browser's back button.\n\nThe module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer blocks\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/browser_back_button" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "2.0.2" + } + ], + "database_specific": { + "constraint": ">=1.0.0 <2.0.2" + } + } + ], + "database_specific": { + "affected_versions": ">=1.0.0 <2.0.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-072" + } + ], + "credits": [ + { + "name": "Mitch Portier", + "contact": [ + "https://www.drupal.org/user/2284182" + ] + }, + { + "name": "Patrick Fey", + "contact": [ + "https://www.drupal.org/user/998680" + ] + } + ] +} diff --git a/advisories/browser_back_button/DSA-CONTRIB-2024-072.json b/advisories/browser_back_button/DSA-CONTRIB-2024-072.json deleted file mode 100644 index 310e0ec4..00000000 --- a/advisories/browser_back_button/DSA-CONTRIB-2024-072.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-072", - "modified": "2025-02-20T20:08:00.000Z", - "published": "2024-12-11T07:44:40.000Z", - "aliases": [ - "CVE-2024-13308" - ], - "details": "This module provides a block that renders a link providing the functionality of a browser's back button.\n\nThe module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer blocks\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/browser_back_button" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.0.0" - }, - { - "fixed": "2.0.2" - } - ], - "database_specific": { - "constraint": ">=1.0.0 <2.0.2" - } - } - ], - "database_specific": { - "affected_versions": ">=1.0.0 <2.0.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-072" - } - ], - "credits": [ - { - "name": "Mitch Portier", - "contact": [ - "https://www.drupal.org/user/2284182" - ] - }, - { - "name": "Patrick Fey", - "contact": [ - "https://www.drupal.org/user/998680" - ] - } - ] -} diff --git a/advisories/bugsnag/DRUPAL-CONTRIB-2019-081.json b/advisories/bugsnag/DRUPAL-CONTRIB-2019-081.json new file mode 100644 index 00000000..5493c8f6 --- /dev/null +++ b/advisories/bugsnag/DRUPAL-CONTRIB-2019-081.json @@ -0,0 +1,40 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-081", + "modified": "2023-08-11T18:22:08.000Z", + "published": "2019-11-13T18:04:58.000Z", + "aliases": [], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/bugsnag" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-081" + } + ], + "credits": [] +} diff --git a/advisories/bugsnag/DSA-CONTRIB-2019-081.json b/advisories/bugsnag/DSA-CONTRIB-2019-081.json deleted file mode 100644 index f080dd50..00000000 --- a/advisories/bugsnag/DSA-CONTRIB-2019-081.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-081", - "modified": "2023-08-11T18:22:08.000Z", - "published": "2019-11-13T18:04:58.000Z", - "aliases": [], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/bugsnag" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-081" - } - ], - "credits": [] -} diff --git a/advisories/business_responsive_theme/DRUPAL-CONTRIB-2022-013.json b/advisories/business_responsive_theme/DRUPAL-CONTRIB-2022-013.json new file mode 100644 index 00000000..ab75413a --- /dev/null +++ b/advisories/business_responsive_theme/DRUPAL-CONTRIB-2022-013.json @@ -0,0 +1,43 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-013", + "modified": "2024-01-25T20:19:13.000Z", + "published": "2022-01-25T18:37:38.000Z", + "aliases": [], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/business_responsive_theme" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.3" + } + ], + "database_specific": { + "constraint": "<2.0.3" + } + } + ], + "database_specific": { + "affected_versions": "<2.0.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-013" + } + ], + "credits": [] +} diff --git a/advisories/business_responsive_theme/DSA-CONTRIB-2022-013.json b/advisories/business_responsive_theme/DSA-CONTRIB-2022-013.json deleted file mode 100644 index 4d9b3185..00000000 --- a/advisories/business_responsive_theme/DSA-CONTRIB-2022-013.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-013", - "modified": "2024-01-25T20:19:13.000Z", - "published": "2022-01-25T18:37:38.000Z", - "aliases": [], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/business_responsive_theme" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.3" - } - ], - "database_specific": { - "constraint": "<2.0.3" - } - } - ], - "database_specific": { - "affected_versions": "<2.0.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-013" - } - ], - "credits": [] -} diff --git a/advisories/cache_utility/DRUPAL-CONTRIB-2025-019.json b/advisories/cache_utility/DRUPAL-CONTRIB-2025-019.json new file mode 100644 index 00000000..9add0008 --- /dev/null +++ b/advisories/cache_utility/DRUPAL-CONTRIB-2025-019.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-019", + "modified": "2025-03-31T22:06:12.000Z", + "published": "2025-02-26T18:35:11.000Z", + "aliases": [ + "CVE-2025-31690" + ], + "details": "The Cache Utility module provides an ability to view status and flush various caches.\n\nThe module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when flushing a cache.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cache_utility" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.1" + } + ], + "database_specific": { + "constraint": "<1.2.1" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-019" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/cache_utility/DSA-CONTRIB-2025-019.json b/advisories/cache_utility/DSA-CONTRIB-2025-019.json deleted file mode 100644 index 50288ea3..00000000 --- a/advisories/cache_utility/DSA-CONTRIB-2025-019.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-019", - "modified": "2025-03-31T22:06:12.000Z", - "published": "2025-02-26T18:35:11.000Z", - "aliases": [ - "CVE-2025-31690" - ], - "details": "The Cache Utility module provides an ability to view status and flush various caches.\n\nThe module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when flushing a cache.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cache_utility" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.1" - } - ], - "database_specific": { - "constraint": "<1.2.1" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-019" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/civicccookiecontrol/DRUPAL-CONTRIB-2023-021.json b/advisories/civicccookiecontrol/DRUPAL-CONTRIB-2023-021.json new file mode 100644 index 00000000..4f48e709 --- /dev/null +++ b/advisories/civicccookiecontrol/DRUPAL-CONTRIB-2023-021.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-021", + "modified": "2023-08-10T13:53:57.000Z", + "published": "2023-06-21T17:03:14.000Z", + "aliases": [], + "details": "CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation.\n\nThe Civic GovUK Cookie Control module does not sufficiently sanitize the configuration resulting in a Cross-Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that the attacker must have a role with the \"Administer Civic Cookie Control\" permission.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/civicccookiecontrol" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.4.13" + } + ], + "database_specific": { + "constraint": "<4.4.13" + } + } + ], + "database_specific": { + "affected_versions": "<4.4.13" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-021" + } + ], + "credits": [ + { + "name": "Mitch Portier", + "contact": [ + "https://www.drupal.org/user/2284182" + ] + } + ] +} diff --git a/advisories/civicccookiecontrol/DSA-CONTRIB-2023-021.json b/advisories/civicccookiecontrol/DSA-CONTRIB-2023-021.json deleted file mode 100644 index e69bc0a3..00000000 --- a/advisories/civicccookiecontrol/DSA-CONTRIB-2023-021.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-021", - "modified": "2023-08-10T13:53:57.000Z", - "published": "2023-06-21T17:03:14.000Z", - "aliases": [], - "details": "CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation.\n\nThe Civic GovUK Cookie Control module does not sufficiently sanitize the configuration resulting in a Cross-Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that the attacker must have a role with the \"Administer Civic Cookie Control\" permission.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/civicccookiecontrol" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4.4.13" - } - ], - "database_specific": { - "constraint": "<4.4.13" - } - } - ], - "database_specific": { - "affected_versions": "<4.4.13" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-021" - } - ], - "credits": [ - { - "name": "Mitch Portier", - "contact": [ - "https://www.drupal.org/user/2284182" - ] - } - ] -} diff --git a/advisories/ckeditor5_youtube/DRUPAL-CONTRIB-2025-081.json b/advisories/ckeditor5_youtube/DRUPAL-CONTRIB-2025-081.json new file mode 100644 index 00000000..4a53ff76 --- /dev/null +++ b/advisories/ckeditor5_youtube/DRUPAL-CONTRIB-2025-081.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-081", + "modified": "2025-06-26T18:17:29.000Z", + "published": "2025-06-25T18:42:06.000Z", + "aliases": [ + "CVE-2025-6674" + ], + "details": "The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor.\n\nThe module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading to a Cross-site Scripting (XSS) vulnerabiity. \nThis vulnerability is mitigated by the fact that an attacker must have a role with necessary permissions to use CKEditor Youtube embed button.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/ckeditor5_youtube" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.4" + } + ], + "database_specific": { + "constraint": "<1.0.4" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-081" + } + ], + "credits": [ + { + "name": "nico.b", + "contact": [ + "https://www.drupal.org/u/nicob" + ] + } + ] +} diff --git a/advisories/ckeditor5_youtube/DSA-CONTRIB-2025-081.json b/advisories/ckeditor5_youtube/DSA-CONTRIB-2025-081.json deleted file mode 100644 index 4396a309..00000000 --- a/advisories/ckeditor5_youtube/DSA-CONTRIB-2025-081.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-081", - "modified": "2025-06-26T18:17:29.000Z", - "published": "2025-06-25T18:42:06.000Z", - "aliases": [ - "CVE-2025-6674" - ], - "details": "The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor.\n\nThe module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading to a Cross-site Scripting (XSS) vulnerabiity. \nThis vulnerability is mitigated by the fact that an attacker must have a role with necessary permissions to use CKEditor Youtube embed button.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/ckeditor5_youtube" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.4" - } - ], - "database_specific": { - "constraint": "<1.0.4" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-081" - } - ], - "credits": [ - { - "name": "nico.b", - "contact": [ - "https://www.drupal.org/u/nicob" - ] - } - ] -} diff --git a/advisories/ckeditor_lts/DRUPAL-CONTRIB-2024-009.json b/advisories/ckeditor_lts/DRUPAL-CONTRIB-2024-009.json new file mode 100644 index 00000000..06033c0e --- /dev/null +++ b/advisories/ckeditor_lts/DRUPAL-CONTRIB-2024-009.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-009", + "modified": "2025-02-20T18:37:01.000Z", + "published": "2024-02-14T19:31:10.000Z", + "aliases": [ + "CVE-2024-13245" + ], + "details": "The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a [security update](https://ckeditor.com/cke4/release/CKEditor-4.24.0-LTS) that on certain configurations may impact the Drupal module that bundles and integrates this code.\n\nThe vulnerability is mitigated by the fact it requires:\n\n1. [full-page editing](https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html) mode is enabled\n2. or CDATA elements in Advanced Content Filtering configuration (defaults to script and style elements) are enabled.\n3. An attacker must have a permission with access to the CKEditor instance.\n\nFor more information, see CKEditor's security advisory: \n[CVE-2024-24815](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm): Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/ckeditor_lts" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "1.0.1" + } + ], + "database_specific": { + "constraint": ">=1.0.0 <1.0.1" + } + } + ], + "database_specific": { + "affected_versions": ">=1.0.0 <1.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-009" + } + ], + "credits": [ + { + "name": "Juraj Nemec", + "contact": [ + "https://www.drupal.org/user/272316" + ] + } + ] +} diff --git a/advisories/ckeditor_lts/DSA-CONTRIB-2024-009.json b/advisories/ckeditor_lts/DSA-CONTRIB-2024-009.json deleted file mode 100644 index 364adc83..00000000 --- a/advisories/ckeditor_lts/DSA-CONTRIB-2024-009.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-009", - "modified": "2025-02-20T18:37:01.000Z", - "published": "2024-02-14T19:31:10.000Z", - "aliases": [ - "CVE-2024-13245" - ], - "details": "The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a [security update](https://ckeditor.com/cke4/release/CKEditor-4.24.0-LTS) that on certain configurations may impact the Drupal module that bundles and integrates this code.\n\nThe vulnerability is mitigated by the fact it requires:\n\n1. [full-page editing](https://ckeditor.com/docs/ckeditor4/latest/features/fullpage.html) mode is enabled\n2. or CDATA elements in Advanced Content Filtering configuration (defaults to script and style elements) are enabled.\n3. An attacker must have a permission with access to the CKEditor instance.\n\nFor more information, see CKEditor's security advisory: \n[CVE-2024-24815](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm): Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/ckeditor_lts" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.0.0" - }, - { - "fixed": "1.0.1" - } - ], - "database_specific": { - "constraint": ">=1.0.0 <1.0.1" - } - } - ], - "database_specific": { - "affected_versions": ">=1.0.0 <1.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-009" - } - ], - "credits": [ - { - "name": "Juraj Nemec", - "contact": [ - "https://www.drupal.org/user/272316" - ] - } - ] -} diff --git a/advisories/ckeditor_uploadimage/DRUPAL-CONTRIB-2018-014.json b/advisories/ckeditor_uploadimage/DRUPAL-CONTRIB-2018-014.json new file mode 100644 index 00000000..c48b4076 --- /dev/null +++ b/advisories/ckeditor_uploadimage/DRUPAL-CONTRIB-2018-014.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-014", + "modified": "2023-08-11T21:43:18.000Z", + "published": "2018-02-21T19:04:59.000Z", + "aliases": [], + "details": "This module enables you to drag and drop or paste images into CKEditor. \nThe module does not sufficiently verify users permissions, which leads to anonymous users being able to upload files to the server.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/ckeditor_uploadimage" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.0" + } + ], + "database_specific": { + "constraint": "<1.5.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.5.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-014" + } + ], + "credits": [ + { + "name": "Jean-Francois Hovinne", + "contact": [ + "https://www.drupal.org/user/77723" + ] + } + ] +} diff --git a/advisories/ckeditor_uploadimage/DSA-CONTRIB-2018-014.json b/advisories/ckeditor_uploadimage/DSA-CONTRIB-2018-014.json deleted file mode 100644 index cdbd081d..00000000 --- a/advisories/ckeditor_uploadimage/DSA-CONTRIB-2018-014.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-014", - "modified": "2023-08-11T21:43:18.000Z", - "published": "2018-02-21T19:04:59.000Z", - "aliases": [], - "details": "This module enables you to drag and drop or paste images into CKEditor. \nThe module does not sufficiently verify users permissions, which leads to anonymous users being able to upload files to the server.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/ckeditor_uploadimage" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.5.0" - } - ], - "database_specific": { - "constraint": "<1.5.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.5.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-014" - } - ], - "credits": [ - { - "name": "Jean-Francois Hovinne", - "contact": [ - "https://www.drupal.org/user/77723" - ] - } - ] -} diff --git a/advisories/cleantalk/DRUPAL-CONTRIB-2019-010.json b/advisories/cleantalk/DRUPAL-CONTRIB-2019-010.json new file mode 100644 index 00000000..788a7adb --- /dev/null +++ b/advisories/cleantalk/DRUPAL-CONTRIB-2019-010.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-010", + "modified": "2023-08-11T19:00:18.000Z", + "published": "2019-01-23T18:22:41.000Z", + "aliases": [], + "details": "Anti-spam module by CleanTalk to protect your Drupal sites from spambot registration and spam comments publications thru comment and contact forms.\n\nThis module does not sufficiently filter submitted content in certain circumstances.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cleantalk" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.7.0" + } + ], + "database_specific": { + "constraint": "<2.7.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.7.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-010" + } + ], + "credits": [ + { + "name": "Michael Prasuhn", + "contact": [ + "https://www.drupal.org/user/62496" + ] + } + ] +} diff --git a/advisories/cleantalk/DRUPAL-CONTRIB-2022-032.json b/advisories/cleantalk/DRUPAL-CONTRIB-2022-032.json new file mode 100644 index 00000000..e7b029a7 --- /dev/null +++ b/advisories/cleantalk/DRUPAL-CONTRIB-2022-032.json @@ -0,0 +1,70 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-032", + "modified": "2023-08-10T21:41:21.000Z", + "published": "2022-03-30T18:23:29.000Z", + "aliases": [], + "details": "This module provides integration with the CleanTalk spam protection service.\n\nThe module does not properly filter data in certain circumstances.\n\n**Update: 2022-03-31 - fix release node links**", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cleantalk" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.15.0" + } + ], + "database_specific": { + "constraint": "<4.15.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.21" + } + ], + "database_specific": { + "constraint": ">=9.1.0 <9.1.21" + } + } + ], + "database_specific": { + "affected_versions": "<4.15.0 || >=9.1.0 <9.1.21" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-032" + } + ], + "credits": [ + { + "name": "Glomberg", + "contact": [ + "https://www.drupal.org/user/3624869" + ] + }, + { + "name": "Heine", + "contact": [ + "https://www.drupal.org/user/17943" + ] + } + ] +} diff --git a/advisories/cleantalk/DSA-CONTRIB-2019-010.json b/advisories/cleantalk/DSA-CONTRIB-2019-010.json deleted file mode 100644 index 12bc8eaf..00000000 --- a/advisories/cleantalk/DSA-CONTRIB-2019-010.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-010", - "modified": "2023-08-11T19:00:18.000Z", - "published": "2019-01-23T18:22:41.000Z", - "aliases": [], - "details": "Anti-spam module by CleanTalk to protect your Drupal sites from spambot registration and spam comments publications thru comment and contact forms.\n\nThis module does not sufficiently filter submitted content in certain circumstances.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cleantalk" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.7.0" - } - ], - "database_specific": { - "constraint": "<2.7.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.7.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-010" - } - ], - "credits": [ - { - "name": "Michael Prasuhn", - "contact": [ - "https://www.drupal.org/user/62496" - ] - } - ] -} diff --git a/advisories/cleantalk/DSA-CONTRIB-2022-032.json b/advisories/cleantalk/DSA-CONTRIB-2022-032.json deleted file mode 100644 index c18f2475..00000000 --- a/advisories/cleantalk/DSA-CONTRIB-2022-032.json +++ /dev/null @@ -1,70 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-032", - "modified": "2023-08-10T21:41:21.000Z", - "published": "2022-03-30T18:23:29.000Z", - "aliases": [], - "details": "This module provides integration with the CleanTalk spam protection service.\n\nThe module does not properly filter data in certain circumstances.\n\n**Update: 2022-03-31 - fix release node links**", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cleantalk" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4.15.0" - } - ], - "database_specific": { - "constraint": "<4.15.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.21" - } - ], - "database_specific": { - "constraint": ">=9.1.0 <9.1.21" - } - } - ], - "database_specific": { - "affected_versions": "<4.15.0 || >=9.1.0 <9.1.21" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-032" - } - ], - "credits": [ - { - "name": "Glomberg", - "contact": [ - "https://www.drupal.org/user/3624869" - ] - }, - { - "name": "Heine", - "contact": [ - "https://www.drupal.org/user/17943" - ] - } - ] -} diff --git a/advisories/coffee/DRUPAL-CONTRIB-2024-011.json b/advisories/coffee/DRUPAL-CONTRIB-2024-011.json new file mode 100644 index 00000000..23a46a76 --- /dev/null +++ b/advisories/coffee/DRUPAL-CONTRIB-2024-011.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-011", + "modified": "2025-02-20T19:10:16.000Z", + "published": "2024-02-28T18:14:40.000Z", + "aliases": [ + "CVE-2024-13247" + ], + "details": "The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.\n\nThe module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing a XSS vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"Administer menus and menu links\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/coffee" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.0" + } + ], + "database_specific": { + "constraint": "<1.4.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.4.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-011" + } + ], + "credits": [ + { + "name": "Patrick Fey", + "contact": [ + "https://www.drupal.org/user/998680" + ] + } + ] +} diff --git a/advisories/coffee/DSA-CONTRIB-2024-011.json b/advisories/coffee/DSA-CONTRIB-2024-011.json deleted file mode 100644 index 4b59437b..00000000 --- a/advisories/coffee/DSA-CONTRIB-2024-011.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-011", - "modified": "2025-02-20T19:10:16.000Z", - "published": "2024-02-28T18:14:40.000Z", - "aliases": [ - "CVE-2024-13247" - ], - "details": "The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.\n\nThe module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing a XSS vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"Administer menus and menu links\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/coffee" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.4.0" - } - ], - "database_specific": { - "constraint": "<1.4.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.4.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-011" - } - ], - "credits": [ - { - "name": "Patrick Fey", - "contact": [ - "https://www.drupal.org/user/998680" - ] - } - ] -} diff --git a/advisories/cog/DRUPAL-CONTRIB-2022-018.json b/advisories/cog/DRUPAL-CONTRIB-2022-018.json new file mode 100644 index 00000000..d18b8d90 --- /dev/null +++ b/advisories/cog/DRUPAL-CONTRIB-2022-018.json @@ -0,0 +1,40 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-018", + "modified": "2023-08-11T13:46:46.000Z", + "published": "2022-01-25T18:39:50.000Z", + "aliases": [], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cog" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-018" + } + ], + "credits": [] +} diff --git a/advisories/cog/DSA-CONTRIB-2022-018.json b/advisories/cog/DSA-CONTRIB-2022-018.json deleted file mode 100644 index a240110b..00000000 --- a/advisories/cog/DSA-CONTRIB-2022-018.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-018", - "modified": "2023-08-11T13:46:46.000Z", - "published": "2022-01-25T18:39:50.000Z", - "aliases": [], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cog" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-018" - } - ], - "credits": [] -} diff --git a/advisories/colorbox/DRUPAL-CONTRIB-2025-041.json b/advisories/colorbox/DRUPAL-CONTRIB-2025-041.json new file mode 100644 index 00000000..2318c8d1 --- /dev/null +++ b/advisories/colorbox/DRUPAL-CONTRIB-2025-041.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-041", + "modified": "2025-05-29T18:23:44.000Z", + "published": "2025-04-23T16:58:39.000Z", + "aliases": [ + "CVE-2025-3900" + ], + "details": "Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page.\n\nThe Colorbox module doesn't sufficiently sanitize data attributes before opening modals.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/colorbox" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.3" + } + ], + "database_specific": { + "constraint": "<2.1.3" + } + } + ], + "database_specific": { + "affected_versions": "<2.1.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-041" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/colorbox/DSA-CONTRIB-2025-041.json b/advisories/colorbox/DSA-CONTRIB-2025-041.json deleted file mode 100644 index 8419f978..00000000 --- a/advisories/colorbox/DSA-CONTRIB-2025-041.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-041", - "modified": "2025-05-29T18:23:44.000Z", - "published": "2025-04-23T16:58:39.000Z", - "aliases": [ - "CVE-2025-3900" - ], - "details": "Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page.\n\nThe Colorbox module doesn't sufficiently sanitize data attributes before opening modals.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/colorbox" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.1.3" - } - ], - "database_specific": { - "constraint": "<2.1.3" - } - } - ], - "database_specific": { - "affected_versions": "<2.1.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-041" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/colorbox_node/DRUPAL-CONTRIB-2022-030.json b/advisories/colorbox_node/DRUPAL-CONTRIB-2022-030.json new file mode 100644 index 00000000..a441cc03 --- /dev/null +++ b/advisories/colorbox_node/DRUPAL-CONTRIB-2022-030.json @@ -0,0 +1,40 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-030", + "modified": "2023-08-10T21:37:13.000Z", + "published": "2022-03-23T16:36:10.000Z", + "aliases": [], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: \n\n*This module was unsupported on 2022-01-26, however, the SA was missed in publishing them at that time.*", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/colorbox_node" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-030" + } + ], + "credits": [] +} diff --git a/advisories/colorbox_node/DSA-CONTRIB-2022-030.json b/advisories/colorbox_node/DSA-CONTRIB-2022-030.json deleted file mode 100644 index f32e3b77..00000000 --- a/advisories/colorbox_node/DSA-CONTRIB-2022-030.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-030", - "modified": "2023-08-10T21:37:13.000Z", - "published": "2022-03-23T16:36:10.000Z", - "aliases": [], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: \n\n*This module was unsupported on 2022-01-26, however, the SA was missed in publishing them at that time.*", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/colorbox_node" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-030" - } - ], - "credits": [] -} diff --git a/advisories/commerce/DRUPAL-CONTRIB-2018-057.json b/advisories/commerce/DRUPAL-CONTRIB-2018-057.json new file mode 100644 index 00000000..ca674af6 --- /dev/null +++ b/advisories/commerce/DRUPAL-CONTRIB-2018-057.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-057", + "modified": "2023-08-11T21:25:35.000Z", + "published": "2018-08-29T16:26:33.000Z", + "aliases": [], + "details": "This module enables you to build eCommerce websites and applications with Drupal.\n\nThe module doesn't sufficiently check access for some of its entity types.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/commerce" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.9.0" + } + ], + "database_specific": { + "constraint": "<2.9.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.9.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-057" + } + ], + "credits": [ + { + "name": "Samuel Mortenson", + "contact": [ + "https://www.drupal.org/user/2582268" + ] + } + ] +} diff --git a/advisories/commerce/DRUPAL-CONTRIB-2020-020.json b/advisories/commerce/DRUPAL-CONTRIB-2020-020.json new file mode 100644 index 00000000..85d18a73 --- /dev/null +++ b/advisories/commerce/DRUPAL-CONTRIB-2020-020.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2020-020", + "modified": "2023-08-11T17:51:01.000Z", + "published": "2020-05-27T15:32:52.000Z", + "aliases": [], + "details": "Drupal Commerce is used to build eCommerce websites and applications. It's possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an owner.\n\nWhen anonymous users are granted the \"View own orders\" permission, they are able to see any such anonymous order via direct navigation to its view page. The module does not include extra access control necessary to ensure anonymous users are only able to view their own previously placed orders.\n\nThis vulnerability is mitigated by the fact that a site must be configured to permit anonymous checkout and an attacker must be an anonymous user with the permission \"View own orders\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/commerce" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.18.0" + } + ], + "database_specific": { + "constraint": "<2.18.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.18.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2020-020" + } + ], + "credits": [ + { + "name": "Honza Pobo\u0159il", + "contact": [ + "https://www.drupal.org/user/123612" + ] + }, + { + "name": "Joe Kersey", + "contact": [ + "https://www.drupal.org/user/2229066" + ] + } + ] +} diff --git a/advisories/commerce/DRUPAL-CONTRIB-2021-032.json b/advisories/commerce/DRUPAL-CONTRIB-2021-032.json new file mode 100644 index 00000000..f428f641 --- /dev/null +++ b/advisories/commerce/DRUPAL-CONTRIB-2021-032.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-032", + "modified": "2023-08-11T17:04:59.000Z", + "published": "2021-09-22T16:51:57.000Z", + "aliases": [], + "details": "This module provides a system for building an ecommerce solution in their Drupal site.\n\nThe module doesn't sufficiently verify access to profile data in certain circumstances.\n\nThis vulnerability is mitigated by the fact that an attacker must have permission to perform the checkout operation.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/commerce" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.27.0" + } + ], + "database_specific": { + "constraint": "<2.27.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.27.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-032" + } + ], + "credits": [ + { + "name": "Sasanka Jandhyala", + "contact": [ + "https://www.drupal.org/user/3541248" + ] + } + ] +} diff --git a/advisories/commerce/DSA-CONTRIB-2018-057.json b/advisories/commerce/DSA-CONTRIB-2018-057.json deleted file mode 100644 index acaba55b..00000000 --- a/advisories/commerce/DSA-CONTRIB-2018-057.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-057", - "modified": "2023-08-11T21:25:35.000Z", - "published": "2018-08-29T16:26:33.000Z", - "aliases": [], - "details": "This module enables you to build eCommerce websites and applications with Drupal.\n\nThe module doesn't sufficiently check access for some of its entity types.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/commerce" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.9.0" - } - ], - "database_specific": { - "constraint": "<2.9.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.9.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-057" - } - ], - "credits": [ - { - "name": "Samuel Mortenson", - "contact": [ - "https://www.drupal.org/user/2582268" - ] - } - ] -} diff --git a/advisories/commerce/DSA-CONTRIB-2020-020.json b/advisories/commerce/DSA-CONTRIB-2020-020.json deleted file mode 100644 index 269dc277..00000000 --- a/advisories/commerce/DSA-CONTRIB-2020-020.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2020-020", - "modified": "2023-08-11T17:51:01.000Z", - "published": "2020-05-27T15:32:52.000Z", - "aliases": [], - "details": "Drupal Commerce is used to build eCommerce websites and applications. It's possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an owner.\n\nWhen anonymous users are granted the \"View own orders\" permission, they are able to see any such anonymous order via direct navigation to its view page. The module does not include extra access control necessary to ensure anonymous users are only able to view their own previously placed orders.\n\nThis vulnerability is mitigated by the fact that a site must be configured to permit anonymous checkout and an attacker must be an anonymous user with the permission \"View own orders\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/commerce" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.18.0" - } - ], - "database_specific": { - "constraint": "<2.18.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.18.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2020-020" - } - ], - "credits": [ - { - "name": "Honza Pobo\u0159il", - "contact": [ - "https://www.drupal.org/user/123612" - ] - }, - { - "name": "Joe Kersey", - "contact": [ - "https://www.drupal.org/user/2229066" - ] - } - ] -} diff --git a/advisories/commerce/DSA-CONTRIB-2021-032.json b/advisories/commerce/DSA-CONTRIB-2021-032.json deleted file mode 100644 index 75e28622..00000000 --- a/advisories/commerce/DSA-CONTRIB-2021-032.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-032", - "modified": "2023-08-11T17:04:59.000Z", - "published": "2021-09-22T16:51:57.000Z", - "aliases": [], - "details": "This module provides a system for building an ecommerce solution in their Drupal site.\n\nThe module doesn't sufficiently verify access to profile data in certain circumstances.\n\nThis vulnerability is mitigated by the fact that an attacker must have permission to perform the checkout operation.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/commerce" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.27.0" - } - ], - "database_specific": { - "constraint": "<2.27.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.27.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-032" - } - ], - "credits": [ - { - "name": "Sasanka Jandhyala", - "contact": [ - "https://www.drupal.org/user/3541248" - ] - } - ] -} diff --git a/advisories/commerce_alphabank_redirect/DRUPAL-CONTRIB-2025-067.json b/advisories/commerce_alphabank_redirect/DRUPAL-CONTRIB-2025-067.json new file mode 100644 index 00000000..b86e431e --- /dev/null +++ b/advisories/commerce_alphabank_redirect/DRUPAL-CONTRIB-2025-067.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-067", + "modified": "2025-05-21T17:28:55.000Z", + "published": "2025-05-21T17:28:55.000Z", + "aliases": [ + "CVE-2025-48446" + ], + "details": "This module enables you to pay for Commerce order to an environment provided and secured by the bank\n\nThe module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/commerce_alphabank_redirect" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.3" + } + ], + "database_specific": { + "constraint": "<1.0.3" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-067" + } + ], + "credits": [ + { + "name": "Marios Tsalkidis (silios)", + "contact": [ + "https://www.drupal.org/u/silios" + ] + } + ] +} diff --git a/advisories/commerce_alphabank_redirect/DSA-CONTRIB-2025-067.json b/advisories/commerce_alphabank_redirect/DSA-CONTRIB-2025-067.json deleted file mode 100644 index 9208de49..00000000 --- a/advisories/commerce_alphabank_redirect/DSA-CONTRIB-2025-067.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-067", - "modified": "2025-05-21T17:28:55.000Z", - "published": "2025-05-21T17:28:55.000Z", - "aliases": [ - "CVE-2025-48446" - ], - "details": "This module enables you to pay for Commerce order to an environment provided and secured by the bank\n\nThe module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/commerce_alphabank_redirect" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.3" - } - ], - "database_specific": { - "constraint": "<1.0.3" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-067" - } - ], - "credits": [ - { - "name": "Marios Tsalkidis (silios)", - "contact": [ - "https://www.drupal.org/u/silios" - ] - } - ] -} diff --git a/advisories/commerce_elavon/DRUPAL-CONTRIB-2022-053.json b/advisories/commerce_elavon/DRUPAL-CONTRIB-2022-053.json new file mode 100644 index 00000000..7e702f49 --- /dev/null +++ b/advisories/commerce_elavon/DRUPAL-CONTRIB-2022-053.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-053", + "modified": "2023-08-10T19:26:24.000Z", + "published": "2022-08-24T18:21:02.000Z", + "aliases": [], + "details": "This module enables you to accept payments from the Elavon payment provider.\n\nThe module doesn't sufficiently verify that it's communicating with the correct server when using the **Elavon (On-site)** payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment details.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/commerce_elavon" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.3.0" + } + ], + "database_specific": { + "constraint": "<2.3.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.3.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-053" + } + ], + "credits": [ + { + "name": "Andy Fowlston", + "contact": [ + "https://www.drupal.org/user/220112" + ] + } + ] +} diff --git a/advisories/commerce_elavon/DSA-CONTRIB-2022-053.json b/advisories/commerce_elavon/DSA-CONTRIB-2022-053.json deleted file mode 100644 index fe7c3aa2..00000000 --- a/advisories/commerce_elavon/DSA-CONTRIB-2022-053.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-053", - "modified": "2023-08-10T19:26:24.000Z", - "published": "2022-08-24T18:21:02.000Z", - "aliases": [], - "details": "This module enables you to accept payments from the Elavon payment provider.\n\nThe module doesn't sufficiently verify that it's communicating with the correct server when using the **Elavon (On-site)** payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment details.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/commerce_elavon" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.3.0" - } - ], - "database_specific": { - "constraint": "<2.3.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.3.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-053" - } - ], - "credits": [ - { - "name": "Andy Fowlston", - "contact": [ - "https://www.drupal.org/user/220112" - ] - } - ] -} diff --git a/advisories/commerce_eurobank_redirect/DRUPAL-CONTRIB-2025-066.json b/advisories/commerce_eurobank_redirect/DRUPAL-CONTRIB-2025-066.json new file mode 100644 index 00000000..23f28841 --- /dev/null +++ b/advisories/commerce_eurobank_redirect/DRUPAL-CONTRIB-2025-066.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-066", + "modified": "2025-05-21T17:28:47.000Z", + "published": "2025-05-21T17:28:47.000Z", + "aliases": [ + "CVE-2025-48445" + ], + "details": "This module enables you to pay for Commerce order to an environment provided and secured by the bank\n\nThe module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/commerce_eurobank_redirect" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.1" + } + ], + "database_specific": { + "constraint": "<2.1.1" + } + } + ], + "database_specific": { + "affected_versions": "<2.1.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-066" + } + ], + "credits": [ + { + "name": "Marios Tsalkidis (silios)", + "contact": [ + "https://www.drupal.org/u/silios" + ] + } + ] +} diff --git a/advisories/commerce_eurobank_redirect/DSA-CONTRIB-2025-066.json b/advisories/commerce_eurobank_redirect/DSA-CONTRIB-2025-066.json deleted file mode 100644 index 3eaa6bb6..00000000 --- a/advisories/commerce_eurobank_redirect/DSA-CONTRIB-2025-066.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-066", - "modified": "2025-05-21T17:28:47.000Z", - "published": "2025-05-21T17:28:47.000Z", - "aliases": [ - "CVE-2025-48445" - ], - "details": "This module enables you to pay for Commerce order to an environment provided and secured by the bank\n\nThe module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/commerce_eurobank_redirect" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.1.1" - } - ], - "database_specific": { - "constraint": "<2.1.1" - } - } - ], - "database_specific": { - "affected_versions": "<2.1.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-066" - } - ], - "credits": [ - { - "name": "Marios Tsalkidis (silios)", - "contact": [ - "https://www.drupal.org/u/silios" - ] - } - ] -} diff --git a/advisories/commerce_ingenico/DRUPAL-CONTRIB-2019-089.json b/advisories/commerce_ingenico/DRUPAL-CONTRIB-2019-089.json new file mode 100644 index 00000000..d124edad --- /dev/null +++ b/advisories/commerce_ingenico/DRUPAL-CONTRIB-2019-089.json @@ -0,0 +1,40 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-089", + "modified": "2023-08-11T18:14:07.000Z", + "published": "2019-11-13T18:10:23.000Z", + "aliases": [], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/commerce_ingenico" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-089" + } + ], + "credits": [] +} diff --git a/advisories/commerce_ingenico/DSA-CONTRIB-2019-089.json b/advisories/commerce_ingenico/DSA-CONTRIB-2019-089.json deleted file mode 100644 index 14d8730c..00000000 --- a/advisories/commerce_ingenico/DSA-CONTRIB-2019-089.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-089", - "modified": "2023-08-11T18:14:07.000Z", - "published": "2019-11-13T18:10:23.000Z", - "aliases": [], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/commerce_ingenico" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-089" - } - ], - "credits": [] -} diff --git a/advisories/commerce_view_receipt/DRUPAL-CONTRIB-2024-021.json b/advisories/commerce_view_receipt/DRUPAL-CONTRIB-2024-021.json new file mode 100644 index 00000000..f1d95a6b --- /dev/null +++ b/advisories/commerce_view_receipt/DRUPAL-CONTRIB-2024-021.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-021", + "modified": "2025-02-20T19:14:35.000Z", + "published": "2024-05-22T16:21:55.000Z", + "aliases": [ + "CVE-2024-13257" + ], + "details": "The Commerce View Receipts module enables you to view commerce order receipts in the browser.\n\nThe module doesn't sufficiently check access permissions, allowing an unauthorised user to view the private information of other customers.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/commerce_view_receipt" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.3" + } + ], + "database_specific": { + "constraint": "<1.0.3" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-021" + } + ], + "credits": [ + { + "name": "Norman K\u00e4mper-Leymann", + "contact": [ + "https://www.drupal.org/user/2482808" + ] + } + ] +} diff --git a/advisories/commerce_view_receipt/DSA-CONTRIB-2024-021.json b/advisories/commerce_view_receipt/DSA-CONTRIB-2024-021.json deleted file mode 100644 index 050ac1ad..00000000 --- a/advisories/commerce_view_receipt/DSA-CONTRIB-2024-021.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-021", - "modified": "2025-02-20T19:14:35.000Z", - "published": "2024-05-22T16:21:55.000Z", - "aliases": [ - "CVE-2024-13257" - ], - "details": "The Commerce View Receipts module enables you to view commerce order receipts in the browser.\n\nThe module doesn't sufficiently check access permissions, allowing an unauthorised user to view the private information of other customers.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/commerce_view_receipt" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.3" - } - ], - "database_specific": { - "constraint": "<1.0.3" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-021" - } - ], - "credits": [ - { - "name": "Norman K\u00e4mper-Leymann", - "contact": [ - "https://www.drupal.org/user/2482808" - ] - } - ] -} diff --git a/advisories/config_pages/DRUPAL-CONTRIB-2023-037.json b/advisories/config_pages/DRUPAL-CONTRIB-2023-037.json new file mode 100644 index 00000000..6ce47be2 --- /dev/null +++ b/advisories/config_pages/DRUPAL-CONTRIB-2023-037.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-037", + "modified": "2023-08-23T18:29:48.000Z", + "published": "2023-08-23T16:54:32.000Z", + "aliases": [], + "details": "This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site.\n\nThe module doesn't sufficiently validate access when the JSONAPI module is also installed.\n\nThis vulnerability is mitigated by the fact that it only affects sites when the JSONAPI module is installed.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/config_pages" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.9.0" + } + ], + "database_specific": { + "constraint": "<2.9.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.9.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-037" + } + ], + "credits": [ + { + "name": "Nate Andersen", + "contact": [ + "https://www.drupal.org/user/471638" + ] + } + ] +} diff --git a/advisories/config_pages/DRUPAL-CONTRIB-2025-093.json b/advisories/config_pages/DRUPAL-CONTRIB-2025-093.json new file mode 100644 index 00000000..937dc861 --- /dev/null +++ b/advisories/config_pages/DRUPAL-CONTRIB-2025-093.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-093", + "modified": "2025-07-30T16:30:44.000Z", + "published": "2025-07-30T16:30:44.000Z", + "aliases": [ + "CVE-2025-8361" + ], + "details": "This module enables you to access an edit page for a config page.\n\nThe module doesn't sufficiently check the access permissions (`hook_ENTITY_TYPE_access()` wasn't taken into account).\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"edit ID config page\" and that it only affects sites that have access restricted via the `hook_ENTITY_TYPE_access()` hook.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/config_pages" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.18.0" + } + ], + "database_specific": { + "constraint": "<2.18.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.18.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-093" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/config_pages/DSA-CONTRIB-2023-037.json b/advisories/config_pages/DSA-CONTRIB-2023-037.json deleted file mode 100644 index 023b2062..00000000 --- a/advisories/config_pages/DSA-CONTRIB-2023-037.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-037", - "modified": "2023-08-23T18:29:48.000Z", - "published": "2023-08-23T16:54:32.000Z", - "aliases": [], - "details": "This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site.\n\nThe module doesn't sufficiently validate access when the JSONAPI module is also installed.\n\nThis vulnerability is mitigated by the fact that it only affects sites when the JSONAPI module is installed.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/config_pages" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.9.0" - } - ], - "database_specific": { - "constraint": "<2.9.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.9.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-037" - } - ], - "credits": [ - { - "name": "Nate Andersen", - "contact": [ - "https://www.drupal.org/user/471638" - ] - } - ] -} diff --git a/advisories/config_pages/DSA-CONTRIB-2025-093.json b/advisories/config_pages/DSA-CONTRIB-2025-093.json deleted file mode 100644 index 8f90a1c5..00000000 --- a/advisories/config_pages/DSA-CONTRIB-2025-093.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-093", - "modified": "2025-07-30T16:30:44.000Z", - "published": "2025-07-30T16:30:44.000Z", - "aliases": [ - "CVE-2025-8361" - ], - "details": "This module enables you to access an edit page for a config page.\n\nThe module doesn't sufficiently check the access permissions (`hook_ENTITY_TYPE_access()` wasn't taken into account).\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"edit ID config page\" and that it only affects sites that have access restricted via the `hook_ENTITY_TYPE_access()` hook.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/config_pages" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.18.0" - } - ], - "database_specific": { - "constraint": "<2.18.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.18.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-093" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/config_pages_viewer/DRUPAL-CONTRIB-2025-086.json b/advisories/config_pages_viewer/DRUPAL-CONTRIB-2025-086.json new file mode 100644 index 00000000..107efbaa --- /dev/null +++ b/advisories/config_pages_viewer/DRUPAL-CONTRIB-2025-086.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-086", + "modified": "2025-07-02T17:37:13.000Z", + "published": "2025-07-02T17:37:13.000Z", + "aliases": [ + "CVE-2025-7031" + ], + "details": "This module enables you to use [config\\_pages](https://www.drupal.org/project/config_pages) as a content entity.\n\nThe module doesn't check permission or entity access before rendering config\\_pages content.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/config_pages_viewer" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.4" + } + ], + "database_specific": { + "constraint": "<1.0.4" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-086" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/config_pages_viewer/DSA-CONTRIB-2025-086.json b/advisories/config_pages_viewer/DSA-CONTRIB-2025-086.json deleted file mode 100644 index 972861f6..00000000 --- a/advisories/config_pages_viewer/DSA-CONTRIB-2025-086.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-086", - "modified": "2025-07-02T17:37:13.000Z", - "published": "2025-07-02T17:37:13.000Z", - "aliases": [ - "CVE-2025-7031" - ], - "details": "This module enables you to use [config\\_pages](https://www.drupal.org/project/config_pages) as a content entity.\n\nThe module doesn't check permission or entity access before rendering config\\_pages content.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/config_pages_viewer" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.4" - } - ], - "database_specific": { - "constraint": "<1.0.4" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-086" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/config_perms/DRUPAL-CONTRIB-2017-083.json b/advisories/config_perms/DRUPAL-CONTRIB-2017-083.json new file mode 100644 index 00000000..57796174 --- /dev/null +++ b/advisories/config_perms/DRUPAL-CONTRIB-2017-083.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2017-083", + "modified": "2023-08-21T13:31:18.000Z", + "published": "2017-11-08T17:22:08.000Z", + "aliases": [], + "details": "Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.\n\nWhen this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this module's custom permissions temporarily lose those custom access controls, thereby leading to an access bypass vulnerability.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/config_perms" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.0" + } + ], + "database_specific": { + "constraint": "<1.1.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.1.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2017-083" + } + ], + "credits": [ + { + "name": "David Rothstein", + "contact": [ + "https://www.drupal.org/user/124982" + ] + }, + { + "name": "Michael Koza", + "contact": [ + "https://www.drupal.org/user/2110062" + ] + } + ] +} diff --git a/advisories/config_perms/DRUPAL-CONTRIB-2019-055.json b/advisories/config_perms/DRUPAL-CONTRIB-2019-055.json new file mode 100644 index 00000000..dcc40468 --- /dev/null +++ b/advisories/config_perms/DRUPAL-CONTRIB-2019-055.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-055", + "modified": "2023-08-11T18:39:41.000Z", + "published": "2019-07-10T16:30:00.000Z", + "aliases": [], + "details": "This module enables you to add and manage additional custom permissions through the administration UI.\n\nThe module doesn't sufficiently check for the proper access permissions to this page.\n\nThis vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions administration form though this is easily known.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/config_perms" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-055" + } + ], + "credits": [ + { + "name": "Mohammed Razem", + "contact": [ + "https://www.drupal.org/user/255384" + ] + } + ] +} diff --git a/advisories/config_perms/DSA-CONTRIB-2017-083.json b/advisories/config_perms/DSA-CONTRIB-2017-083.json deleted file mode 100644 index b35fa4a8..00000000 --- a/advisories/config_perms/DSA-CONTRIB-2017-083.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2017-083", - "modified": "2023-08-21T13:31:18.000Z", - "published": "2017-11-08T17:22:08.000Z", - "aliases": [], - "details": "Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.\n\nWhen this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this module's custom permissions temporarily lose those custom access controls, thereby leading to an access bypass vulnerability.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/config_perms" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.1.0" - } - ], - "database_specific": { - "constraint": "<1.1.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.1.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2017-083" - } - ], - "credits": [ - { - "name": "David Rothstein", - "contact": [ - "https://www.drupal.org/user/124982" - ] - }, - { - "name": "Michael Koza", - "contact": [ - "https://www.drupal.org/user/2110062" - ] - } - ] -} diff --git a/advisories/config_perms/DSA-CONTRIB-2019-055.json b/advisories/config_perms/DSA-CONTRIB-2019-055.json deleted file mode 100644 index 22e483e8..00000000 --- a/advisories/config_perms/DSA-CONTRIB-2019-055.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-055", - "modified": "2023-08-11T18:39:41.000Z", - "published": "2019-07-10T16:30:00.000Z", - "aliases": [], - "details": "This module enables you to add and manage additional custom permissions through the administration UI.\n\nThe module doesn't sufficiently check for the proper access permissions to this page.\n\nThis vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions administration form though this is easily known.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/config_perms" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-055" - } - ], - "credits": [ - { - "name": "Mohammed Razem", - "contact": [ - "https://www.drupal.org/user/255384" - ] - } - ] -} diff --git a/advisories/config_split/DRUPAL-CONTRIB-2025-017.json b/advisories/config_split/DRUPAL-CONTRIB-2025-017.json new file mode 100644 index 00000000..765c9d31 --- /dev/null +++ b/advisories/config_split/DRUPAL-CONTRIB-2025-017.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-017", + "modified": "2025-03-31T22:05:40.000Z", + "published": "2025-02-12T17:38:22.000Z", + "aliases": [ + "CVE-2025-31688" + ], + "details": "This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments.\n\nThe module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling or disabling a split.\n\nThis vulnerability is mitigated by the fact that an attacker must know the machine name of a split and deceive a user with the permission to modify it. \nThe status only takes effect when exporting the configuration (1.x and 2.x) or importing the configuration (1.x only) and the status is not fixed via configuration override, which is the typical setup.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/config_split" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.10.0" + } + ], + "database_specific": { + "constraint": "<1.10.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.2" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.2" + } + } + ], + "database_specific": { + "affected_versions": "<1.10.0 || >=2.0.0 <2.0.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-017" + } + ], + "credits": [ + { + "name": "Eric Smith (ericgsmith)", + "contact": [ + "https://www.drupal.org/u/ericgsmith" + ] + } + ] +} diff --git a/advisories/config_split/DSA-CONTRIB-2025-017.json b/advisories/config_split/DSA-CONTRIB-2025-017.json deleted file mode 100644 index b8ff1375..00000000 --- a/advisories/config_split/DSA-CONTRIB-2025-017.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-017", - "modified": "2025-03-31T22:05:40.000Z", - "published": "2025-02-12T17:38:22.000Z", - "aliases": [ - "CVE-2025-31688" - ], - "details": "This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments.\n\nThe module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling or disabling a split.\n\nThis vulnerability is mitigated by the fact that an attacker must know the machine name of a split and deceive a user with the permission to modify it. \nThe status only takes effect when exporting the configuration (1.x and 2.x) or importing the configuration (1.x only) and the status is not fixed via configuration override, which is the typical setup.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/config_split" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.10.0" - } - ], - "database_specific": { - "constraint": "<1.10.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.2" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.2" - } - } - ], - "database_specific": { - "affected_versions": "<1.10.0 || >=2.0.0 <2.0.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-017" - } - ], - "credits": [ - { - "name": "Eric Smith (ericgsmith)", - "contact": [ - "https://www.drupal.org/u/ericgsmith" - ] - } - ] -} diff --git a/advisories/config_terms/DRUPAL-CONTRIB-2022-047.json b/advisories/config_terms/DRUPAL-CONTRIB-2022-047.json new file mode 100644 index 00000000..0ef1cefc --- /dev/null +++ b/advisories/config_terms/DRUPAL-CONTRIB-2022-047.json @@ -0,0 +1,51 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-047", + "modified": "2023-08-10T21:35:49.000Z", + "published": "2022-06-29T17:25:39.000Z", + "aliases": [], + "details": "This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.\n\nThe module doesn't sufficiently check access for the edit and delete operations. Users with \"access content\" permission can edit or delete any term. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.\n\nThis vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission \"access content\", so may not be accessible to anonymous users on all sites.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/config_terms" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.0" + } + ], + "database_specific": { + "constraint": "<1.6.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.6.0", + "patched": true + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-047" + } + ], + "credits": [ + { + "name": "Emil Johnsson", + "contact": [ + "https://www.drupal.org/user/1868992" + ] + } + ] +} diff --git a/advisories/config_terms/DSA-CONTRIB-2022-047.json b/advisories/config_terms/DSA-CONTRIB-2022-047.json deleted file mode 100644 index 586fbb57..00000000 --- a/advisories/config_terms/DSA-CONTRIB-2022-047.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-047", - "modified": "2023-08-10T21:35:49.000Z", - "published": "2022-06-29T17:25:39.000Z", - "aliases": [], - "details": "This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.\n\nThe module doesn't sufficiently check access for the edit and delete operations. Users with \"access content\" permission can edit or delete any term. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.\n\nThis vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission \"access content\", so may not be accessible to anonymous users on all sites.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/config_terms" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.0" - } - ], - "database_specific": { - "constraint": "<1.6.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.6.0", - "patched": true - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-047" - } - ], - "credits": [ - { - "name": "Emil Johnsson", - "contact": [ - "https://www.drupal.org/user/1868992" - ] - } - ] -} diff --git a/advisories/config_update/DRUPAL-CONTRIB-2017-091.json b/advisories/config_update/DRUPAL-CONTRIB-2017-091.json new file mode 100644 index 00000000..57104220 --- /dev/null +++ b/advisories/config_update/DRUPAL-CONTRIB-2017-091.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2017-091", + "modified": "2023-08-21T13:26:56.000Z", + "published": "2017-12-06T18:44:03.000Z", + "aliases": [], + "details": "The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.\n\nThis module doesn't sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into unwanted import of configuration.\n\nThis vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/config_update" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.0" + } + ], + "database_specific": { + "constraint": "<1.5" + } + } + ], + "database_specific": { + "affected_versions": "<1.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2017-091" + } + ], + "credits": [ + { + "name": "Jean-Francois Hovinne", + "contact": [ + "https://www.drupal.org/u/jfhovinne" + ] + } + ] +} diff --git a/advisories/config_update/DSA-CONTRIB-2017-091.json b/advisories/config_update/DSA-CONTRIB-2017-091.json deleted file mode 100644 index 13275e87..00000000 --- a/advisories/config_update/DSA-CONTRIB-2017-091.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2017-091", - "modified": "2023-08-21T13:26:56.000Z", - "published": "2017-12-06T18:44:03.000Z", - "aliases": [], - "details": "The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.\n\nThis module doesn't sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into unwanted import of configuration.\n\nThis vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/config_update" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.5.0" - } - ], - "database_specific": { - "constraint": "<1.5" - } - } - ], - "database_specific": { - "affected_versions": "<1.5" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2017-091" - } - ], - "credits": [ - { - "name": "Jean-Francois Hovinne", - "contact": [ - "https://www.drupal.org/u/jfhovinne" - ] - } - ] -} diff --git a/advisories/consent_popup/DRUPAL-CONTRIB-2023-017.json b/advisories/consent_popup/DRUPAL-CONTRIB-2023-017.json new file mode 100644 index 00000000..6d0c1e78 --- /dev/null +++ b/advisories/consent_popup/DRUPAL-CONTRIB-2023-017.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-017", + "modified": "2023-08-10T13:57:22.000Z", + "published": "2023-05-31T13:18:52.000Z", + "aliases": [], + "details": "The Consent Popup provides a configurable popup that requires acceptance of a question before the visitor can continue, typically used for age consent.\n\nThe module doesn't sufficiently sanitizes the text on the block leading to a cross site scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission to create blocks.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/consent_popup" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.3" + } + ], + "database_specific": { + "constraint": "<1.0.3" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-017" + } + ], + "credits": [ + { + "name": "Mitch Portier", + "contact": [ + "https://www.drupal.org/user/2284182" + ] + } + ] +} diff --git a/advisories/consent_popup/DSA-CONTRIB-2023-017.json b/advisories/consent_popup/DSA-CONTRIB-2023-017.json deleted file mode 100644 index 82612c6e..00000000 --- a/advisories/consent_popup/DSA-CONTRIB-2023-017.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-017", - "modified": "2023-08-10T13:57:22.000Z", - "published": "2023-05-31T13:18:52.000Z", - "aliases": [], - "details": "The Consent Popup provides a configurable popup that requires acceptance of a question before the visitor can continue, typically used for age consent.\n\nThe module doesn't sufficiently sanitizes the text on the block leading to a cross site scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission to create blocks.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/consent_popup" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.3" - } - ], - "database_specific": { - "constraint": "<1.0.3" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-017" - } - ], - "credits": [ - { - "name": "Mitch Portier", - "contact": [ - "https://www.drupal.org/user/2284182" - ] - } - ] -} diff --git a/advisories/content_entity_clone/DRUPAL-CONTRIB-2024-035.json b/advisories/content_entity_clone/DRUPAL-CONTRIB-2024-035.json new file mode 100644 index 00000000..8065c691 --- /dev/null +++ b/advisories/content_entity_clone/DRUPAL-CONTRIB-2024-035.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-035", + "modified": "2025-02-20T19:23:27.000Z", + "published": "2024-09-04T15:40:44.000Z", + "aliases": [ + "CVE-2024-13271" + ], + "details": "This module enables you to \"clone\" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle.\n\nThe module doesn't properly check the user access to the original entity, allowing users to create a new entity (they have permission to create) pre-filled with content from another entity of the same type and bundle that they would normally not have access to.\n\nThis vulnerability is mitigated by the fact that an attacker must have the permission to create content of the type of the entity to clone.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/content_entity_clone" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.4" + } + ], + "database_specific": { + "constraint": "<1.0.4" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-035" + } + ], + "credits": [ + { + "name": "Vojislav Jovanovic", + "contact": [ + "https://www.drupal.org/user/92189" + ] + } + ] +} diff --git a/advisories/content_entity_clone/DSA-CONTRIB-2024-035.json b/advisories/content_entity_clone/DSA-CONTRIB-2024-035.json deleted file mode 100644 index 8c250b70..00000000 --- a/advisories/content_entity_clone/DSA-CONTRIB-2024-035.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-035", - "modified": "2025-02-20T19:23:27.000Z", - "published": "2024-09-04T15:40:44.000Z", - "aliases": [ - "CVE-2024-13271" - ], - "details": "This module enables you to \"clone\" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle.\n\nThe module doesn't properly check the user access to the original entity, allowing users to create a new entity (they have permission to create) pre-filled with content from another entity of the same type and bundle that they would normally not have access to.\n\nThis vulnerability is mitigated by the fact that an attacker must have the permission to create content of the type of the entity to clone.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/content_entity_clone" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.4" - } - ], - "database_specific": { - "constraint": "<1.0.4" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-035" - } - ], - "credits": [ - { - "name": "Vojislav Jovanovic", - "contact": [ - "https://www.drupal.org/user/92189" - ] - } - ] -} diff --git a/advisories/content_moderation_notifications/DRUPAL-CONTRIB-2023-047.json b/advisories/content_moderation_notifications/DRUPAL-CONTRIB-2023-047.json new file mode 100644 index 00000000..2dd4aa0c --- /dev/null +++ b/advisories/content_moderation_notifications/DRUPAL-CONTRIB-2023-047.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-047", + "modified": "2023-09-28T21:17:46.000Z", + "published": "2023-09-27T16:33:34.000Z", + "aliases": [], + "details": "This module enables notifications to be sent to all users of a particular role, or to the content's author when a piece of content is transitioned from one state to another via core's content\\_moderation module.\n\nThe module doesn't sufficiently check access to content when sending notifications. \nThis vulnerability is mitigated by the fact that an attacker must have been assigned to receive notifications for the given content. Additionally, only data sent in the email is visible, so the attacker cannot access the content on the site.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/content_moderation_notifications" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.6.0" + } + ], + "database_specific": { + "constraint": ">=3.0.0 <3.6.0" + } + } + ], + "database_specific": { + "affected_versions": ">=3.0.0 <3.6.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-047" + } + ], + "credits": [ + { + "name": "lucasantunes", + "contact": [ + "https://www.drupal.org/user/3603448" + ] + } + ] +} diff --git a/advisories/content_moderation_notifications/DSA-CONTRIB-2023-047.json b/advisories/content_moderation_notifications/DSA-CONTRIB-2023-047.json deleted file mode 100644 index f8428d18..00000000 --- a/advisories/content_moderation_notifications/DSA-CONTRIB-2023-047.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-047", - "modified": "2023-09-28T21:17:46.000Z", - "published": "2023-09-27T16:33:34.000Z", - "aliases": [], - "details": "This module enables notifications to be sent to all users of a particular role, or to the content's author when a piece of content is transitioned from one state to another via core's content\\_moderation module.\n\nThe module doesn't sufficiently check access to content when sending notifications. \nThis vulnerability is mitigated by the fact that an attacker must have been assigned to receive notifications for the given content. Additionally, only data sent in the email is visible, so the attacker cannot access the content on the site.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/content_moderation_notifications" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.0" - }, - { - "fixed": "3.6.0" - } - ], - "database_specific": { - "constraint": ">=3.0.0 <3.6.0" - } - } - ], - "database_specific": { - "affected_versions": ">=3.0.0 <3.6.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-047" - } - ], - "credits": [ - { - "name": "lucasantunes", - "contact": [ - "https://www.drupal.org/user/3603448" - ] - } - ] -} diff --git a/advisories/cookiebot_gtm/DRUPAL-CONTRIB-2024-055.json b/advisories/cookiebot_gtm/DRUPAL-CONTRIB-2024-055.json new file mode 100644 index 00000000..b7365884 --- /dev/null +++ b/advisories/cookiebot_gtm/DRUPAL-CONTRIB-2024-055.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-055", + "modified": "2025-02-20T20:05:30.000Z", + "published": "2024-10-30T17:07:09.000Z", + "aliases": [ + "CVE-2024-13289" + ], + "details": "This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way.\n\nThe module doesn't sufficiently filter for malicious script leading to a persistent cross site scripting (XSS) vulnerability.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cookiebot_gtm" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.18" + } + ], + "database_specific": { + "constraint": "<1.0.18" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.18" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-055" + } + ], + "credits": [ + { + "name": "Pierre Rudloff", + "contact": [ + "https://www.drupal.org/user/3611858" + ] + } + ] +} diff --git a/advisories/cookiebot_gtm/DSA-CONTRIB-2024-055.json b/advisories/cookiebot_gtm/DSA-CONTRIB-2024-055.json deleted file mode 100644 index 4ee9a567..00000000 --- a/advisories/cookiebot_gtm/DSA-CONTRIB-2024-055.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-055", - "modified": "2025-02-20T20:05:30.000Z", - "published": "2024-10-30T17:07:09.000Z", - "aliases": [ - "CVE-2024-13289" - ], - "details": "This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way.\n\nThe module doesn't sufficiently filter for malicious script leading to a persistent cross site scripting (XSS) vulnerability.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cookiebot_gtm" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.18" - } - ], - "database_specific": { - "constraint": "<1.0.18" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.18" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-055" - } - ], - "credits": [ - { - "name": "Pierre Rudloff", - "contact": [ - "https://www.drupal.org/user/3611858" - ] - } - ] -} diff --git a/advisories/cookies/DRUPAL-CONTRIB-2025-049.json b/advisories/cookies/DRUPAL-CONTRIB-2025-049.json new file mode 100644 index 00000000..601f0d0a --- /dev/null +++ b/advisories/cookies/DRUPAL-CONTRIB-2025-049.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-049", + "modified": "2025-05-29T18:20:00.000Z", + "published": "2025-05-07T17:06:36.000Z", + "aliases": [ + "CVE-2025-47703" + ], + "details": "The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.\n\nThe cookies\\_asset\\_injector module (a sub-module of the COOKiES module) also allows inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.\n\nA potential attacker would at least need permission to create and publish HTML (e.g. content or comments).", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cookies" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.14" + } + ], + "database_specific": { + "constraint": "<1.2.14" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.14" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-049" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/cookies/DRUPAL-CONTRIB-2025-075.json b/advisories/cookies/DRUPAL-CONTRIB-2025-075.json new file mode 100644 index 00000000..d4a6037a --- /dev/null +++ b/advisories/cookies/DRUPAL-CONTRIB-2025-075.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-075", + "modified": "2025-05-29T18:16:19.000Z", + "published": "2025-05-28T17:45:37.000Z", + "aliases": [ + "CVE-2025-48914" + ], + "details": "This module provides a format filter, which allows you to \"disable\" certain HTML elements (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the COOKiES banner is accepted.\n\nThe module doesn't sufficiently check whether to convert \"data-src\" attributes to \"src\" when their value might contain malicious content under the scenario, that module specific classes are set on the HTML element.\n\nThis vulnerability is mitigated by the fact that the site must have the COOKiES filter submodule enabled and an attacker must have the correct permissions to have a specific HTML element display for all users, and this HTML element needs to have three concise classes set.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cookies" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.15" + } + ], + "database_specific": { + "constraint": "<1.2.15" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.15" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-075" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/cookies/DRUPAL-CONTRIB-2025-076.json b/advisories/cookies/DRUPAL-CONTRIB-2025-076.json new file mode 100644 index 00000000..79ce756c --- /dev/null +++ b/advisories/cookies/DRUPAL-CONTRIB-2025-076.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-076", + "modified": "2025-05-29T18:15:56.000Z", + "published": "2025-05-28T17:46:09.000Z", + "aliases": [ + "CVE-2025-48915" + ], + "details": "The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.\n\nEach sub-module allows to include a specific third party service in the consent management, by controlling the execution of javascript. However, this does not adequately check whether the provided JavaScript code originates from authorized users.\n\nA potential attacker would at least need permission to create and publish HTML (e.g. content or comments).", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cookies" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.15" + } + ], + "database_specific": { + "constraint": "<1.2.15" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.15" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-076" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/cookies/DRUPAL-CONTRIB-2025-092.json b/advisories/cookies/DRUPAL-CONTRIB-2025-092.json new file mode 100644 index 00000000..7db21a66 --- /dev/null +++ b/advisories/cookies/DRUPAL-CONTRIB-2025-092.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-092", + "modified": "2025-07-23T17:10:19.000Z", + "published": "2025-07-23T17:10:19.000Z", + "aliases": [ + "CVE-2025-8092" + ], + "details": "This module allows you to manage video media items using the COOKiES module (disabling external video elements). These elements will be enabled again, once the COOKiES banner is accepted.\n\nThe module doesn't sufficiently check whether to convert \"data-src\" attributes to \"src\" when their value might contain malicious content under the scenario, that module specific classes are set on the HTML element.\n\nThis vulnerability is mitigated by the fact that an attacker must have the correct permissions to have a specific HTML element display for all users, and this HTML element needs to have a specific class set.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cookies" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.16" + } + ], + "database_specific": { + "constraint": "<1.2.16" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.16" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-092" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/cookies/DSA-CONTRIB-2025-049.json b/advisories/cookies/DSA-CONTRIB-2025-049.json deleted file mode 100644 index 90b117f4..00000000 --- a/advisories/cookies/DSA-CONTRIB-2025-049.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-049", - "modified": "2025-05-29T18:20:00.000Z", - "published": "2025-05-07T17:06:36.000Z", - "aliases": [ - "CVE-2025-47703" - ], - "details": "The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.\n\nThe cookies\\_asset\\_injector module (a sub-module of the COOKiES module) also allows inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.\n\nA potential attacker would at least need permission to create and publish HTML (e.g. content or comments).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cookies" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.14" - } - ], - "database_specific": { - "constraint": "<1.2.14" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.14" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-049" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/cookies/DSA-CONTRIB-2025-075.json b/advisories/cookies/DSA-CONTRIB-2025-075.json deleted file mode 100644 index dbb560fb..00000000 --- a/advisories/cookies/DSA-CONTRIB-2025-075.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-075", - "modified": "2025-05-29T18:16:19.000Z", - "published": "2025-05-28T17:45:37.000Z", - "aliases": [ - "CVE-2025-48914" - ], - "details": "This module provides a format filter, which allows you to \"disable\" certain HTML elements (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the COOKiES banner is accepted.\n\nThe module doesn't sufficiently check whether to convert \"data-src\" attributes to \"src\" when their value might contain malicious content under the scenario, that module specific classes are set on the HTML element.\n\nThis vulnerability is mitigated by the fact that the site must have the COOKiES filter submodule enabled and an attacker must have the correct permissions to have a specific HTML element display for all users, and this HTML element needs to have three concise classes set.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cookies" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.15" - } - ], - "database_specific": { - "constraint": "<1.2.15" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.15" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-075" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/cookies/DSA-CONTRIB-2025-076.json b/advisories/cookies/DSA-CONTRIB-2025-076.json deleted file mode 100644 index 98f53053..00000000 --- a/advisories/cookies/DSA-CONTRIB-2025-076.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-076", - "modified": "2025-05-29T18:15:56.000Z", - "published": "2025-05-28T17:46:09.000Z", - "aliases": [ - "CVE-2025-48915" - ], - "details": "The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.\n\nEach sub-module allows to include a specific third party service in the consent management, by controlling the execution of javascript. However, this does not adequately check whether the provided JavaScript code originates from authorized users.\n\nA potential attacker would at least need permission to create and publish HTML (e.g. content or comments).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cookies" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.15" - } - ], - "database_specific": { - "constraint": "<1.2.15" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.15" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-076" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/cookies/DSA-CONTRIB-2025-092.json b/advisories/cookies/DSA-CONTRIB-2025-092.json deleted file mode 100644 index ac883ac7..00000000 --- a/advisories/cookies/DSA-CONTRIB-2025-092.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-092", - "modified": "2025-07-23T17:10:19.000Z", - "published": "2025-07-23T17:10:19.000Z", - "aliases": [ - "CVE-2025-8092" - ], - "details": "This module allows you to manage video media items using the COOKiES module (disabling external video elements). These elements will be enabled again, once the COOKiES banner is accepted.\n\nThe module doesn't sufficiently check whether to convert \"data-src\" attributes to \"src\" when their value might contain malicious content under the scenario, that module specific classes are set on the HTML element.\n\nThis vulnerability is mitigated by the fact that an attacker must have the correct permissions to have a specific HTML element display for all users, and this HTML element needs to have a specific class set.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cookies" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.16" - } - ], - "database_specific": { - "constraint": "<1.2.16" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.16" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-092" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/cookies_addons/DRUPAL-CONTRIB-2025-087.json b/advisories/cookies_addons/DRUPAL-CONTRIB-2025-087.json new file mode 100644 index 00000000..d1813a8c --- /dev/null +++ b/advisories/cookies_addons/DRUPAL-CONTRIB-2025-087.json @@ -0,0 +1,53 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-087", + "modified": "2025-07-09T16:37:27.000Z", + "published": "2025-07-09T16:37:27.000Z", + "aliases": [ + "CVE-2025-7392" + ], + "details": "This module provides a format filter, which allows you to \"disable\" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the Cookies banner is accepted.\n\nThe module doesn't sufficiently filter user-supplied content when their value might contain malicious content leading to a Cross-site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that the site must have the Cookies Addons Embed Iframe submodule enabled and an attacker must have the correct permissions to use a text field with a text format that allows iframes to be used.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cookies_addons" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "1.2.4" + } + ], + "database_specific": { + "constraint": ">=1.0.0 <1.2.4" + } + } + ], + "database_specific": { + "affected_versions": ">=1.0.0 <1.2.4", + "patched": true + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-087" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/cookies_addons/DSA-CONTRIB-2025-087.json b/advisories/cookies_addons/DSA-CONTRIB-2025-087.json deleted file mode 100644 index 19825717..00000000 --- a/advisories/cookies_addons/DSA-CONTRIB-2025-087.json +++ /dev/null @@ -1,53 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-087", - "modified": "2025-07-09T16:37:27.000Z", - "published": "2025-07-09T16:37:27.000Z", - "aliases": [ - "CVE-2025-7392" - ], - "details": "This module provides a format filter, which allows you to \"disable\" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the Cookies banner is accepted.\n\nThe module doesn't sufficiently filter user-supplied content when their value might contain malicious content leading to a Cross-site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that the site must have the Cookies Addons Embed Iframe submodule enabled and an attacker must have the correct permissions to use a text field with a text format that allows iframes to be used.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cookies_addons" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.0.0" - }, - { - "fixed": "1.2.4" - } - ], - "database_specific": { - "constraint": ">=1.0.0 <1.2.4" - } - } - ], - "database_specific": { - "affected_versions": ">=1.0.0 <1.2.4", - "patched": true - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-087" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/core/DRUPAL-CORE-2018-001.json b/advisories/core/DRUPAL-CORE-2018-001.json new file mode 100644 index 00000000..7ce82a01 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2018-001.json @@ -0,0 +1,100 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2018-001", + "modified": "2022-08-21T19:44:07.000Z", + "published": "2018-02-21T17:10:55.000Z", + "aliases": [], + "details": "This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.\n\n#### Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926\n\nUsers with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.\n\nThis vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.\n\n#### JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8 - CVE-2017-6927\n\nDrupal has a `Drupal.checkPlain()` JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.\n\nThe PHP functions which Drupal provides for HTML escaping are not affected.\n\n#### Private file access bypass - Moderately Critical - Drupal 7 - CVE-2017-6928\n\nWhen using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.\n\nThis vulnerability is mitigated by the fact that it only occurs for unusual site configurations.\n\n#### jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7 - CVE-2017-6929\n\nA jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains (the CVE for this issue in jQuery is CVE-2015-9251). This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.\n\nFor Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the [jQuery Update module](https://www.drupal.org/project/jquery_update).\n\n#### Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8 - CVE-2017-6930\n\nWhen using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.\n\nThis issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement `hook_node_access_records()`.\n\n*Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.*\n\n#### Settings Tray access bypass - Moderately Critical - Drupal 8 - CVE-2017-6931\n\nThe Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.\n\nIf you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.\n\nThis vulnerability can be mitigated by disabling the Settings Tray module.\n\n#### External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7 - CVE-2017-6932\n\nDrupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.57.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.57" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.4.5" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.4.5" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.57 || >= 8.0.0 <8.4.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2018-001" + } + ], + "credits": [ + { + "name": "Anders Olsson", + "contact": [ + "https://www.drupal.org/user/855656" + ] + }, + { + "name": "David Rothstein", + "contact": [ + "https://www.drupal.org/user/124982" + ] + }, + { + "name": "Grant Gaudet", + "contact": [ + "https://www.drupal.org/user/360002" + ] + }, + { + "name": "Ivan", + "contact": [ + "https://www.drupal.org/user/556138" + ] + }, + { + "name": "Ken Rickard", + "contact": [ + "https://www.drupal.org/user/20975" + ] + }, + { + "name": "Ted Bowman", + "contact": [ + "https://www.drupal.org/user/240860" + ] + }, + { + "name": "will c", + "contact": [ + "https://www.drupal.org/user/2610796" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2018-002.json b/advisories/core/DRUPAL-CORE-2018-002.json new file mode 100644 index 00000000..62f9b5a6 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2018-002.json @@ -0,0 +1,94 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2018-002", + "modified": "2022-08-21T19:48:41.000Z", + "published": "2018-03-28T18:14:10.000Z", + "aliases": [ + "CVE-2018-7600" + ], + "details": "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.\n\nThe security team has written an [FAQ](https://groups.drupal.org/security/faq-2018-002) about this issue.\n\n*Edited 2020, February 13 to fix links to patch files.*", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.58.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.58" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.3.9" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.3.9" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.4.0" + }, + { + "fixed": "8.4.6" + } + ], + "database_specific": { + "constraint": ">=8.4.0 <8.4.6" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.5.0" + }, + { + "fixed": "8.5.1" + } + ], + "database_specific": { + "constraint": ">=8.5.0 <8.5.1" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.58 || >= 8.0.0 <8.3.9 || >=8.4.0 <8.4.6 || >=8.5.0 <8.5.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2018-002" + } + ], + "credits": [ + { + "name": "Jasper Mattsson", + "contact": [ + "https://www.drupal.org/u/Jasu_M" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2018-003.json b/advisories/core/DRUPAL-CORE-2018-003.json new file mode 100644 index 00000000..21968bec --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2018-003.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2018-003", + "modified": "2022-08-21T19:47:01.000Z", + "published": "2018-04-18T15:34:09.000Z", + "aliases": [ + "CVE-2018-9861" + ], + "details": "CKEditor, a third-party JavaScript library included in Drupal core, has [fixed a cross-site scripting (XSS) vulnerability](https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/). The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the `image2` plugin (which Drupal 8 core also uses).\n\nWe would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.4.7" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.4.7" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.5.0" + }, + { + "fixed": "8.5.2" + } + ], + "database_specific": { + "constraint": ">=8.5.0 <8.5.2" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.4.7 || >=8.5.0 <8.5.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2018-003" + } + ], + "credits": [ + { + "name": "Kyaw Min Thein", + "contact": [ + "https://www.drupal.org/user/3560461" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2018-004.json b/advisories/core/DRUPAL-CORE-2018-004.json new file mode 100644 index 00000000..b170b411 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2018-004.json @@ -0,0 +1,98 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2018-004", + "modified": "2022-08-21T19:46:05.000Z", + "published": "2018-04-25T16:13:58.000Z", + "aliases": [ + "CVE-2018-7602" + ], + "details": "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to [Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002](/sa-core-2018-002). Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.\n\n*Updated \u2014 this vulnerability is being exploited in the wild.*", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.59.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.59" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.4.8" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.4.8" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.5.0" + }, + { + "fixed": "8.5.3" + } + ], + "database_specific": { + "constraint": ">=8.5.0 <8.5.3" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.59 || >= 8.0.0 <8.4.8 || >=8.5.0 <8.5.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2018-004" + } + ], + "credits": [ + { + "name": "Alex Pott", + "contact": [ + "https://www.drupal.org/user/157725" + ] + }, + { + "name": "David Rothstein", + "contact": [ + "https://www.drupal.org/user/124982" + ] + }, + { + "name": "Heine Deelstra", + "contact": [ + "https://www.drupal.org/user/17943" + ] + }, + { + "name": "Jasper Mattsson", + "contact": [ + "https://www.drupal.org/user/521118" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-001.json b/advisories/core/DRUPAL-CORE-2019-001.json new file mode 100644 index 00000000..c4ba16b2 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-001.json @@ -0,0 +1,86 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-001", + "modified": "2022-08-21T19:42:50.000Z", + "published": "2019-01-16T17:17:11.000Z", + "aliases": [ + "CVE-2019-6338" + ], + "details": "Drupal core uses the third-party PEAR Archive\\_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to [CVE-2018-1000888](https://nvd.nist.gov/vuln/detail/CVE-2018-1000888) for details.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.62.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.62" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.5.9" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.5.9" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.6.0" + }, + { + "fixed": "8.6.6" + } + ], + "database_specific": { + "constraint": ">=8.6.0 <8.6.6" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.62 || >= 8.0.0 <8.5.9 || >=8.6.0 <8.6.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-001" + } + ], + "credits": [ + { + "name": "Ayesh Karunaratne", + "contact": [ + "https://www.drupal.org/user/796148" + ] + }, + { + "name": "farisv", + "contact": [ + "https://www.drupal.org/u/farisv" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-002.json b/advisories/core/DRUPAL-CORE-2019-002.json new file mode 100644 index 00000000..c9b1e124 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-002.json @@ -0,0 +1,86 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-002", + "modified": "2022-08-21T19:41:44.000Z", + "published": "2019-01-16T17:17:12.000Z", + "aliases": [ + "CVE-2019-6339" + ], + "details": "A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.\n\nSome Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.\n\nThis vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.62.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.62" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.5.9" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.5.9" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.6.0" + }, + { + "fixed": "8.6.6" + } + ], + "database_specific": { + "constraint": ">=8.6.0 <8.6.6" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.62 || >= 8.0.0 <8.5.9 || >=8.6.0 <8.6.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-002" + } + ], + "credits": [ + { + "name": "Greg Knaddison", + "contact": [ + "https://www.drupal.org/user/36762" + ] + }, + { + "name": "Sam Thomas", + "contact": [ + "https://www.drupal.org/u/jazzy2fives" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-003.json b/advisories/core/DRUPAL-CORE-2019-003.json new file mode 100644 index 00000000..c913879d --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-003.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-003", + "modified": "2022-08-21T19:40:55.000Z", + "published": "2019-02-20T19:18:48.000Z", + "aliases": [ + "CVE-2019-6340" + ], + "details": "Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.\n\nA site is only affected by this if one of the following conditions is met:\n\n* The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows **GET**, PATCH or POST requests, or\n* the site has another web services module enabled, like [JSON:API](https://www.drupal.org/project/jsonapi) in Drupal 8, or [Services](https://www.drupal.org/project/services) or [RESTful Web Services](https://www.drupal.org/project/restws) in Drupal 7.\n\n(*Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.*)\n\nUpdates\n-------\n\n* **2019-02-22**: Updated risk score given new information; see [PSA-2019-02-22](https://www.drupal.org/psa-2019-02-22). The security risk score has been updated to 23/25 as there are now known exploits in the wild. In addition, any enabled REST resource end-point, **even if it only accepts GET requests**, is also vulnerable. Note this does not include REST exports from Views module.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.5.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.5.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.6.0" + }, + { + "fixed": "8.6.10" + } + ], + "database_specific": { + "constraint": ">=8.6.0 <8.6.10" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.5.11 || >=8.6.0 <8.6.10" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-003" + } + ], + "credits": [ + { + "name": "Samuel Mortenson", + "contact": [ + "https://www.drupal.org/user/2582268" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-004.json b/advisories/core/DRUPAL-CORE-2019-004.json new file mode 100644 index 00000000..99fdbde1 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-004.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-004", + "modified": "2022-08-21T19:40:19.000Z", + "published": "2019-03-20T16:08:16.000Z", + "aliases": [ + "CVE-2019-6341" + ], + "details": "Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.65.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.65" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.5.14" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.5.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.6.0" + }, + { + "fixed": "8.6.13" + } + ], + "database_specific": { + "constraint": ">=8.6.0 <8.6.13" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.65 || >= 8.0.0 <8.5.14 || >=8.6.0 <8.6.13" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-004" + } + ], + "credits": [ + { + "name": "Sam Thomas", + "contact": [ + "https://www.drupal.org/u/jazzy2fives" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-005.json b/advisories/core/DRUPAL-CORE-2019-005.json new file mode 100644 index 00000000..173efa36 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-005.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-005", + "modified": "2022-08-21T19:39:25.000Z", + "published": "2019-04-17T20:29:05.000Z", + "aliases": [], + "details": "This security release fixes third-party dependencies included in or required by Drupal core.\n\n* [CVE-2019-10909: Escape validation messages in the PHP templating engine](https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine). From that advisory: \n > Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.\n* [CVE-2019-10910: Check service IDs are valid](https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid). From that advisory:\n > Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.\n* [CVE-2019-10911: Add a separator in the remember me cookie hash](https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash). From that advisory:\n > This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.5.15" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.5.15" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.6.0" + }, + { + "fixed": "8.6.15" + } + ], + "database_specific": { + "constraint": ">=8.6.0 <8.6.15" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.5.15 || >=8.6.0 <8.6.15" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-005" + } + ], + "credits": [ + { + "name": "Michael Cullum", + "contact": [ + "https://www.drupal.org/user/2706987" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-006.json b/advisories/core/DRUPAL-CORE-2019-006.json new file mode 100644 index 00000000..0646b33d --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-006.json @@ -0,0 +1,86 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-006", + "modified": "2022-08-21T19:38:49.000Z", + "published": "2019-04-17T20:30:56.000Z", + "aliases": [ + "CVE-2019-11358" + ], + "details": "The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their [release notes](https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/):\n\n> jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable \\_\\_proto\\_\\_ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.\n\nIt's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as [jQuery Update](https://www.drupal.org/project/jquery_update).\n\n*2019-04-22, edited to add CVE.*", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.66.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.66" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.5.15" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.5.15" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.6.0" + }, + { + "fixed": "8.6.15" + } + ], + "database_specific": { + "constraint": ">=8.6.0 <8.6.15" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.66 || >= 8.0.0 <8.5.15 || >=8.6.0 <8.6.15" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-006" + } + ], + "credits": [ + { + "name": "dtv_rb", + "contact": [ + "https://www.drupal.org/user/3528196" + ] + }, + { + "name": "xjm", + "contact": [ + "https://www.drupal.org/user/65776" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-007.json b/advisories/core/DRUPAL-CORE-2019-007.json new file mode 100644 index 00000000..87bb039d --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-007.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-007", + "modified": "2022-08-21T19:30:38.000Z", + "published": "2019-05-08T16:56:58.000Z", + "aliases": [ + "CVE-2019-11831" + ], + "details": "This security release fixes third-party dependencies included in or required by Drupal core. As described in [TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor](https://typo3.org/security/advisory/typo3-psa-2019-007/):\n\n> In order to intercept file invocations like file\\_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]\n>\n> The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.\n\nThe known vulnerability in Drupal core requires the \"administer themes\" permission. However, additional vulnerabilities may exist in contributed or custom modules, so site should still update even if they do not grant this permission.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.67.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.67" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.6.16" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.6.16" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.7.0" + }, + { + "fixed": "8.7.1" + } + ], + "database_specific": { + "constraint": ">=8.7.0 <8.7.1" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.67 || >= 8.0.0 <8.6.16 || >=8.7.0 <8.7.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-007" + } + ], + "credits": [ + { + "name": "Daniel Le Gall", + "contact": [ + "https://www.drupal.org/user/3606561" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-008.json b/advisories/core/DRUPAL-CORE-2019-008.json new file mode 100644 index 00000000..bdee96db --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-008.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-008", + "modified": "2025-02-25T00:02:32.000Z", + "published": "2019-07-17T16:05:11.000Z", + "aliases": [ + "CVE-2019-6342" + ], + "details": "In Drupal 8.7.4, when the [experimental](https://www.drupal.org/core/experimental#beta) Workspaces module is enabled, an access bypass condition is created.\n\nThis can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.\n\nDrupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are **not** affected.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.7.4" + }, + { + "fixed": "8.7.5" + } + ], + "database_specific": { + "constraint": ">=8.7.4 <8.7.5" + } + } + ], + "database_specific": { + "affected_versions": ">=8.7.4 <8.7.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-008" + } + ], + "credits": [ + { + "name": "Dave Botsch", + "contact": [ + "https://www.drupal.org/user/3534164" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-009.json b/advisories/core/DRUPAL-CORE-2019-009.json new file mode 100644 index 00000000..88325693 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-009.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-009", + "modified": "2022-08-21T19:27:05.000Z", + "published": "2019-12-18T18:01:37.000Z", + "aliases": [], + "details": "A visit to `install.php` can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.7.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.8.0" + }, + { + "fixed": "8.8.1" + } + ], + "database_specific": { + "constraint": ">= 8.8.0 <8.8.1" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.7.11 || >= 8.8.0 <8.8.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-009" + } + ], + "credits": [ + { + "name": "Drew Webber", + "contact": [ + "https://www.drupal.org/user/255969" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-010.json b/advisories/core/DRUPAL-CORE-2019-010.json new file mode 100644 index 00000000..2ce3a137 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-010.json @@ -0,0 +1,82 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-010", + "modified": "2022-08-21T19:26:37.000Z", + "published": "2019-12-18T18:07:15.000Z", + "aliases": [], + "details": "Drupal 8 core's `file_save_upload()` function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.\n\nUsers with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.\n\nAfter this fix, `file_save_upload()` now trims leading and trailing dots from filenames.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.7.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.8.0" + }, + { + "fixed": "8.8.1" + } + ], + "database_specific": { + "constraint": ">= 8.8.0 <8.8.1" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.7.11 || >= 8.8.0 <8.8.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-010" + } + ], + "credits": [ + { + "name": "Dan Reif", + "contact": [ + "https://www.drupal.org/user/454444" + ] + }, + { + "name": "Filipe Reis", + "contact": [ + "https://www.drupal.org/user/3521501" + ] + }, + { + "name": "Rohit Kapur", + "contact": [ + "https://www.drupal.org/user/3623849" + ] + }, + { + "name": "mramydnei", + "contact": [ + "https://www.drupal.org/user/3529990" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-011.json b/advisories/core/DRUPAL-CORE-2019-011.json new file mode 100644 index 00000000..6ceddabe --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-011.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-011", + "modified": "2022-08-21T19:25:28.000Z", + "published": "2019-12-18T18:16:54.000Z", + "aliases": [], + "details": "The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.7.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.8.0" + }, + { + "fixed": "8.8.1" + } + ], + "database_specific": { + "constraint": ">= 8.8.0 <8.8.1" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.7.11 || >= 8.8.0 <8.8.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-011" + } + ], + "credits": [ + { + "name": "Adam G-H", + "contact": [ + "https://www.drupal.org/user/205645" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2019-012.json b/advisories/core/DRUPAL-CORE-2019-012.json new file mode 100644 index 00000000..d2e5abee --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2019-012.json @@ -0,0 +1,78 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2019-012", + "modified": "2022-08-21T19:20:53.000Z", + "published": "2019-12-18T18:30:18.000Z", + "aliases": [], + "details": "The Drupal project uses the third-party library [Archive\\_Tar](https://pear.php.net/package/Archive_Tar/), which has released a security improvement that is needed to protect some Drupal configurations.\n\nMultiple vulnerabilities are possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2` or `.tlz` file uploads and processes them.\n\nThe latest versions of Drupal update `Archive_Tar` to 1.4.9 to mitigate the file processing vulnerabilities.\n\n*Edited to clarify the nature of the upstream release.*", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.69.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.69" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.7.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.8.0" + }, + { + "fixed": "8.8.1" + } + ], + "database_specific": { + "constraint": ">= 8.8.0 <8.8.1" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.69 || >= 8.0.0 <8.7.11 || >= 8.8.0 <8.8.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2019-012" + } + ], + "credits": [ + { + "name": "Jasper Mattsson", + "contact": [ + "https://www.drupal.org/user/521118" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-001.json b/advisories/core/DRUPAL-CORE-2020-001.json new file mode 100644 index 00000000..076062bc --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-001.json @@ -0,0 +1,57 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-001", + "modified": "2022-08-21T19:15:20.000Z", + "published": "2020-03-18T17:07:36.000Z", + "aliases": [], + "details": "The Drupal project uses the third-party library [CKEditor](https://github.com/ckeditor/ckeditor4), which has released a [security improvement](https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed) that is needed to protect some Drupal configurations.\n\nVulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.\n\nThe latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.12" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.7.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.8.0" + }, + { + "fixed": "8.8.4" + } + ], + "database_specific": { + "constraint": ">= 8.8.0 <8.8.4" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.7.12 || >= 8.8.0 <8.8.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-001" + } + ], + "credits": [] +} diff --git a/advisories/core/DRUPAL-CORE-2020-002.json b/advisories/core/DRUPAL-CORE-2020-002.json new file mode 100644 index 00000000..6f2def83 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-002.json @@ -0,0 +1,84 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-002", + "modified": "2022-08-21T19:19:09.000Z", + "published": "2020-05-20T15:18:53.000Z", + "aliases": [], + "details": "The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the [jQuery blog](https://blog.jquery.com/2020/05/04/jquery-3-5-1-released-fixing-a-regression/), both are\n\n> [...] security issues in jQuery\u2019s DOM manipulation methods, as in `.html()`, `.append()`, and the others. Security advisories for both of these issues have been published on GitHub.\n\nThose advisories are:\n\n* [CVE-2020-11022](https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2)\n* [CVE-2020-11023](https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6)\n\nThese vulnerabilities may be exploitable on some Drupal sites. This Drupal security release backports the fixes to the relevant jQuery functions, without making any other changes to the jQuery version that is included in Drupal core or running on the site via some other module such as [jQuery Update](https://www.drupal.org/project/jquery_update). It is not necessary to update jquery\\_update on Drupal 7 sites that have the module installed.\n\nBackwards-compatibility code has also been added to minimize regressions to Drupal sites that might rely on jQuery's prior behavior. With jQuery 3.5, incorrect self-closing HTML tags in JavaScript for elements where end tags are normally required will encounter [a change in what jQuery returns or inserts](https://jquery.com/upgrade-guide/3.5/#description-of-the-change). To minimize that disruption in 8.8.x and earlier, this security release retains jQuery's prior behavior for most safe tags. There may still be regressions for edge cases, including invalidly self-closed [custom elements](https://html.spec.whatwg.org/multipage/custom-elements.html) on Internet Explorer.\n\n(Note: the backwards compatibility layer will not be included in the upcoming Drupal 8.9 and 9.0 releases, so Drupal 8 and 9 modules, themes, and sites should correct tags in JavaScript to properly use closing tags.)\n\nIf you find a [regression](https://en.wikipedia.org/wiki/Software_regression) caused by the jQuery changes, please report it in [Drupal core's issue queue](https://www.drupal.org/project/issues/drupal) (or that of the relevant contrib project). However, if you believe you have found a security issue, please [report it privately to the Drupal Security Team](https://www.drupal.org/security-team/report-issue).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.70.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.70" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.7.14" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.7.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.8.0" + }, + { + "fixed": "8.8.6" + } + ], + "database_specific": { + "constraint": ">= 8.8.0 <8.8.6" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.70 || >= 8.0.0 <8.7.14 || >= 8.8.0 <8.8.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-002" + } + ], + "credits": [ + { + "name": "Drew Webber", + "contact": [ + "https://www.drupal.org/user/255969" + ] + }, + { + "name": "Emerson Jair Reis Oliveira da Silva", + "contact": [ + "https://www.drupal.org/user/3580914" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-003.json b/advisories/core/DRUPAL-CORE-2020-003.json new file mode 100644 index 00000000..bdb4ef5b --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-003.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-003", + "modified": "2022-08-21T19:13:36.000Z", + "published": "2020-05-20T15:22:09.000Z", + "aliases": [ + "CVE-2020-13662 " + ], + "details": "Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.\n\nThe vulnerability is caused by insufficient validation of the `destination` query parameter in the `drupal_goto()` function.\n\nOther versions of Drupal core are not vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.70.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.70" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.70" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-003" + } + ], + "credits": [ + { + "name": "vortfu", + "contact": [ + "https://www.drupal.org/user/3638636" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-004.json b/advisories/core/DRUPAL-CORE-2020-004.json new file mode 100644 index 00000000..9c0d0faf --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-004.json @@ -0,0 +1,100 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-004", + "modified": "2022-08-21T19:12:56.000Z", + "published": "2020-06-17T18:03:06.000Z", + "aliases": [ + "CVE-2020-13663" + ], + "details": "The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.72.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.72" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.8" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.8.8" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.1" + } + ], + "database_specific": { + "constraint": ">= 8.9.0 <8.9.1" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.1" + } + ], + "database_specific": { + "constraint": ">=9.0.0 <9.0.1" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.72 || >= 8.0.0 <8.8.8 || >= 8.9.0 <8.9.1 || >=9.0.0 <9.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-004" + } + ], + "credits": [ + { + "name": "Dor Tumarkin", + "contact": [ + "https://www.drupal.org/user/3648639" + ] + }, + { + "name": "Samuel Mortenson", + "contact": [ + "https://www.drupal.org/user/2582268" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-005.json b/advisories/core/DRUPAL-CORE-2020-005.json new file mode 100644 index 00000000..ff8a7e55 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-005.json @@ -0,0 +1,86 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-005", + "modified": "2022-08-21T19:11:59.000Z", + "published": "2020-06-17T18:06:23.000Z", + "aliases": [ + "CVE-2020-13664" + ], + "details": "Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.\n\nAn attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.\n\nWindows servers are most likely to be affected.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.8" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.8.8" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.1" + } + ], + "database_specific": { + "constraint": ">= 8.9.0 <8.9.1" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.1" + } + ], + "database_specific": { + "constraint": ">=9.0.0 <9.0.1" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.8.8 || >= 8.9.0 <8.9.1 || >=9.0.0 <9.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-005" + } + ], + "credits": [ + { + "name": "Lorenzo G", + "contact": [ + "https://www.drupal.org/user/3644903" + ] + }, + { + "name": "Sam Thomas", + "contact": [ + "https://www.drupal.org/user/3603418" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-006.json b/advisories/core/DRUPAL-CORE-2020-006.json new file mode 100644 index 00000000..03d10b76 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-006.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-006", + "modified": "2022-08-21T19:11:31.000Z", + "published": "2020-06-17T18:10:58.000Z", + "aliases": [ + "CVE-2020-13665 " + ], + "details": "JSON:API PATCH requests may bypass validation for certain fields.\n\nBy default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the `read_only` set to `FALSE` under `jsonapi.settings` config are vulnerable.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.8" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.8.8" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.1" + } + ], + "database_specific": { + "constraint": ">= 8.9.0 <8.9.1" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.1" + } + ], + "database_specific": { + "constraint": ">=9.0.0 <9.0.1" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.8.8 || >= 8.9.0 <8.9.1 || >=9.0.0 <9.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-006" + } + ], + "credits": [ + { + "name": "Sergii Bondarenko", + "contact": [ + "https://www.drupal.org/user/2802285" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-007.json b/advisories/core/DRUPAL-CORE-2020-007.json new file mode 100644 index 00000000..7d1ac36a --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-007.json @@ -0,0 +1,94 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-007", + "modified": "2022-08-21T19:10:51.000Z", + "published": "2020-09-16T15:48:49.000Z", + "aliases": [ + "CVE-2020-13666" + ], + "details": "The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.73.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.73" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.10" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.8.10" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.6" + } + ], + "database_specific": { + "constraint": ">= 8.9.0 <8.9.6" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.6" + } + ], + "database_specific": { + "constraint": ">=9.0.0 <9.0.6" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.73 || >= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-007" + } + ], + "credits": [ + { + "name": "Samuel Mortenson", + "contact": [ + "https://www.drupal.org/user/2582268" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-008.json b/advisories/core/DRUPAL-CORE-2020-008.json new file mode 100644 index 00000000..d916f314 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-008.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-008", + "modified": "2022-08-21T19:08:18.000Z", + "published": "2020-09-16T16:32:12.000Z", + "aliases": [ + "CVE-2020-13667" + ], + "details": "The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.\n\nThe Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.\n\nThis vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.10" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.8.10" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.6" + } + ], + "database_specific": { + "constraint": ">= 8.9.0 <8.9.6" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.6" + } + ], + "database_specific": { + "constraint": ">=9.0.0 <9.0.6" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-008" + } + ], + "credits": [ + { + "name": "Andrei Mateescu", + "contact": [ + "https://www.drupal.org/user/729614" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-009.json b/advisories/core/DRUPAL-CORE-2020-009.json new file mode 100644 index 00000000..d1ac809e --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-009.json @@ -0,0 +1,110 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-009", + "modified": "2022-08-21T19:09:38.000Z", + "published": "2020-09-16T16:11:00.000Z", + "aliases": [ + "CVE-2020-13688" + ], + "details": "Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.\n\nAn attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.10" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.8.10" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.6" + } + ], + "database_specific": { + "constraint": ">= 8.9.0 <8.9.6" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.6" + } + ], + "database_specific": { + "constraint": ">=9.0.0 <9.0.6" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-009" + } + ], + "credits": [ + { + "name": "Alejandro Garza", + "contact": [ + "https://www.drupal.org/user/153120" + ] + }, + { + "name": "Drew Webber", + "contact": [ + "https://www.drupal.org/user/255969" + ] + }, + { + "name": "Marc Addeo", + "contact": [ + "https://www.drupal.org/user/3312527" + ] + }, + { + "name": "Nathan Dentzau", + "contact": [ + "https://www.drupal.org/user/3444913" + ] + }, + { + "name": "Nuno Ramos", + "contact": [ + "https://www.drupal.org/user/3522063" + ] + }, + { + "name": "markwittens", + "contact": [ + "https://www.drupal.org/user/567198" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-010.json b/advisories/core/DRUPAL-CORE-2020-010.json new file mode 100644 index 00000000..1e239413 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-010.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-010", + "modified": "2022-08-21T19:09:00.000Z", + "published": "2020-09-16T16:31:01.000Z", + "aliases": [ + "CVE-2020-13669" + ], + "details": "Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.10" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.8.10" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.6" + } + ], + "database_specific": { + "constraint": ">= 8.9.0 <8.9.6" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.6" + } + ], + "database_specific": { + "constraint": ">=9.0.0 <9.0.6" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-010" + } + ], + "credits": [ + { + "name": "Dor Tumarkin", + "contact": [ + "https://www.drupal.org/user/3648639" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-011.json b/advisories/core/DRUPAL-CORE-2020-011.json new file mode 100644 index 00000000..e3e4d4a2 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-011.json @@ -0,0 +1,110 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-011", + "modified": "2022-08-21T19:07:45.000Z", + "published": "2020-09-16T16:45:26.000Z", + "aliases": [ + "CVE-2020-13670" + ], + "details": "A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.10" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.8.10" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.6" + } + ], + "database_specific": { + "constraint": ">= 8.9.0 <8.9.6" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.6" + } + ], + "database_specific": { + "constraint": ">=9.0.0 <9.0.6" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-011" + } + ], + "credits": [ + { + "name": "David Rothstein", + "contact": [ + "https://www.drupal.org/user/124982" + ] + }, + { + "name": "Ivan", + "contact": [ + "https://www.drupal.org/user/556138" + ] + }, + { + "name": "Mori Sugimoto", + "contact": [ + "https://www.drupal.org/user/82971" + ] + }, + { + "name": "elarlang", + "contact": [ + "https://www.drupal.org/user/3583903" + ] + }, + { + "name": "kyk", + "contact": [ + "https://www.drupal.org/user/29822" + ] + }, + { + "name": "njbooher", + "contact": [ + "https://www.drupal.org/u/njbooher" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-012.json b/advisories/core/DRUPAL-CORE-2020-012.json new file mode 100644 index 00000000..1aca0e61 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-012.json @@ -0,0 +1,118 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-012", + "modified": "2022-08-21T19:06:52.000Z", + "published": "2020-11-18T17:18:31.000Z", + "aliases": [ + "CVE-2020-13671" + ], + "details": "*Update November 18: Documented longer list of dangerous file extensions*\n\nDrupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.74.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.74" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.8.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.9" + } + ], + "database_specific": { + "constraint": ">= 8.9.0 <8.9.9" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.8" + } + ], + "database_specific": { + "constraint": ">=9.0.0 <9.0.8" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.74 || >= 8.0.0 <8.8.11 || >= 8.9.0 <8.9.9 || >=9.0.0 <9.0.8" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-012" + } + ], + "credits": [ + { + "name": "Derek Wright", + "contact": [ + "https://www.drupal.org/user/46549" + ] + }, + { + "name": "Fr\u00e9d\u00e9ric G. Marand", + "contact": [ + "https://www.drupal.org/user/27985" + ] + }, + { + "name": "Mark Ferree", + "contact": [ + "https://www.drupal.org/user/76245" + ] + }, + { + "name": "Samuel Mortenson", + "contact": [ + "https://www.drupal.org/user/2582268" + ] + }, + { + "name": "ufku", + "contact": [ + "https://www.drupal.org/user/9910" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2020-013.json b/advisories/core/DRUPAL-CORE-2020-013.json new file mode 100644 index 00000000..14c39df4 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2020-013.json @@ -0,0 +1,95 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2020-013", + "modified": "2022-08-21T19:06:25.000Z", + "published": "2020-11-25T23:57:48.000Z", + "aliases": [ + "CVE-2020-28949", + "CVE-2020-28948" + ], + "details": "The Drupal project uses the PEAR Archive\\_Tar library. The PEAR Archive\\_Tar library has released a security update that impacts Drupal. For more information please see:\n\n* [CVE-2020-28948](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948)\n* [CVE-2020-28949](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949)\n\nMultiple vulnerabilities are possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2`, or `.tlz` file uploads and processes them.\n\n**To mitigate this issue, prevent untrusted users from uploading `.tar`, `.tar.gz`, `.bz2`, or `.tlz` files.**\n\nThis is a different issue than [SA-CORE-2019-012](https://www.drupal.org/sa-core-2019-012). Similar configuration changes may mitigate the problem until you are able to patch.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.75.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.75" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.8.12" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.8.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.9.10" + } + ], + "database_specific": { + "constraint": ">= 8.9.0 <8.9.10" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.9" + } + ], + "database_specific": { + "constraint": ">=9.0.0 <9.0.9" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.75 || >= 8.0.0 <8.8.12 || >= 8.9.0 <8.9.10 || >=9.0.0 <9.0.9" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2020-013" + } + ], + "credits": [ + { + "name": "Luke Stewart", + "contact": [ + "https://www.drupal.org/user/3564081" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-001.json b/advisories/core/DRUPAL-CORE-2021-001.json new file mode 100644 index 00000000..6b1db428 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-001.json @@ -0,0 +1,110 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-001", + "modified": "2022-08-21T19:04:14.000Z", + "published": "2021-01-20T17:10:55.000Z", + "aliases": [], + "details": "The Drupal project uses the pear Archive\\_Tar library, which has released a security update that impacts Drupal. For more information please see:\n\n* [CVE-2020-36193](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193)\n\nExploits may be possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2`, or `.tlz` file uploads and processes them.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.78.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.78" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.13" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.11" + } + ], + "database_specific": { + "constraint": ">= 9.0.0 <9.0.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.3" + } + ], + "database_specific": { + "constraint": ">=9.1.0 <9.1.3" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.78 || >= 8.0.0 <8.9.13 || >= 9.0.0 <9.0.11 || >=9.1.0 <9.1.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-001" + } + ], + "credits": [ + { + "name": "Jonathan Danaher", + "contact": [ + "https://www.drupal.org/user/1771466" + ] + }, + { + "name": "Kim Pepper", + "contact": [ + "https://www.drupal.org/user/370574" + ] + }, + { + "name": "Richard Sheppard", + "contact": [ + "https://www.drupal.org/user/55284" + ] + }, + { + "name": "Stephen Cross", + "contact": [ + "https://www.drupal.org/user/2485138" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-002.json b/advisories/core/DRUPAL-CORE-2021-002.json new file mode 100644 index 00000000..7070302d --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-002.json @@ -0,0 +1,94 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-002", + "modified": "2022-08-21T19:03:20.000Z", + "published": "2021-04-21T15:58:22.000Z", + "aliases": [ + "CVE-2020-13672" + ], + "details": "Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.\n\nNot all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.80.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.80" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.14" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.12" + } + ], + "database_specific": { + "constraint": ">= 9.0.0 <9.0.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.7" + } + ], + "database_specific": { + "constraint": ">=9.1.0 <9.1.7" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.80 || >= 8.0.0 <8.9.14 || >= 9.0.0 <9.0.12 || >=9.1.0 <9.1.7" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-002" + } + ], + "credits": [ + { + "name": "Jasper Mattsson", + "contact": [ + "https://www.drupal.org/user/521118" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-003.json b/advisories/core/DRUPAL-CORE-2021-003.json new file mode 100644 index 00000000..78a836a0 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-003.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-003", + "modified": "2022-08-21T19:01:54.000Z", + "published": "2021-05-26T18:33:55.000Z", + "aliases": [ + "CVE-2021-33829" + ], + "details": "**Update: 2021-06-11: Added CVE-2021-33829 identifier**\n\nDrupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix.\n\nUpdate: 2021-06-11: More details are available on [CKEditor's blog](https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser).\n\nUsers of the CKEditor library via means other than Drupal core should update their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal Security Team policy is not to alert for issues affecting 3rd party libraries unless those are shipped with Drupal core. See [DRUPAL-SA-PSA-2016-004 for more details](https://www.drupal.org/psa-2016-004).\n\nThis issue is mitigated by the fact that it only affects sites with CKEditor enabled.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.16" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.16" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.0.14" + } + ], + "database_specific": { + "constraint": ">= 9.0.0 <9.0.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.9" + } + ], + "database_specific": { + "constraint": ">=9.1.0 <9.1.9" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.9.16 || >= 9.0.0 <9.0.14 || >=9.1.0 <9.1.9" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-003" + } + ], + "credits": [ + { + "name": "Or Sahar", + "contact": [ + "https://www.drupal.org/user/3676145" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-004.json b/advisories/core/DRUPAL-CORE-2021-004.json new file mode 100644 index 00000000..edafcd3c --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-004.json @@ -0,0 +1,94 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-004", + "modified": "2022-08-21T19:00:32.000Z", + "published": "2021-07-21T15:59:27.000Z", + "aliases": [ + "CVE-2021-32610" + ], + "details": "The Drupal project uses the pear Archive\\_Tar library, which has released a security update that impacts Drupal.\n\nThe vulnerability is mitigated by the fact that Drupal core's use of the Archive\\_Tar library is not vulnerable, as it does not permit symlinks.\n\nExploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.82.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.82" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.17" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.17" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.11" + } + ], + "database_specific": { + "constraint": ">= 9.1.0 <9.1.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.2.0" + }, + { + "fixed": "9.2.2" + } + ], + "database_specific": { + "constraint": ">=9.2.0 <9.2.2" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.82 || >= 8.0.0 <8.9.17 || >= 9.1.0 <9.1.11 || >=9.2.0 <9.2.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-004" + } + ], + "credits": [ + { + "name": "Drew Webber", + "contact": [ + "https://www.drupal.org/user/255969" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-005.json b/advisories/core/DRUPAL-CORE-2021-005.json new file mode 100644 index 00000000..8acb84aa --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-005.json @@ -0,0 +1,78 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-005", + "modified": "2022-08-21T18:59:16.000Z", + "published": "2021-08-12T18:08:50.000Z", + "aliases": [], + "details": "The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4), library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/blog/ckeditor-4.16.2-with-browser-improvements-and-security-fixes/).\n\nVulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.\n\nFor more information, see [CKEditor's announcement of the release](https://ckeditor.com/blog/ckeditor-4.16.2-with-browser-improvements-and-security-fixes/).\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.18" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.18" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.12" + } + ], + "database_specific": { + "constraint": ">= 9.1.0 <9.1.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.2.0" + }, + { + "fixed": "9.2.4" + } + ], + "database_specific": { + "constraint": ">=9.2.0 <9.2.4" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.9.18 || >= 9.1.0 <9.1.12 || >=9.2.0 <9.2.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-005" + } + ], + "credits": [ + { + "name": "Krzysztof Krzton", + "contact": [ + "https://www.drupal.org/user/3618903" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-006.json b/advisories/core/DRUPAL-CORE-2021-006.json new file mode 100644 index 00000000..ce88191d --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-006.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-006", + "modified": "2022-08-21T18:58:15.000Z", + "published": "2021-09-15T15:18:26.000Z", + "aliases": [ + "CVE-2020-13673" + ], + "details": "The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.\n\nThis advisory is not covered by [Drupal Steward](/steward).\n\nAlso see [Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028](https://www.drupal.org/sa-contrib-2021-028) which addresses a similar vulnerability for that module.\n\n*Updated 18:15 UTC to clarify text.*", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.19" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.19" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.13" + } + ], + "database_specific": { + "constraint": ">= 9.1.0 <9.1.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.2.0" + }, + { + "fixed": "9.2.6" + } + ], + "database_specific": { + "constraint": ">=9.2.0 <9.2.6" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-006" + } + ], + "credits": [ + { + "name": "Aaron Zinck", + "contact": [ + "https://www.drupal.org/user/518662" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-007.json b/advisories/core/DRUPAL-CORE-2021-007.json new file mode 100644 index 00000000..a7e8bfea --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-007.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-007", + "modified": "2022-08-21T18:57:29.000Z", + "published": "2021-09-15T15:20:39.000Z", + "aliases": [ + "CVE-2020-13674" + ], + "details": "The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.\n\nSites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the \"access in-place editing\" permission from untrusted users **will not** fully mitigate the vulnerability.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.19" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.19" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.13" + } + ], + "database_specific": { + "constraint": ">= 9.1.0 <9.1.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.2.0" + }, + { + "fixed": "9.2.6" + } + ], + "database_specific": { + "constraint": ">=9.2.0 <9.2.6" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-007" + } + ], + "credits": [ + { + "name": "Samuel Mortenson", + "contact": [ + "https://www.drupal.org/user/2582268" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-008.json b/advisories/core/DRUPAL-CORE-2021-008.json new file mode 100644 index 00000000..d93859e0 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-008.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-008", + "modified": "2022-08-21T18:57:18.000Z", + "published": "2021-09-15T15:22:27.000Z", + "aliases": [ + "CVE-2020-13675" + ], + "details": "Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.\n\nThis vulnerability is mitigated by three factors:\n\n1. The JSON:API or REST File upload modules must be enabled on the site.\n2. An attacker must have access to a file upload via JSON:API or REST.\n3. The site must employ a file validation module.\n\nThis advisory is not covered by [Drupal Steward](/steward).\n\nAlso see [GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2021-029](https://www.drupal.org/sa-contrib-2021-029) which addresses a similar vulnerability for that module.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.19" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.19" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.13" + } + ], + "database_specific": { + "constraint": ">= 9.1.0 <9.1.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.2.0" + }, + { + "fixed": "9.2.6" + } + ], + "database_specific": { + "constraint": ">=9.2.0 <9.2.6" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-008" + } + ], + "credits": [ + { + "name": "Klaus Purer", + "contact": [ + "https://www.drupal.org/user/262198" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-009.json b/advisories/core/DRUPAL-CORE-2021-009.json new file mode 100644 index 00000000..6c17fa3e --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-009.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-009", + "modified": "2022-08-21T18:57:01.000Z", + "published": "2021-09-15T15:23:43.000Z", + "aliases": [ + "CVE-2020-13676" + ], + "details": "The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data.\n\nSites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.19" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.19" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.13" + } + ], + "database_specific": { + "constraint": ">= 9.1.0 <9.1.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.2.0" + }, + { + "fixed": "9.2.6" + } + ], + "database_specific": { + "constraint": ">=9.2.0 <9.2.6" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-009" + } + ], + "credits": [ + { + "name": "Greg Watson", + "contact": [ + "https://www.drupal.org/user/2212910" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-010.json b/advisories/core/DRUPAL-CORE-2021-010.json new file mode 100644 index 00000000..aed0e16b --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-010.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-010", + "modified": "2022-08-21T18:56:18.000Z", + "published": "2021-09-15T15:25:10.000Z", + "aliases": [ + "CVE-2020-13677" + ], + "details": "Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.\n\nSites that do not have the JSON:API module enabled are not affected.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.19" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.19" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.13" + } + ], + "database_specific": { + "constraint": ">= 9.1.0 <9.1.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.2.0" + }, + { + "fixed": "9.2.6" + } + ], + "database_specific": { + "constraint": ">=9.2.0 <9.2.6" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-010" + } + ], + "credits": [ + { + "name": "Brad Jones", + "contact": [ + "https://www.drupal.org/user/405824" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2021-011.json b/advisories/core/DRUPAL-CORE-2021-011.json new file mode 100644 index 00000000..2f8432fb --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2021-011.json @@ -0,0 +1,78 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2021-011", + "modified": "2022-08-21T18:55:20.000Z", + "published": "2021-11-17T21:28:49.000Z", + "aliases": [], + "details": "The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/cke4/release/CKEditor-4.17.0), along with a [hotfix for that update](https://ckeditor.com/cke4/release/CKEditor-4.17.1).\n\nVulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.\n\nFor more information, see CKEditor's security advisories:\n\n* [CVE-2021-41165: HTML comments vulnerability allowing to execute JavaScript code](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2)\n* [CVE-2021-41164: Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj)\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.9.20" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <8.9.20" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.1.14" + } + ], + "database_specific": { + "constraint": ">= 9.1.0 <9.1.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.2.0" + }, + { + "fixed": "9.2.9" + } + ], + "database_specific": { + "constraint": ">=9.2.0 <9.2.9" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <8.9.20 || >= 9.1.0 <9.1.14 || >=9.2.0 <9.2.9" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2021-011" + } + ], + "credits": [ + { + "name": "Jacek Bogda\u0144ski", + "contact": [ + "https://www.drupal.org/user/3683355" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-001.json b/advisories/core/DRUPAL-CORE-2022-001.json new file mode 100644 index 00000000..0ae1a2a6 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-001.json @@ -0,0 +1,78 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-001", + "modified": "2022-08-21T18:53:57.000Z", + "published": "2022-01-19T17:20:38.000Z", + "aliases": [], + "details": "jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.\n\nLate in 2021, jQuery UI announced that they would be continuing development, and released a [jQuery UI 1.13.0](https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/) version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:\n\n* CVE-2021-41184: [XSS in the `of` option of the `.position()` util](https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327)\n\nIt is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site description issue, without making any of the other changes to the jQuery version that is included in Drupal.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.86.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.86" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.2.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.2.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.3.0" + }, + { + "fixed": "9.3.3" + } + ], + "database_specific": { + "constraint": ">= 9.3.0 <9.3.3" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.86 || >= 8.0.0 <9.2.11 || >= 9.3.0 <9.3.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-001" + } + ], + "credits": [ + { + "name": "Lauri Eskola", + "contact": [ + "https://www.drupal.org/user/1078742" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-002.json b/advisories/core/DRUPAL-CORE-2022-002.json new file mode 100644 index 00000000..786c35d6 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-002.json @@ -0,0 +1,51 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-002", + "modified": "2022-08-21T18:53:10.000Z", + "published": "2022-01-19T17:27:57.000Z", + "aliases": [], + "details": "jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.\n\nLate in 2021, jQuery UI announced that they would be continuing development, and released a [jQuery UI 1.13.0](https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/) version. In addition to the issue covered by [SA-CORE-2022-001](/sa-core-2022-001), further security vulnerabilities disclosed in jQuery UI 1.13.0 may affect Drupal 7 only:\n\n* CVE-2021-41182: [XSS in the altField option of the Datepicker widget](https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc)\n* CVE-2021-41183: [XSS in \\*Text options of the Datepicker widget](https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4)\n\nFurthermore, other vulnerabilities listed below were previously unaddressed in the version of jQuery UI included in Drupal 7 or in the [jQuery Update](/project/jquery_update) module:\n\n* CVE-2016-7103: [XSS in closeText option of Dialog](https://nvd.nist.gov/vuln/detail/CVE-2016-7103)\n* CVE-2010-5312: [XSS in the title option of Dialog](https://nvd.nist.gov/vuln/detail/CVE-2010-5312) (applicable only to the jQuery UI version included in D7 core)\n\nIt is possible that these vulnerabilities are exploitable via contributed Drupal modules or custom code. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issues, without making other changes to the jQuery UI version that is included in Drupal.\n\nThis advisory is not covered by [Drupal Steward](/steward).\n\n### Important note regarding the jQuery Update contrib module\n\nThese backport fixes in D7 have also been tested with the version of jQuery UI provided by the most recent releases of the jQuery Update module (jQuery UI 1.10.2) and the fixes confirmed. Therefore, there is no accompanying security release for jQuery Update.\n\nHowever, in early 2022 the currently supported release of jQuery Update (7.x-2.7 from 2015) will be deprecated and replaced by a new release from the 7.x-4.x branch. The stable release from that branch will then be the only release considered by Drupal Security Team when new jQuery security issues arise.\n\nPlease check the [jQuery Update project page](/project/jquery_update) for more details, and for announcements when the changes are made to supported releases.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "last_affected": "7.86.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <=7.86" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <=7.86", + "patched": true + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-002" + } + ], + "credits": [ + { + "name": "Lauri Eskola", + "contact": [ + "https://www.drupal.org/user/1078742" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-003.json b/advisories/core/DRUPAL-CORE-2022-003.json new file mode 100644 index 00000000..77c6fe95 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-003.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-003", + "modified": "2022-08-21T18:52:28.000Z", + "published": "2022-02-16T16:43:20.000Z", + "aliases": [ + "CVE-2022-25271" + ], + "details": "Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.88.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.88" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.2.13" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.2.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.3.0" + }, + { + "fixed": "9.3.6" + } + ], + "database_specific": { + "constraint": ">= 9.3.0 <9.3.6" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.88 || >= 8.0.0 <9.2.13 || >= 9.3.0 <9.3.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-003" + } + ], + "credits": [ + { + "name": "Fabian Iwand", + "contact": [ + "https://www.drupal.org/user/1632364" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-004.json b/advisories/core/DRUPAL-CORE-2022-004.json new file mode 100644 index 00000000..59c89469 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-004.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-004", + "modified": "2022-08-21T18:51:53.000Z", + "published": "2022-02-16T16:46:24.000Z", + "aliases": [ + "CVE-2022-25270" + ], + "details": "The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the \"access in-place editing\" permission viewing some content they are are not authorized to access.\n\nSites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.\n\nAlso see [Quick Edit - Moderately critical - Information disclosure - SA-CONTRIB-2022-025](https://www.drupal.org/sa-contrib-2022-025) which addresses the same vulnerability for the contributed module.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.2.13" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.2.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.3.0" + }, + { + "fixed": "9.3.6" + } + ], + "database_specific": { + "constraint": ">= 9.3.0 <9.3.6" + } + } + ], + "database_specific": { + "affected_versions": " >= 8.0.0 <9.2.13 || >= 9.3.0 <9.3.6" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-004" + } + ], + "credits": [ + { + "name": "Samuel Mortenson", + "contact": [ + "https://www.drupal.org/user/2582268" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-005.json b/advisories/core/DRUPAL-CORE-2022-005.json new file mode 100644 index 00000000..bfef101f --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-005.json @@ -0,0 +1,67 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-005", + "modified": "2022-08-21T18:48:49.000Z", + "published": "2022-03-16T16:10:34.000Z", + "aliases": [ + "CVE-2022-24728", + "CVE-2022-24729" + ], + "details": "The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/blog/ckeditor-4.18.0-browser-bugfix-and-security-patches/).\n\nVulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.\n\nFor more information, see CKEditor's security advisories:\n\n* [CVE-2022-24728: HTML processing vulnerability allowing to execute JavaScript code](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89)\n* [CVE-2022-24729: Regular expression Denial of Service in dialog plugin](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh)\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.2.15" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.2.15" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.3.0" + }, + { + "fixed": "9.3.8" + } + ], + "database_specific": { + "constraint": ">= 9.3.0 <9.3.8" + } + } + ], + "database_specific": { + "affected_versions": " >= 8.0.0 <9.2.15 || >= 9.3.0 <9.3.8" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-005" + } + ], + "credits": [ + { + "name": "Jacek Bogda\u0144ski", + "contact": [ + "https://www.drupal.org/user/3683355" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-006.json b/advisories/core/DRUPAL-CORE-2022-006.json new file mode 100644 index 00000000..33a291fc --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-006.json @@ -0,0 +1,72 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-006", + "modified": "2022-08-21T18:48:04.000Z", + "published": "2022-03-21T21:39:35.000Z", + "aliases": [ + "CVE-2022-24775" + ], + "details": "Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. [Guzzle has released a security update](https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96) which may affect some Drupal sites.\n\nWe are issuing this security advisory outside our regular [Drupal security release window schedule](https://www.drupal.org/node/1173280) since Guzzle has already published information about the vulnerability, and vulnerabilities might exist with core, contributed modules, or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as low-risk.\n\nThis advisory is not covered by Drupal Steward.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.2.16" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.2.16" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.3.0" + }, + { + "fixed": "9.3.9" + } + ], + "database_specific": { + "constraint": ">= 9.3.0 <9.3.9" + } + } + ], + "database_specific": { + "affected_versions": " >= 8.0.0 <9.2.16 || >= 9.3.0 <9.3.9" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-006" + } + ], + "credits": [ + { + "name": "Damien McKenna", + "contact": [ + "https://www.drupal.org/user/108450" + ] + }, + { + "name": "Jeroen Tubex", + "contact": [ + "https://www.drupal.org/user/2228934" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-008.json b/advisories/core/DRUPAL-CORE-2022-008.json new file mode 100644 index 00000000..7d780e60 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-008.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-008", + "modified": "2022-08-21T18:46:33.000Z", + "published": "2022-04-20T15:04:23.000Z", + "aliases": [ + "CVE-2022-25273" + ], + "details": "Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.\n\nWe do not know of affected forms within core itself, but contributed and custom project forms could be affected. Installing this update will fix those forms.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.2.18" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.2.18" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.3.0" + }, + { + "fixed": "9.3.12" + } + ], + "database_specific": { + "constraint": ">= 9.3.0 <9.3.12" + } + } + ], + "database_specific": { + "affected_versions": " >= 8.0.0 <9.2.18 || >= 9.3.0 <9.3.12" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-008" + } + ], + "credits": [ + { + "name": "Dezs\u0151 BICZ\u00d3", + "contact": [ + "https://www.drupal.org/user/315522" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-009.json b/advisories/core/DRUPAL-CORE-2022-009.json new file mode 100644 index 00000000..fb374d5d --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-009.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-009", + "modified": "2022-08-21T18:45:59.000Z", + "published": "2022-04-20T15:07:29.000Z", + "aliases": [ + "CVE-2022-25274" + ], + "details": "Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.\n\nThis vulnerability only affects sites using Drupal's revision system.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.3.0" + }, + { + "fixed": "9.3.12" + } + ], + "database_specific": { + "constraint": ">= 9.3.0 <9.3.12" + } + } + ], + "database_specific": { + "affected_versions": ">= 9.3.0 <9.3.12" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-009" + } + ], + "credits": [ + { + "name": "Kristiaan Van den Eynde", + "contact": [ + "https://www.drupal.org/user/1345130" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-010.json b/advisories/core/DRUPAL-CORE-2022-010.json new file mode 100644 index 00000000..fc249571 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-010.json @@ -0,0 +1,72 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-010", + "modified": "2022-08-21T18:45:29.000Z", + "published": "2022-05-25T19:39:01.000Z", + "aliases": [ + "CVE-2022-29248" + ], + "details": "Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. [Guzzle has released a security update](https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3) which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.\n\nWe are issuing this security advisory outside our regular [Drupal security release window schedule](https://www.drupal.org/node/1173280) since Guzzle has already published information about the vulnerability, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as high-risk.\n\nThis advisory is not covered by Drupal Steward.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.2.20" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.2.20" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.3.0" + }, + { + "fixed": "9.3.14" + } + ], + "database_specific": { + "constraint": ">= 9.3.0 <9.3.14" + } + } + ], + "database_specific": { + "affected_versions": " >= 8.0.0 <9.2.20 || >= 9.3.0 <9.3.14" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-010" + } + ], + "credits": [ + { + "name": "Dezs\u0151 BICZ\u00d3", + "contact": [ + "https://www.drupal.org/user/315522" + ] + }, + { + "name": "mayela", + "contact": [ + "https://www.drupal.org/user/3351026" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-011.json b/advisories/core/DRUPAL-CORE-2022-011.json new file mode 100644 index 00000000..0c3e4588 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-011.json @@ -0,0 +1,79 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-011", + "modified": "2022-08-21T18:43:31.000Z", + "published": "2022-06-10T19:39:02.000Z", + "aliases": [ + "CVE-2022-31042", + "CVE-2022-31043" + ], + "details": "*Updated 22:00 UTC 2022-06-10: Added steps to update without `drupal/core-recommended`.*\n\nDrupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:\n\n* [Failure to strip the Cookie header on change in host or HTTP downgrade](https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9)\n* [Fix failure to strip Authorization header on HTTP downgrade](https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q)\n\nThese do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.\n\nWe are issuing this security advisory outside our regular [Drupal security release window schedule](https://www.drupal.org/node/1173280) since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated these vulnerabilities as high-risk.\n\nThis advisory is not covered by Drupal Steward.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.2.21" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.2.21" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.3.0" + }, + { + "fixed": "9.3.16" + } + ], + "database_specific": { + "constraint": ">= 9.3.0 <9.3.16" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <9.2.21 || >= 9.3.0 <9.3.16" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-011" + } + ], + "credits": [ + { + "name": "GHaddon", + "contact": [ + "https://www.drupal.org/user/1507580" + ] + }, + { + "name": "Jeroen Tubex", + "contact": [ + "https://www.drupal.org/user/2228934" + ] + }, + { + "name": "Yasen Ivanov", + "contact": [ + "https://www.drupal.org/user/3513564" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-012.json b/advisories/core/DRUPAL-CORE-2022-012.json new file mode 100644 index 00000000..4c1106ca --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-012.json @@ -0,0 +1,86 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-012", + "modified": "2022-08-21T18:23:29.000Z", + "published": "2022-07-20T15:34:05.000Z", + "aliases": [ + "CVE-2022-25275" + ], + "details": "In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.\n\nAccess to a non-public file is checked only if it is stored in the \"private\" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.\n\nThis vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) `$config['image.settings']['allow_insecure_derivatives']` or (Drupal 7) `$conf['image_allow_insecure_derivatives']` to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.\n\nSome sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.91.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.91" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.3.19" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.3.19" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.4.0" + }, + { + "fixed": "9.4.3" + } + ], + "database_specific": { + "constraint": ">= 9.4.0 <9.4.3" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.91 || >= 8.0.0 <9.3.19 || >= 9.4.0 <9.4.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-012" + } + ], + "credits": [ + { + "name": "Conrad Lara", + "contact": [ + "https://www.drupal.org/user/1790054" + ] + }, + { + "name": "Guy Elsmore-Paddock", + "contact": [ + "https://www.drupal.org/user/156932" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-013.json b/advisories/core/DRUPAL-CORE-2022-013.json new file mode 100644 index 00000000..b9f72c2a --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-013.json @@ -0,0 +1,72 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-013", + "modified": "2025-01-21T04:17:41.000Z", + "published": "2022-07-20T15:35:43.000Z", + "aliases": [ + "CVE-2022-25278" + ], + "details": "Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.\n\nNo forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.3.19" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.3.19" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.4.0" + }, + { + "fixed": "9.4.3" + } + ], + "database_specific": { + "constraint": ">= 9.4.0 <9.4.3" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <9.3.19 || >= 9.4.0 <9.4.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-013" + } + ], + "credits": [ + { + "name": "Pierre Rudloff", + "contact": [ + "https://www.drupal.org/user/3611858" + ] + }, + { + "name": "Ted Bowman", + "contact": [ + "https://www.drupal.org/user/240860" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-014.json b/advisories/core/DRUPAL-CORE-2022-014.json new file mode 100644 index 00000000..23920f00 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-014.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-014", + "modified": "2022-08-21T18:22:47.000Z", + "published": "2022-07-20T15:40:05.000Z", + "aliases": [ + "CVE-2022-25277" + ], + "details": "*Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers.*\n\nDrupal core sanitizes filenames with dangerous extensions upon upload (reference: [SA-CORE-2020-012](https://www.drupal.org/sa-core-2020-012)) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: [SA-CORE-2019-010](https://www.drupal.org/sa-core-2019-010)).\n\nHowever, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an `htaccess` extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default `.htaccess` files and possible remote code execution on Apache web servers.\n\nThis issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow `htaccess` as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.3.19" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.3.19" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.4.0" + }, + { + "fixed": "9.4.3" + } + ], + "database_specific": { + "constraint": ">= 9.4.0 <9.4.3" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <9.3.19 || >= 9.4.0 <9.4.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-014" + } + ], + "credits": [ + { + "name": "Elar Lang", + "contact": [ + "https://www.drupal.org/user/3583903" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-015.json b/advisories/core/DRUPAL-CORE-2022-015.json new file mode 100644 index 00000000..d163d57d --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-015.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-015", + "modified": "2022-08-21T18:22:56.000Z", + "published": "2022-07-20T15:41:37.000Z", + "aliases": [ + "CVE-2022-25276" + ], + "details": "The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.3.19" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.3.19" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.4.0" + }, + { + "fixed": "9.4.3" + } + ], + "database_specific": { + "constraint": ">= 9.4.0 <9.4.3" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <9.3.19 || >= 9.4.0 <9.4.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-015" + } + ], + "credits": [ + { + "name": "Heine", + "contact": [ + "https://www.drupal.org/user/17943" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2022-016.json b/advisories/core/DRUPAL-CORE-2022-016.json new file mode 100644 index 00000000..748c562d --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2022-016.json @@ -0,0 +1,84 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2022-016", + "modified": "2022-09-29T21:45:51.000Z", + "published": "2022-09-28T16:24:08.000Z", + "aliases": [ + "CVE-2022-39261" + ], + "details": "Drupal uses the [Twig](https://twig.symfony.com/) third-party library for content templating and sanitization. [Twig has released a security update](https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader) that affects Drupal. Twig has rated the vulnerability as high severity.\n\nDrupal core's code extending Twig has also been updated to mitigate a related vulnerability.\n\nMultiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.\n\nThe vulnerability is mitigated by the fact that an exploit is only possible in Drupal core with a restricted access administrative permission. Additional exploit paths for the same vulnerability may exist with contributed or custom code that allows users to write Twig templates.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.3.22" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 <9.3.22" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.4.0" + }, + { + "fixed": "9.4.7" + } + ], + "database_specific": { + "constraint": ">= 9.4.0 <9.4.7" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 <9.3.22 || >= 9.4.0 <9.4.7" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-016" + } + ], + "credits": [ + { + "name": "Fabien Potencier", + "contact": [ + "https://www.drupal.org/user/1467782" + ] + }, + { + "name": "James Williams", + "contact": [ + "https://www.drupal.org/user/592268" + ] + }, + { + "name": "Nicolas Grekas", + "contact": [ + "https://www.drupal.org/user/3407972" + ] + }, + { + "name": "Samuel Mortenson", + "contact": [ + "https://www.drupal.org/user/2582268" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2023-001.json b/advisories/core/DRUPAL-CORE-2023-001.json new file mode 100644 index 00000000..de54c977 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2023-001.json @@ -0,0 +1,78 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2023-001", + "modified": "2024-11-22T08:03:31.000Z", + "published": "2023-01-18T17:40:39.000Z", + "aliases": [], + "details": "The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.\n\nThe vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.4.10" + } + ], + "database_specific": { + "constraint": ">=8.0.0 <9.4.10" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.5.0" + }, + { + "fixed": "9.5.2" + } + ], + "database_specific": { + "constraint": ">=9.5.0 <9.5.2" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.0.2" + } + ], + "database_specific": { + "constraint": ">=10.0.0 <10.0.2" + } + } + ], + "database_specific": { + "affected_versions": ">=8.0.0 <9.4.10 || >=9.5.0 <9.5.2 || >=10.0.0 <10.0.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2023-001" + } + ], + "credits": [ + { + "name": "Dan Flanagan", + "contact": [ + "https://www.drupal.org/user/3615359" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2023-002.json b/advisories/core/DRUPAL-CORE-2023-002.json new file mode 100644 index 00000000..f6c3e589 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2023-002.json @@ -0,0 +1,84 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2023-002", + "modified": "2024-11-22T08:03:01.000Z", + "published": "2023-03-15T16:21:27.000Z", + "aliases": [], + "details": "The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.\n\nThis release was coordinated with [SA-CONTRIB-2023-010](https://www.drupal.org/sa-contrib-2023-010).\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.4.12" + } + ], + "database_specific": { + "constraint": ">=8.0.0 <9.4.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.5.0" + }, + { + "fixed": "9.5.5" + } + ], + "database_specific": { + "constraint": ">=9.5.0 <9.5.5" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.0.5" + } + ], + "database_specific": { + "constraint": ">=10.0.0 <10.0.5" + } + } + ], + "database_specific": { + "affected_versions": ">=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2023-002" + } + ], + "credits": [ + { + "name": "Dan Flanagan", + "contact": [ + "https://www.drupal.org/user/3615359" + ] + }, + { + "name": "James Williams", + "contact": [ + "https://www.drupal.org/user/592268" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2023-003.json b/advisories/core/DRUPAL-CORE-2023-003.json new file mode 100644 index 00000000..8321a69c --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2023-003.json @@ -0,0 +1,78 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2023-003", + "modified": "2024-11-22T08:02:17.000Z", + "published": "2023-03-15T16:24:29.000Z", + "aliases": [], + "details": "The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.\n\nThe URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.\n\nThis advisory is not covered by [Drupal Steward](/steward).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.4.12" + } + ], + "database_specific": { + "constraint": ">=8.0.0 <9.4.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.5.0" + }, + { + "fixed": "9.5.5" + } + ], + "database_specific": { + "constraint": ">=9.5.0 <9.5.5" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.0.5" + } + ], + "database_specific": { + "constraint": ">=10.0.0 <10.0.5" + } + } + ], + "database_specific": { + "affected_versions": ">=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2023-003" + } + ], + "credits": [ + { + "name": "Jan Kellermann", + "contact": [ + "https://www.drupal.org/user/371731" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2023-004.json b/advisories/core/DRUPAL-CORE-2023-004.json new file mode 100644 index 00000000..f63a21e7 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2023-004.json @@ -0,0 +1,98 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2023-004", + "modified": "2024-11-23T13:16:17.000Z", + "published": "2023-03-15T16:26:24.000Z", + "aliases": [], + "details": "Drupal core provides a page that outputs the markup from `phpinfo()` to assist with diagnosing PHP configuration.\n\nIf an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.\n\nThis vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "7.95.0" + } + ], + "database_specific": { + "constraint": "<7.95" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "9.4.12" + } + ], + "database_specific": { + "constraint": ">=8.0.0 <9.4.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.5.0" + }, + { + "fixed": "9.5.5" + } + ], + "database_specific": { + "constraint": ">=9.5.0 <9.5.5" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.0.5" + } + ], + "database_specific": { + "constraint": ">=10.0.0 <10.0.5" + } + } + ], + "database_specific": { + "affected_versions": "<7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2023-004" + } + ], + "credits": [ + { + "name": "Elar Lang", + "contact": [ + "https://www.drupal.org/user/3583903" + ] + }, + { + "name": "Janek Vind", + "contact": [ + "https://www.drupal.org/user/3621876" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2023-005.json b/advisories/core/DRUPAL-CORE-2023-005.json new file mode 100644 index 00000000..7a3ecb7a --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2023-005.json @@ -0,0 +1,302 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2023-005", + "modified": "2025-01-09T21:09:52.000Z", + "published": "2023-04-19T17:06:18.000Z", + "aliases": [ + "CVE-2023-31250" + ], + "details": "The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.\n\nSome sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.\n\nThis advisory **is** covered by [Drupal Steward](/steward). Because this vulnerability is not mass exploitable, your Steward partner may respond by monitoring-only, rather than enforcing a new WAF rule.\n\nWe would normally not apply for a release of this severity. However, in this case we have chosen to apply Drupal Steward security coverage to test our processes.\n\n#### Drupal 7\n\n* All Drupal 7 sites on Windows web servers are vulnerable.\n* Drupal 7 sites on Linux web servers are vulnerable with certain file directory structures, or if a vulnerable contributed or custom file access module is installed.\n\n#### Drupal 9 and 10\n\nDrupal 9 and 10 sites are only vulnerable if certain contributed or custom file access modules are installed.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "7.96.0" + } + ], + "database_specific": { + "constraint": "<7.96.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.4.0" + }, + { + "fixed": "9.4.14" + } + ], + "database_specific": { + "constraint": ">=9.4.0 <9.4.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.5.0" + }, + { + "fixed": "9.5.8" + } + ], + "database_specific": { + "constraint": ">=9.5.0 <9.5.8" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.0.8" + } + ], + "database_specific": { + "constraint": ">=10.0.0 <10.0.8" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "8.1.0" + } + ], + "database_specific": { + "constraint": "8.0.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.1.0" + }, + { + "fixed": "8.2.0" + } + ], + "database_specific": { + "constraint": "8.1.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.2.0" + }, + { + "fixed": "8.3.0" + } + ], + "database_specific": { + "constraint": "8.2.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.3.0" + }, + { + "fixed": "8.4.0" + } + ], + "database_specific": { + "constraint": "8.3.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.4.0" + }, + { + "fixed": "8.5.0" + } + ], + "database_specific": { + "constraint": "8.4.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.5.0" + }, + { + "fixed": "8.6.0" + } + ], + "database_specific": { + "constraint": "8.5.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.6.0" + }, + { + "fixed": "8.7.0" + } + ], + "database_specific": { + "constraint": "8.6.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.7.0" + }, + { + "fixed": "8.8.0" + } + ], + "database_specific": { + "constraint": "8.7.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.8.0" + }, + { + "fixed": "8.9.0" + } + ], + "database_specific": { + "constraint": "8.8.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.9.0" + }, + { + "fixed": "8.10.0" + } + ], + "database_specific": { + "constraint": "8.9.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.0.0" + }, + { + "fixed": "9.1.0" + } + ], + "database_specific": { + "constraint": "9.0.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.1.0" + }, + { + "fixed": "9.2.0" + } + ], + "database_specific": { + "constraint": "9.1.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.2.0" + }, + { + "fixed": "9.3.0" + } + ], + "database_specific": { + "constraint": "9.2.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "9.3.0" + }, + { + "fixed": "9.4.0" + } + ], + "database_specific": { + "constraint": "9.3.*" + } + } + ], + "database_specific": { + "affected_versions": "<7.96.0 || >=9.4.0 <9.4.14 || >=9.5.0 <9.5.8 || >=10.0.0 <10.0.8 || 8.0.* || 8.1.* || 8.2.* || 8.3.* || 8.4.* || 8.5.* || 8.6.* || 8.7.* || 8.8.* || 8.9.* || 9.0.* || 9.1.* || 9.2.* || 9.3.*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2023-005" + } + ], + "credits": [ + { + "name": "Conrad Lara", + "contact": [ + "https://www.drupal.org/user/1790054" + ] + }, + { + "name": "Guy Elsmore-Paddock", + "contact": [ + "https://www.drupal.org/user/156932" + ] + }, + { + "name": "Heine", + "contact": [ + "https://www.drupal.org/user/17943" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2023-006.json b/advisories/core/DRUPAL-CORE-2023-006.json new file mode 100644 index 00000000..5c8ab81a --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2023-006.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2023-006", + "modified": "2024-11-22T08:00:59.000Z", + "published": "2023-09-20T16:23:05.000Z", + "aliases": [ + "CVE-2023-5256" + ], + "details": "In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.\n\nThis vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.\n\nThe core REST and contributed GraphQL modules are not affected.\n\n[Drupal Steward](/steward) partners have been made aware of this issue. Some platforms may provide mitigations. However, not all WAF configurations can mitigate the issue, so it is still recommended to update promptly to this security release if your site uses JSON:API.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.7.0" + }, + { + "fixed": "9.5.11" + } + ], + "database_specific": { + "constraint": ">=8.7.0 <9.5.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.0.11" + } + ], + "database_specific": { + "constraint": ">=10.0 <10.0.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.1.0" + }, + { + "fixed": "10.1.4" + } + ], + "database_specific": { + "constraint": ">= 10.1 <10.1.4" + } + } + ], + "database_specific": { + "affected_versions": ">=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >= 10.1 <10.1.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2023-006" + } + ], + "credits": [ + { + "name": "ghostccamm", + "contact": [ + "https://www.drupal.org/user/3778490" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2024-001.json b/advisories/core/DRUPAL-CORE-2024-001.json new file mode 100644 index 00000000..3a2f358d --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2024-001.json @@ -0,0 +1,72 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2024-001", + "modified": "2024-12-05T15:36:26.000Z", + "published": "2024-01-17T17:04:39.000Z", + "aliases": [ + "CVE-2024-11941" + ], + "details": "The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).\n\nSites that do not use the Comment module are not affected.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "10.1.8" + } + ], + "database_specific": { + "constraint": ">=8.0 <10.1.8" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.2.0" + }, + { + "fixed": "10.2.2" + } + ], + "database_specific": { + "constraint": ">=10.2 <10.2.2" + } + } + ], + "database_specific": { + "affected_versions": ">=8.0 <10.1.8 || >=10.2 <10.2.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2024-001" + } + ], + "credits": [ + { + "name": "Alexander Antonenko", + "contact": [ + "https://www.drupal.org/user/225734" + ] + }, + { + "name": "Doug Green", + "contact": [ + "https://www.drupal.org/user/29191" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2024-002.json b/advisories/core/DRUPAL-CORE-2024-002.json new file mode 100644 index 00000000..060e89ea --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2024-002.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2024-002", + "modified": "2024-12-05T15:36:43.000Z", + "published": "2024-10-16T16:27:27.000Z", + "aliases": [ + "CVE-2024-11942" + ], + "details": "Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.\n\nThe issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.0.0" + }, + { + "fixed": "10.2.10" + } + ], + "database_specific": { + "constraint": ">=10.0 < 10.2.10" + } + } + ], + "database_specific": { + "affected_versions": ">=10.0 < 10.2.10" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2024-002" + } + ], + "credits": [ + { + "name": "Pierre Rudloff", + "contact": [ + "https://www.drupal.org/user/3611858" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2024-003.json b/advisories/core/DRUPAL-CORE-2024-003.json new file mode 100644 index 00000000..96846b55 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2024-003.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2024-003", + "modified": "2024-12-09T23:22:21.000Z", + "published": "2024-11-20T17:20:16.000Z", + "aliases": [ + "CVE-2024-12393" + ], + "details": "Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.8.0" + }, + { + "fixed": "10.2.11" + } + ], + "database_specific": { + "constraint": ">= 8.8.0 < 10.2.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.3.0" + }, + { + "fixed": "10.3.9" + } + ], + "database_specific": { + "constraint": ">= 10.3.0 < 10.3.9" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.0.8" + } + ], + "database_specific": { + "constraint": ">= 11.0.0 < 11.0.8" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.8.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2024-003" + } + ], + "credits": [ + { + "name": "Jay Beaton", + "contact": [ + "https://www.drupal.org/user/352123" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2024-004.json b/advisories/core/DRUPAL-CORE-2024-004.json new file mode 100644 index 00000000..580c4ea6 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2024-004.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2024-004", + "modified": "2024-12-09T23:22:01.000Z", + "published": "2024-11-20T17:21:58.000Z", + "aliases": [ + "CVE-2024-55634" + ], + "details": "Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation.\n\nAs a result, a user may be able to register with the same email address as another user.\n\nThis may lead to data integrity issues.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "10.2.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 < 10.2.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.3.0" + }, + { + "fixed": "10.3.9" + } + ], + "database_specific": { + "constraint": ">= 10.3.0 < 10.3.9" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.0.8" + } + ], + "database_specific": { + "constraint": ">= 11.0.0 < 11.0.8" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2024-004" + } + ], + "credits": [ + { + "name": "Wayne Eaker", + "contact": [ + "https://www.drupal.org/user/326925" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2024-005.json b/advisories/core/DRUPAL-CORE-2024-005.json new file mode 100644 index 00000000..0a2b1035 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2024-005.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2024-005", + "modified": "2024-12-09T23:23:54.000Z", + "published": "2024-11-20T17:24:02.000Z", + "aliases": [ + "CVE-2024-55635" + ], + "details": "Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances.\n\nOnly sites with the Overlay module enabled are affected by this vulnerability.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.102.0" + } + ], + "database_specific": { + "constraint": ">=7.0 <7.102" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 <7.102" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2024-005" + } + ], + "credits": [ + { + "name": "Cesar", + "contact": [ + "https://www.drupal.org/user/3546810" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2024-006.json b/advisories/core/DRUPAL-CORE-2024-006.json new file mode 100644 index 00000000..97771a70 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2024-006.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2024-006", + "modified": "2024-12-09T23:24:48.000Z", + "published": "2024-11-20T17:25:47.000Z", + "aliases": [ + "CVE-2024-55636" + ], + "details": "Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.\n\nThis issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.\n\nTo help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "10.2.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 < 10.2.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.3.0" + }, + { + "fixed": "10.3.9" + } + ], + "database_specific": { + "constraint": ">= 10.3.0 < 10.3.9" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.0.8" + } + ], + "database_specific": { + "constraint": ">= 11.0.0 < 11.0.8" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2024-006" + } + ], + "credits": [ + { + "name": "Drew Webber", + "contact": [ + "https://www.drupal.org/user/255969" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2024-007.json b/advisories/core/DRUPAL-CORE-2024-007.json new file mode 100644 index 00000000..d649a057 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2024-007.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2024-007", + "modified": "2024-12-09T23:25:48.000Z", + "published": "2024-11-20T17:27:28.000Z", + "aliases": [ + "CVE-2024-55637" + ], + "details": "Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.\n\nThis issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.\n\nTo help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "10.2.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 < 10.2.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.3.0" + }, + { + "fixed": "10.3.9" + } + ], + "database_specific": { + "constraint": ">= 10.3.0 < 10.3.9" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.0.8" + } + ], + "database_specific": { + "constraint": ">= 11.0.0 < 11.0.8" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2024-007" + } + ], + "credits": [ + { + "name": "Drew Webber", + "contact": [ + "https://www.drupal.org/user/255969" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2024-008.json b/advisories/core/DRUPAL-CORE-2024-008.json new file mode 100644 index 00000000..b194c051 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2024-008.json @@ -0,0 +1,80 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2024-008", + "modified": "2024-12-09T23:26:47.000Z", + "published": "2024-11-20T17:29:59.000Z", + "aliases": [ + "CVE-2024-55638" + ], + "details": "Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.\n\nThis issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.\n\nTo help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.102.0" + } + ], + "database_specific": { + "constraint": ">=7.0 < 7.102" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "10.2.11" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 < 10.2.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.3.0" + }, + { + "fixed": "10.3.9" + } + ], + "database_specific": { + "constraint": ">= 10.3.0 < 10.3.9" + } + } + ], + "database_specific": { + "affected_versions": ">=7.0 < 7.102 || >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2024-008" + } + ], + "credits": [ + { + "name": "Drew Webber", + "contact": [ + "https://www.drupal.org/user/255969" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2025-001.json b/advisories/core/DRUPAL-CORE-2025-001.json new file mode 100644 index 00000000..3feb3e1c --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2025-001.json @@ -0,0 +1,148 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2025-001", + "modified": "2025-03-31T21:57:06.000Z", + "published": "2025-02-19T16:49:28.000Z", + "aliases": [ + "CVE-2025-3057" + ], + "details": "Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS).\n\nSites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue.\n\nThis issue is being protected by [Drupal Steward](https://www.drupal.org/steward). Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "10.3.13" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 < 10.3.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.4.0" + }, + { + "fixed": "10.4.3" + } + ], + "database_specific": { + "constraint": ">= 10.4.0 < 10.4.3" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.0.12" + } + ], + "database_specific": { + "constraint": ">= 11.0.0 < 11.0.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.1.0" + }, + { + "fixed": "11.1.3" + } + ], + "database_specific": { + "constraint": ">= 11.1.0 < 11.1.3" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2025-001" + } + ], + "credits": [ + { + "name": "Arne (arkepp)", + "contact": [ + "https://www.drupal.org/u/arkepp" + ] + }, + { + "name": "Douglas Groene (dgroene)", + "contact": [ + "https://www.drupal.org/u/dgroene" + ] + }, + { + "name": "Dragos Dumitrescu (dragos-dumi)", + "contact": [ + "https://www.drupal.org/u/dragos-dumi" + ] + }, + { + "name": "Flo Kosiol (flokosiol)", + "contact": [ + "https://www.drupal.org/u/flokosiol" + ] + }, + { + "name": "Gerardo Cadau (juanramonperez)", + "contact": [ + "https://www.drupal.org/u/juanramonperez" + ] + }, + { + "name": "Justin Christoffersen (larsdesigns)", + "contact": [ + "https://www.drupal.org/u/larsdesigns" + ] + }, + { + "name": "Sven Decabooter (svendecabooter)", + "contact": [ + "https://www.drupal.org/u/svendecabooter" + ] + }, + { + "name": "Will Gunn (wgunn_e)", + "contact": [ + "https://www.drupal.org/u/wgunn_e" + ] + }, + { + "name": "bdanin", + "contact": [ + "https://www.drupal.org/u/bdanin" + ] + }, + { + "name": "nuwans", + "contact": [ + "https://www.drupal.org/u/nuwans" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2025-002.json b/advisories/core/DRUPAL-CORE-2025-002.json new file mode 100644 index 00000000..d89590d8 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2025-002.json @@ -0,0 +1,94 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2025-002", + "modified": "2025-03-31T21:57:22.000Z", + "published": "2025-02-19T16:58:10.000Z", + "aliases": [ + "CVE-2025-31673" + ], + "details": "Bulk operations allow authorized users to modify several nodes at once from the Content page (`/admin/content`). A site builder can also add bulk operations to other pages using Views.\n\nA bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes.\n\nThis vulnerability is mitigated by the fact that an attacker must have permission to access `/admin/content` or other, custom views and to edit nodes.\n\nIn particular, the bulk operations\n\n* Make content sticky\n* Make content unsticky\n* Promote content to front page\n* Publish content\n* Remove content from front page\n* Unpublish content\n\nnow require the \"Administer content\" permission.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "10.3.13" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 < 10.3.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.4.0" + }, + { + "fixed": "10.4.3" + } + ], + "database_specific": { + "constraint": ">= 10.4.0 < 10.4.3" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.0.12" + } + ], + "database_specific": { + "constraint": ">= 11.0.0 < 11.0.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.1.0" + }, + { + "fixed": "11.1.3" + } + ], + "database_specific": { + "constraint": ">= 11.1.0 < 11.1.3" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2025-002" + } + ], + "credits": [ + { + "name": "jeff cardwell", + "contact": [ + "https://www.drupal.org/u/jeff-cardwell" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2025-003.json b/advisories/core/DRUPAL-CORE-2025-003.json new file mode 100644 index 00000000..68e6ee61 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2025-003.json @@ -0,0 +1,100 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2025-003", + "modified": "2025-03-31T21:57:36.000Z", + "published": "2025-02-19T17:03:28.000Z", + "aliases": [ + "CVE-2025-31674" + ], + "details": "Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable.\n\nThis issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "10.3.13" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 < 10.3.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.4.0" + }, + { + "fixed": "10.4.3" + } + ], + "database_specific": { + "constraint": ">= 10.4.0 < 10.4.3" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.0.12" + } + ], + "database_specific": { + "constraint": ">= 11.0.0 < 11.0.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.1.0" + }, + { + "fixed": "11.1.3" + } + ], + "database_specific": { + "constraint": ">= 11.1.0 < 11.1.3" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2025-003" + } + ], + "credits": [ + { + "name": "anzuukino", + "contact": [ + "https://www.drupal.org/u/anzuukino" + ] + }, + { + "name": "shin24", + "contact": [ + "https://www.drupal.org/u/shin24" + ] + } + ] +} diff --git a/advisories/core/DRUPAL-CORE-2025-004.json b/advisories/core/DRUPAL-CORE-2025-004.json new file mode 100644 index 00000000..e148d364 --- /dev/null +++ b/advisories/core/DRUPAL-CORE-2025-004.json @@ -0,0 +1,94 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CORE-2025-004", + "modified": "2025-06-14T13:06:04.000Z", + "published": "2025-03-19T18:54:35.000Z", + "aliases": [ + "CVE-2025-31675" + ], + "details": "Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).\n\nThis vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.\n\nSites with the Link module disabled or that do not use any link fields are not affected.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/core" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "8.0.0" + }, + { + "fixed": "10.3.14" + } + ], + "database_specific": { + "constraint": ">= 8.0.0 < 10.3.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "10.4.0" + }, + { + "fixed": "10.4.5" + } + ], + "database_specific": { + "constraint": ">= 10.4.0 < 10.4.5" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.0.0" + }, + { + "fixed": "11.0.13" + } + ], + "database_specific": { + "constraint": ">= 11.0.0 < 11.0.13" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "11.1.0" + }, + { + "fixed": "11.1.5" + } + ], + "database_specific": { + "constraint": ">= 11.1.0 < 11.1.5" + } + } + ], + "database_specific": { + "affected_versions": ">= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 < 11.0.13 || >= 11.1.0 < 11.1.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2025-004" + } + ], + "credits": [ + { + "name": "Samuel Mortenson (samuel.mortenson)", + "contact": [ + "https://www.drupal.org/u/samuelmortenson" + ] + } + ] +} diff --git a/advisories/core/DSA-CORE-2018-001.json b/advisories/core/DSA-CORE-2018-001.json deleted file mode 100644 index b691ddcd..00000000 --- a/advisories/core/DSA-CORE-2018-001.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2018-001", - "modified": "2022-08-21T19:44:07.000Z", - "published": "2018-02-21T17:10:55.000Z", - "aliases": [], - "details": "This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.\n\n#### Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926\n\nUsers with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.\n\nThis vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.\n\n#### JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8 - CVE-2017-6927\n\nDrupal has a `Drupal.checkPlain()` JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.\n\nThe PHP functions which Drupal provides for HTML escaping are not affected.\n\n#### Private file access bypass - Moderately Critical - Drupal 7 - CVE-2017-6928\n\nWhen using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.\n\nThis vulnerability is mitigated by the fact that it only occurs for unusual site configurations.\n\n#### jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7 - CVE-2017-6929\n\nA jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains (the CVE for this issue in jQuery is CVE-2015-9251). This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.\n\nFor Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the [jQuery Update module](https://www.drupal.org/project/jquery_update).\n\n#### Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8 - CVE-2017-6930\n\nWhen using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.\n\nThis issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement `hook_node_access_records()`.\n\n*Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.*\n\n#### Settings Tray access bypass - Moderately Critical - Drupal 8 - CVE-2017-6931\n\nThe Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.\n\nIf you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.\n\nThis vulnerability can be mitigated by disabling the Settings Tray module.\n\n#### External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7 - CVE-2017-6932\n\nDrupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.57.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.57" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.4.5" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.4.5" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.57 || >= 8.0.0 <8.4.5" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2018-001" - } - ], - "credits": [ - { - "name": "Anders Olsson", - "contact": [ - "https://www.drupal.org/user/855656" - ] - }, - { - "name": "David Rothstein", - "contact": [ - "https://www.drupal.org/user/124982" - ] - }, - { - "name": "Grant Gaudet", - "contact": [ - "https://www.drupal.org/user/360002" - ] - }, - { - "name": "Ivan", - "contact": [ - "https://www.drupal.org/user/556138" - ] - }, - { - "name": "Ken Rickard", - "contact": [ - "https://www.drupal.org/user/20975" - ] - }, - { - "name": "Ted Bowman", - "contact": [ - "https://www.drupal.org/user/240860" - ] - }, - { - "name": "will c", - "contact": [ - "https://www.drupal.org/user/2610796" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2018-002.json b/advisories/core/DSA-CORE-2018-002.json deleted file mode 100644 index 5ca8f760..00000000 --- a/advisories/core/DSA-CORE-2018-002.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2018-002", - "modified": "2022-08-21T19:48:41.000Z", - "published": "2018-03-28T18:14:10.000Z", - "aliases": [ - "CVE-2018-7600" - ], - "details": "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.\n\nThe security team has written an [FAQ](https://groups.drupal.org/security/faq-2018-002) about this issue.\n\n*Edited 2020, February 13 to fix links to patch files.*", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.58.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.58" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.3.9" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.3.9" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.4.0" - }, - { - "fixed": "8.4.6" - } - ], - "database_specific": { - "constraint": ">=8.4.0 <8.4.6" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.5.0" - }, - { - "fixed": "8.5.1" - } - ], - "database_specific": { - "constraint": ">=8.5.0 <8.5.1" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.58 || >= 8.0.0 <8.3.9 || >=8.4.0 <8.4.6 || >=8.5.0 <8.5.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2018-002" - } - ], - "credits": [ - { - "name": "Jasper Mattsson", - "contact": [ - "https://www.drupal.org/u/Jasu_M" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2018-003.json b/advisories/core/DSA-CORE-2018-003.json deleted file mode 100644 index 83e6b62d..00000000 --- a/advisories/core/DSA-CORE-2018-003.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2018-003", - "modified": "2022-08-21T19:47:01.000Z", - "published": "2018-04-18T15:34:09.000Z", - "aliases": [ - "CVE-2018-9861" - ], - "details": "CKEditor, a third-party JavaScript library included in Drupal core, has [fixed a cross-site scripting (XSS) vulnerability](https://ckeditor.com/blog/CKEditor-4.9.2-with-a-security-patch-released/). The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the `image2` plugin (which Drupal 8 core also uses).\n\nWe would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.4.7" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.4.7" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.5.0" - }, - { - "fixed": "8.5.2" - } - ], - "database_specific": { - "constraint": ">=8.5.0 <8.5.2" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.4.7 || >=8.5.0 <8.5.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2018-003" - } - ], - "credits": [ - { - "name": "Kyaw Min Thein", - "contact": [ - "https://www.drupal.org/user/3560461" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2018-004.json b/advisories/core/DSA-CORE-2018-004.json deleted file mode 100644 index 58e3ab8c..00000000 --- a/advisories/core/DSA-CORE-2018-004.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2018-004", - "modified": "2022-08-21T19:46:05.000Z", - "published": "2018-04-25T16:13:58.000Z", - "aliases": [ - "CVE-2018-7602" - ], - "details": "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to [Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002](/sa-core-2018-002). Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.\n\n*Updated \u2014 this vulnerability is being exploited in the wild.*", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.59.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.59" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.4.8" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.4.8" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.5.0" - }, - { - "fixed": "8.5.3" - } - ], - "database_specific": { - "constraint": ">=8.5.0 <8.5.3" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.59 || >= 8.0.0 <8.4.8 || >=8.5.0 <8.5.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2018-004" - } - ], - "credits": [ - { - "name": "Alex Pott", - "contact": [ - "https://www.drupal.org/user/157725" - ] - }, - { - "name": "David Rothstein", - "contact": [ - "https://www.drupal.org/user/124982" - ] - }, - { - "name": "Heine Deelstra", - "contact": [ - "https://www.drupal.org/user/17943" - ] - }, - { - "name": "Jasper Mattsson", - "contact": [ - "https://www.drupal.org/user/521118" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-001.json b/advisories/core/DSA-CORE-2019-001.json deleted file mode 100644 index 39fa8b4d..00000000 --- a/advisories/core/DSA-CORE-2019-001.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-001", - "modified": "2022-08-21T19:42:50.000Z", - "published": "2019-01-16T17:17:11.000Z", - "aliases": [ - "CVE-2019-6338" - ], - "details": "Drupal core uses the third-party PEAR Archive\\_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to [CVE-2018-1000888](https://nvd.nist.gov/vuln/detail/CVE-2018-1000888) for details.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.62.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.62" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.5.9" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.5.9" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.6.0" - }, - { - "fixed": "8.6.6" - } - ], - "database_specific": { - "constraint": ">=8.6.0 <8.6.6" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.62 || >= 8.0.0 <8.5.9 || >=8.6.0 <8.6.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-001" - } - ], - "credits": [ - { - "name": "Ayesh Karunaratne", - "contact": [ - "https://www.drupal.org/user/796148" - ] - }, - { - "name": "farisv", - "contact": [ - "https://www.drupal.org/u/farisv" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-002.json b/advisories/core/DSA-CORE-2019-002.json deleted file mode 100644 index 3b05e398..00000000 --- a/advisories/core/DSA-CORE-2019-002.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-002", - "modified": "2022-08-21T19:41:44.000Z", - "published": "2019-01-16T17:17:12.000Z", - "aliases": [ - "CVE-2019-6339" - ], - "details": "A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.\n\nSome Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.\n\nThis vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.62.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.62" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.5.9" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.5.9" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.6.0" - }, - { - "fixed": "8.6.6" - } - ], - "database_specific": { - "constraint": ">=8.6.0 <8.6.6" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.62 || >= 8.0.0 <8.5.9 || >=8.6.0 <8.6.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-002" - } - ], - "credits": [ - { - "name": "Greg Knaddison", - "contact": [ - "https://www.drupal.org/user/36762" - ] - }, - { - "name": "Sam Thomas", - "contact": [ - "https://www.drupal.org/u/jazzy2fives" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-003.json b/advisories/core/DSA-CORE-2019-003.json deleted file mode 100644 index ceb93df2..00000000 --- a/advisories/core/DSA-CORE-2019-003.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-003", - "modified": "2022-08-21T19:40:55.000Z", - "published": "2019-02-20T19:18:48.000Z", - "aliases": [ - "CVE-2019-6340" - ], - "details": "Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.\n\nA site is only affected by this if one of the following conditions is met:\n\n* The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows **GET**, PATCH or POST requests, or\n* the site has another web services module enabled, like [JSON:API](https://www.drupal.org/project/jsonapi) in Drupal 8, or [Services](https://www.drupal.org/project/services) or [RESTful Web Services](https://www.drupal.org/project/restws) in Drupal 7.\n\n(*Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.*)\n\nUpdates\n-------\n\n* **2019-02-22**: Updated risk score given new information; see [PSA-2019-02-22](https://www.drupal.org/psa-2019-02-22). The security risk score has been updated to 23/25 as there are now known exploits in the wild. In addition, any enabled REST resource end-point, **even if it only accepts GET requests**, is also vulnerable. Note this does not include REST exports from Views module.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.5.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.5.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.6.0" - }, - { - "fixed": "8.6.10" - } - ], - "database_specific": { - "constraint": ">=8.6.0 <8.6.10" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.5.11 || >=8.6.0 <8.6.10" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-003" - } - ], - "credits": [ - { - "name": "Samuel Mortenson", - "contact": [ - "https://www.drupal.org/user/2582268" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-004.json b/advisories/core/DSA-CORE-2019-004.json deleted file mode 100644 index 8f3f6da0..00000000 --- a/advisories/core/DSA-CORE-2019-004.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-004", - "modified": "2022-08-21T19:40:19.000Z", - "published": "2019-03-20T16:08:16.000Z", - "aliases": [ - "CVE-2019-6341" - ], - "details": "Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.65.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.65" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.5.14" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.5.14" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.6.0" - }, - { - "fixed": "8.6.13" - } - ], - "database_specific": { - "constraint": ">=8.6.0 <8.6.13" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.65 || >= 8.0.0 <8.5.14 || >=8.6.0 <8.6.13" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-004" - } - ], - "credits": [ - { - "name": "Sam Thomas", - "contact": [ - "https://www.drupal.org/u/jazzy2fives" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-005.json b/advisories/core/DSA-CORE-2019-005.json deleted file mode 100644 index 438e4891..00000000 --- a/advisories/core/DSA-CORE-2019-005.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-005", - "modified": "2022-08-21T19:39:25.000Z", - "published": "2019-04-17T20:29:05.000Z", - "aliases": [], - "details": "This security release fixes third-party dependencies included in or required by Drupal core.\n\n* [CVE-2019-10909: Escape validation messages in the PHP templating engine](https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine). From that advisory: \n > Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.\n* [CVE-2019-10910: Check service IDs are valid](https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid). From that advisory:\n > Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.\n* [CVE-2019-10911: Add a separator in the remember me cookie hash](https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash). From that advisory:\n > This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.5.15" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.5.15" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.6.0" - }, - { - "fixed": "8.6.15" - } - ], - "database_specific": { - "constraint": ">=8.6.0 <8.6.15" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.5.15 || >=8.6.0 <8.6.15" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-005" - } - ], - "credits": [ - { - "name": "Michael Cullum", - "contact": [ - "https://www.drupal.org/user/2706987" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-006.json b/advisories/core/DSA-CORE-2019-006.json deleted file mode 100644 index 5e445f44..00000000 --- a/advisories/core/DSA-CORE-2019-006.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-006", - "modified": "2022-08-21T19:38:49.000Z", - "published": "2019-04-17T20:30:56.000Z", - "aliases": [ - "CVE-2019-11358" - ], - "details": "The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their [release notes](https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/):\n\n> jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable \\_\\_proto\\_\\_ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.\n\nIt's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as [jQuery Update](https://www.drupal.org/project/jquery_update).\n\n*2019-04-22, edited to add CVE.*", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.66.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.66" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.5.15" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.5.15" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.6.0" - }, - { - "fixed": "8.6.15" - } - ], - "database_specific": { - "constraint": ">=8.6.0 <8.6.15" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.66 || >= 8.0.0 <8.5.15 || >=8.6.0 <8.6.15" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-006" - } - ], - "credits": [ - { - "name": "dtv_rb", - "contact": [ - "https://www.drupal.org/user/3528196" - ] - }, - { - "name": "xjm", - "contact": [ - "https://www.drupal.org/user/65776" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-007.json b/advisories/core/DSA-CORE-2019-007.json deleted file mode 100644 index f5fdcdb4..00000000 --- a/advisories/core/DSA-CORE-2019-007.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-007", - "modified": "2022-08-21T19:30:38.000Z", - "published": "2019-05-08T16:56:58.000Z", - "aliases": [ - "CVE-2019-11831" - ], - "details": "This security release fixes third-party dependencies included in or required by Drupal core. As described in [TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor](https://typo3.org/security/advisory/typo3-psa-2019-007/):\n\n> In order to intercept file invocations like file\\_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]\n>\n> The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.\n\nThe known vulnerability in Drupal core requires the \"administer themes\" permission. However, additional vulnerabilities may exist in contributed or custom modules, so site should still update even if they do not grant this permission.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.67.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.67" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.6.16" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.6.16" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.7.0" - }, - { - "fixed": "8.7.1" - } - ], - "database_specific": { - "constraint": ">=8.7.0 <8.7.1" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.67 || >= 8.0.0 <8.6.16 || >=8.7.0 <8.7.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-007" - } - ], - "credits": [ - { - "name": "Daniel Le Gall", - "contact": [ - "https://www.drupal.org/user/3606561" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-008.json b/advisories/core/DSA-CORE-2019-008.json deleted file mode 100644 index a58f78cd..00000000 --- a/advisories/core/DSA-CORE-2019-008.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-008", - "modified": "2025-02-25T00:02:32.000Z", - "published": "2019-07-17T16:05:11.000Z", - "aliases": [ - "CVE-2019-6342" - ], - "details": "In Drupal 8.7.4, when the [experimental](https://www.drupal.org/core/experimental#beta) Workspaces module is enabled, an access bypass condition is created.\n\nThis can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.\n\nDrupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are **not** affected.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.7.4" - }, - { - "fixed": "8.7.5" - } - ], - "database_specific": { - "constraint": ">=8.7.4 <8.7.5" - } - } - ], - "database_specific": { - "affected_versions": ">=8.7.4 <8.7.5" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-008" - } - ], - "credits": [ - { - "name": "Dave Botsch", - "contact": [ - "https://www.drupal.org/user/3534164" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-009.json b/advisories/core/DSA-CORE-2019-009.json deleted file mode 100644 index 54a56b00..00000000 --- a/advisories/core/DSA-CORE-2019-009.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-009", - "modified": "2022-08-21T19:27:05.000Z", - "published": "2019-12-18T18:01:37.000Z", - "aliases": [], - "details": "A visit to `install.php` can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.7.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.7.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.8.0" - }, - { - "fixed": "8.8.1" - } - ], - "database_specific": { - "constraint": ">= 8.8.0 <8.8.1" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.7.11 || >= 8.8.0 <8.8.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-009" - } - ], - "credits": [ - { - "name": "Drew Webber", - "contact": [ - "https://www.drupal.org/user/255969" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-010.json b/advisories/core/DSA-CORE-2019-010.json deleted file mode 100644 index 91b4b8c2..00000000 --- a/advisories/core/DSA-CORE-2019-010.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-010", - "modified": "2022-08-21T19:26:37.000Z", - "published": "2019-12-18T18:07:15.000Z", - "aliases": [], - "details": "Drupal 8 core's `file_save_upload()` function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.\n\nUsers with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.\n\nAfter this fix, `file_save_upload()` now trims leading and trailing dots from filenames.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.7.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.7.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.8.0" - }, - { - "fixed": "8.8.1" - } - ], - "database_specific": { - "constraint": ">= 8.8.0 <8.8.1" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.7.11 || >= 8.8.0 <8.8.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-010" - } - ], - "credits": [ - { - "name": "Dan Reif", - "contact": [ - "https://www.drupal.org/user/454444" - ] - }, - { - "name": "Filipe Reis", - "contact": [ - "https://www.drupal.org/user/3521501" - ] - }, - { - "name": "Rohit Kapur", - "contact": [ - "https://www.drupal.org/user/3623849" - ] - }, - { - "name": "mramydnei", - "contact": [ - "https://www.drupal.org/user/3529990" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-011.json b/advisories/core/DSA-CORE-2019-011.json deleted file mode 100644 index 25702ff4..00000000 --- a/advisories/core/DSA-CORE-2019-011.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-011", - "modified": "2022-08-21T19:25:28.000Z", - "published": "2019-12-18T18:16:54.000Z", - "aliases": [], - "details": "The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.7.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.7.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.8.0" - }, - { - "fixed": "8.8.1" - } - ], - "database_specific": { - "constraint": ">= 8.8.0 <8.8.1" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.7.11 || >= 8.8.0 <8.8.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-011" - } - ], - "credits": [ - { - "name": "Adam G-H", - "contact": [ - "https://www.drupal.org/user/205645" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2019-012.json b/advisories/core/DSA-CORE-2019-012.json deleted file mode 100644 index cd3329d3..00000000 --- a/advisories/core/DSA-CORE-2019-012.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2019-012", - "modified": "2022-08-21T19:20:53.000Z", - "published": "2019-12-18T18:30:18.000Z", - "aliases": [], - "details": "The Drupal project uses the third-party library [Archive\\_Tar](https://pear.php.net/package/Archive_Tar/), which has released a security improvement that is needed to protect some Drupal configurations.\n\nMultiple vulnerabilities are possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2` or `.tlz` file uploads and processes them.\n\nThe latest versions of Drupal update `Archive_Tar` to 1.4.9 to mitigate the file processing vulnerabilities.\n\n*Edited to clarify the nature of the upstream release.*", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.69.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.69" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.7.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.7.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.8.0" - }, - { - "fixed": "8.8.1" - } - ], - "database_specific": { - "constraint": ">= 8.8.0 <8.8.1" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.69 || >= 8.0.0 <8.7.11 || >= 8.8.0 <8.8.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2019-012" - } - ], - "credits": [ - { - "name": "Jasper Mattsson", - "contact": [ - "https://www.drupal.org/user/521118" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-001.json b/advisories/core/DSA-CORE-2020-001.json deleted file mode 100644 index 21e6a7a6..00000000 --- a/advisories/core/DSA-CORE-2020-001.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-001", - "modified": "2022-08-21T19:15:20.000Z", - "published": "2020-03-18T17:07:36.000Z", - "aliases": [], - "details": "The Drupal project uses the third-party library [CKEditor](https://github.com/ckeditor/ckeditor4), which has released a [security improvement](https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-released/#security-issues-fixed) that is needed to protect some Drupal configurations.\n\nVulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.\n\nThe latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.7.12" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.7.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.8.0" - }, - { - "fixed": "8.8.4" - } - ], - "database_specific": { - "constraint": ">= 8.8.0 <8.8.4" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.7.12 || >= 8.8.0 <8.8.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-001" - } - ], - "credits": [] -} diff --git a/advisories/core/DSA-CORE-2020-002.json b/advisories/core/DSA-CORE-2020-002.json deleted file mode 100644 index 41ba2b68..00000000 --- a/advisories/core/DSA-CORE-2020-002.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-002", - "modified": "2022-08-21T19:19:09.000Z", - "published": "2020-05-20T15:18:53.000Z", - "aliases": [], - "details": "The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the [jQuery blog](https://blog.jquery.com/2020/05/04/jquery-3-5-1-released-fixing-a-regression/), both are\n\n> [...] security issues in jQuery\u2019s DOM manipulation methods, as in `.html()`, `.append()`, and the others. Security advisories for both of these issues have been published on GitHub.\n\nThose advisories are:\n\n* [CVE-2020-11022](https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2)\n* [CVE-2020-11023](https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6)\n\nThese vulnerabilities may be exploitable on some Drupal sites. This Drupal security release backports the fixes to the relevant jQuery functions, without making any other changes to the jQuery version that is included in Drupal core or running on the site via some other module such as [jQuery Update](https://www.drupal.org/project/jquery_update). It is not necessary to update jquery\\_update on Drupal 7 sites that have the module installed.\n\nBackwards-compatibility code has also been added to minimize regressions to Drupal sites that might rely on jQuery's prior behavior. With jQuery 3.5, incorrect self-closing HTML tags in JavaScript for elements where end tags are normally required will encounter [a change in what jQuery returns or inserts](https://jquery.com/upgrade-guide/3.5/#description-of-the-change). To minimize that disruption in 8.8.x and earlier, this security release retains jQuery's prior behavior for most safe tags. There may still be regressions for edge cases, including invalidly self-closed [custom elements](https://html.spec.whatwg.org/multipage/custom-elements.html) on Internet Explorer.\n\n(Note: the backwards compatibility layer will not be included in the upcoming Drupal 8.9 and 9.0 releases, so Drupal 8 and 9 modules, themes, and sites should correct tags in JavaScript to properly use closing tags.)\n\nIf you find a [regression](https://en.wikipedia.org/wiki/Software_regression) caused by the jQuery changes, please report it in [Drupal core's issue queue](https://www.drupal.org/project/issues/drupal) (or that of the relevant contrib project). However, if you believe you have found a security issue, please [report it privately to the Drupal Security Team](https://www.drupal.org/security-team/report-issue).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.70.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.70" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.7.14" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.7.14" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.8.0" - }, - { - "fixed": "8.8.6" - } - ], - "database_specific": { - "constraint": ">= 8.8.0 <8.8.6" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.70 || >= 8.0.0 <8.7.14 || >= 8.8.0 <8.8.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-002" - } - ], - "credits": [ - { - "name": "Drew Webber", - "contact": [ - "https://www.drupal.org/user/255969" - ] - }, - { - "name": "Emerson Jair Reis Oliveira da Silva", - "contact": [ - "https://www.drupal.org/user/3580914" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-003.json b/advisories/core/DSA-CORE-2020-003.json deleted file mode 100644 index 050886ed..00000000 --- a/advisories/core/DSA-CORE-2020-003.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-003", - "modified": "2022-08-21T19:13:36.000Z", - "published": "2020-05-20T15:22:09.000Z", - "aliases": [ - "CVE-2020-13662 " - ], - "details": "Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.\n\nThe vulnerability is caused by insufficient validation of the `destination` query parameter in the `drupal_goto()` function.\n\nOther versions of Drupal core are not vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.70.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.70" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.70" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-003" - } - ], - "credits": [ - { - "name": "vortfu", - "contact": [ - "https://www.drupal.org/user/3638636" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-004.json b/advisories/core/DSA-CORE-2020-004.json deleted file mode 100644 index 332ff4ad..00000000 --- a/advisories/core/DSA-CORE-2020-004.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-004", - "modified": "2022-08-21T19:12:56.000Z", - "published": "2020-06-17T18:03:06.000Z", - "aliases": [ - "CVE-2020-13663" - ], - "details": "The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.72.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.72" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.8.8" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.8.8" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.9.1" - } - ], - "database_specific": { - "constraint": ">= 8.9.0 <8.9.1" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.1" - } - ], - "database_specific": { - "constraint": ">=9.0.0 <9.0.1" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.72 || >= 8.0.0 <8.8.8 || >= 8.9.0 <8.9.1 || >=9.0.0 <9.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-004" - } - ], - "credits": [ - { - "name": "Dor Tumarkin", - "contact": [ - "https://www.drupal.org/user/3648639" - ] - }, - { - "name": "Samuel Mortenson", - "contact": [ - "https://www.drupal.org/user/2582268" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-005.json b/advisories/core/DSA-CORE-2020-005.json deleted file mode 100644 index fadad8bc..00000000 --- a/advisories/core/DSA-CORE-2020-005.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-005", - "modified": "2022-08-21T19:11:59.000Z", - "published": "2020-06-17T18:06:23.000Z", - "aliases": [ - "CVE-2020-13664" - ], - "details": "Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.\n\nAn attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.\n\nWindows servers are most likely to be affected.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.8.8" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.8.8" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.9.1" - } - ], - "database_specific": { - "constraint": ">= 8.9.0 <8.9.1" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.1" - } - ], - "database_specific": { - "constraint": ">=9.0.0 <9.0.1" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.8.8 || >= 8.9.0 <8.9.1 || >=9.0.0 <9.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-005" - } - ], - "credits": [ - { - "name": "Lorenzo G", - "contact": [ - "https://www.drupal.org/user/3644903" - ] - }, - { - "name": "Sam Thomas", - "contact": [ - "https://www.drupal.org/user/3603418" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-006.json b/advisories/core/DSA-CORE-2020-006.json deleted file mode 100644 index 152e3701..00000000 --- a/advisories/core/DSA-CORE-2020-006.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-006", - "modified": "2022-08-21T19:11:31.000Z", - "published": "2020-06-17T18:10:58.000Z", - "aliases": [ - "CVE-2020-13665 " - ], - "details": "JSON:API PATCH requests may bypass validation for certain fields.\n\nBy default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the `read_only` set to `FALSE` under `jsonapi.settings` config are vulnerable.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.8.8" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.8.8" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.9.1" - } - ], - "database_specific": { - "constraint": ">= 8.9.0 <8.9.1" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.1" - } - ], - "database_specific": { - "constraint": ">=9.0.0 <9.0.1" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.8.8 || >= 8.9.0 <8.9.1 || >=9.0.0 <9.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-006" - } - ], - "credits": [ - { - "name": "Sergii Bondarenko", - "contact": [ - "https://www.drupal.org/user/2802285" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-007.json b/advisories/core/DSA-CORE-2020-007.json deleted file mode 100644 index b31001b0..00000000 --- a/advisories/core/DSA-CORE-2020-007.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-007", - "modified": "2022-08-21T19:10:51.000Z", - "published": "2020-09-16T15:48:49.000Z", - "aliases": [ - "CVE-2020-13666" - ], - "details": "The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.73.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.73" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.8.10" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.8.10" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.9.6" - } - ], - "database_specific": { - "constraint": ">= 8.9.0 <8.9.6" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.6" - } - ], - "database_specific": { - "constraint": ">=9.0.0 <9.0.6" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.73 || >= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-007" - } - ], - "credits": [ - { - "name": "Samuel Mortenson", - "contact": [ - "https://www.drupal.org/user/2582268" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-008.json b/advisories/core/DSA-CORE-2020-008.json deleted file mode 100644 index 6548b215..00000000 --- a/advisories/core/DSA-CORE-2020-008.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-008", - "modified": "2022-08-21T19:08:18.000Z", - "published": "2020-09-16T16:32:12.000Z", - "aliases": [ - "CVE-2020-13667" - ], - "details": "The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.\n\nThe Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.\n\nThis vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.8.10" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.8.10" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.9.6" - } - ], - "database_specific": { - "constraint": ">= 8.9.0 <8.9.6" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.6" - } - ], - "database_specific": { - "constraint": ">=9.0.0 <9.0.6" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-008" - } - ], - "credits": [ - { - "name": "Andrei Mateescu", - "contact": [ - "https://www.drupal.org/user/729614" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-009.json b/advisories/core/DSA-CORE-2020-009.json deleted file mode 100644 index f7acb8fe..00000000 --- a/advisories/core/DSA-CORE-2020-009.json +++ /dev/null @@ -1,110 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-009", - "modified": "2022-08-21T19:09:38.000Z", - "published": "2020-09-16T16:11:00.000Z", - "aliases": [ - "CVE-2020-13688" - ], - "details": "Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.\n\nAn attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.8.10" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.8.10" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.9.6" - } - ], - "database_specific": { - "constraint": ">= 8.9.0 <8.9.6" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.6" - } - ], - "database_specific": { - "constraint": ">=9.0.0 <9.0.6" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-009" - } - ], - "credits": [ - { - "name": "Alejandro Garza", - "contact": [ - "https://www.drupal.org/user/153120" - ] - }, - { - "name": "Drew Webber", - "contact": [ - "https://www.drupal.org/user/255969" - ] - }, - { - "name": "Marc Addeo", - "contact": [ - "https://www.drupal.org/user/3312527" - ] - }, - { - "name": "Nathan Dentzau", - "contact": [ - "https://www.drupal.org/user/3444913" - ] - }, - { - "name": "Nuno Ramos", - "contact": [ - "https://www.drupal.org/user/3522063" - ] - }, - { - "name": "markwittens", - "contact": [ - "https://www.drupal.org/user/567198" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-010.json b/advisories/core/DSA-CORE-2020-010.json deleted file mode 100644 index 7045a02d..00000000 --- a/advisories/core/DSA-CORE-2020-010.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-010", - "modified": "2022-08-21T19:09:00.000Z", - "published": "2020-09-16T16:31:01.000Z", - "aliases": [ - "CVE-2020-13669" - ], - "details": "Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.8.10" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.8.10" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.9.6" - } - ], - "database_specific": { - "constraint": ">= 8.9.0 <8.9.6" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.6" - } - ], - "database_specific": { - "constraint": ">=9.0.0 <9.0.6" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-010" - } - ], - "credits": [ - { - "name": "Dor Tumarkin", - "contact": [ - "https://www.drupal.org/user/3648639" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-011.json b/advisories/core/DSA-CORE-2020-011.json deleted file mode 100644 index ebf2e928..00000000 --- a/advisories/core/DSA-CORE-2020-011.json +++ /dev/null @@ -1,110 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-011", - "modified": "2022-08-21T19:07:45.000Z", - "published": "2020-09-16T16:45:26.000Z", - "aliases": [ - "CVE-2020-13670" - ], - "details": "A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.8.10" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.8.10" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.9.6" - } - ], - "database_specific": { - "constraint": ">= 8.9.0 <8.9.6" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.6" - } - ], - "database_specific": { - "constraint": ">=9.0.0 <9.0.6" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.8.10 || >= 8.9.0 <8.9.6 || >=9.0.0 <9.0.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-011" - } - ], - "credits": [ - { - "name": "David Rothstein", - "contact": [ - "https://www.drupal.org/user/124982" - ] - }, - { - "name": "Ivan", - "contact": [ - "https://www.drupal.org/user/556138" - ] - }, - { - "name": "Mori Sugimoto", - "contact": [ - "https://www.drupal.org/user/82971" - ] - }, - { - "name": "elarlang", - "contact": [ - "https://www.drupal.org/user/3583903" - ] - }, - { - "name": "kyk", - "contact": [ - "https://www.drupal.org/user/29822" - ] - }, - { - "name": "njbooher", - "contact": [ - "https://www.drupal.org/u/njbooher" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-012.json b/advisories/core/DSA-CORE-2020-012.json deleted file mode 100644 index 0f8e87f7..00000000 --- a/advisories/core/DSA-CORE-2020-012.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-012", - "modified": "2022-08-21T19:06:52.000Z", - "published": "2020-11-18T17:18:31.000Z", - "aliases": [ - "CVE-2020-13671" - ], - "details": "*Update November 18: Documented longer list of dangerous file extensions*\n\nDrupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.74.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.74" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.8.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.8.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.9.9" - } - ], - "database_specific": { - "constraint": ">= 8.9.0 <8.9.9" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.8" - } - ], - "database_specific": { - "constraint": ">=9.0.0 <9.0.8" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.74 || >= 8.0.0 <8.8.11 || >= 8.9.0 <8.9.9 || >=9.0.0 <9.0.8" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-012" - } - ], - "credits": [ - { - "name": "Derek Wright", - "contact": [ - "https://www.drupal.org/user/46549" - ] - }, - { - "name": "Fr\u00e9d\u00e9ric G. Marand", - "contact": [ - "https://www.drupal.org/user/27985" - ] - }, - { - "name": "Mark Ferree", - "contact": [ - "https://www.drupal.org/user/76245" - ] - }, - { - "name": "Samuel Mortenson", - "contact": [ - "https://www.drupal.org/user/2582268" - ] - }, - { - "name": "ufku", - "contact": [ - "https://www.drupal.org/user/9910" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2020-013.json b/advisories/core/DSA-CORE-2020-013.json deleted file mode 100644 index 09a1f50b..00000000 --- a/advisories/core/DSA-CORE-2020-013.json +++ /dev/null @@ -1,95 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2020-013", - "modified": "2022-08-21T19:06:25.000Z", - "published": "2020-11-25T23:57:48.000Z", - "aliases": [ - "CVE-2020-28949", - "CVE-2020-28948" - ], - "details": "The Drupal project uses the PEAR Archive\\_Tar library. The PEAR Archive\\_Tar library has released a security update that impacts Drupal. For more information please see:\n\n* [CVE-2020-28948](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948)\n* [CVE-2020-28949](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949)\n\nMultiple vulnerabilities are possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2`, or `.tlz` file uploads and processes them.\n\n**To mitigate this issue, prevent untrusted users from uploading `.tar`, `.tar.gz`, `.bz2`, or `.tlz` files.**\n\nThis is a different issue than [SA-CORE-2019-012](https://www.drupal.org/sa-core-2019-012). Similar configuration changes may mitigate the problem until you are able to patch.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.75.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.75" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.8.12" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.8.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.9.10" - } - ], - "database_specific": { - "constraint": ">= 8.9.0 <8.9.10" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.9" - } - ], - "database_specific": { - "constraint": ">=9.0.0 <9.0.9" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.75 || >= 8.0.0 <8.8.12 || >= 8.9.0 <8.9.10 || >=9.0.0 <9.0.9" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2020-013" - } - ], - "credits": [ - { - "name": "Luke Stewart", - "contact": [ - "https://www.drupal.org/user/3564081" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-001.json b/advisories/core/DSA-CORE-2021-001.json deleted file mode 100644 index e6515de6..00000000 --- a/advisories/core/DSA-CORE-2021-001.json +++ /dev/null @@ -1,110 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-001", - "modified": "2022-08-21T19:04:14.000Z", - "published": "2021-01-20T17:10:55.000Z", - "aliases": [], - "details": "The Drupal project uses the pear Archive\\_Tar library, which has released a security update that impacts Drupal. For more information please see:\n\n* [CVE-2020-36193](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193)\n\nExploits may be possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2`, or `.tlz` file uploads and processes them.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.78.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.78" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.13" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.11" - } - ], - "database_specific": { - "constraint": ">= 9.0.0 <9.0.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.3" - } - ], - "database_specific": { - "constraint": ">=9.1.0 <9.1.3" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.78 || >= 8.0.0 <8.9.13 || >= 9.0.0 <9.0.11 || >=9.1.0 <9.1.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-001" - } - ], - "credits": [ - { - "name": "Jonathan Danaher", - "contact": [ - "https://www.drupal.org/user/1771466" - ] - }, - { - "name": "Kim Pepper", - "contact": [ - "https://www.drupal.org/user/370574" - ] - }, - { - "name": "Richard Sheppard", - "contact": [ - "https://www.drupal.org/user/55284" - ] - }, - { - "name": "Stephen Cross", - "contact": [ - "https://www.drupal.org/user/2485138" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-002.json b/advisories/core/DSA-CORE-2021-002.json deleted file mode 100644 index 1f0a6206..00000000 --- a/advisories/core/DSA-CORE-2021-002.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-002", - "modified": "2022-08-21T19:03:20.000Z", - "published": "2021-04-21T15:58:22.000Z", - "aliases": [ - "CVE-2020-13672" - ], - "details": "Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.\n\nNot all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.80.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.80" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.14" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.14" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.12" - } - ], - "database_specific": { - "constraint": ">= 9.0.0 <9.0.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.7" - } - ], - "database_specific": { - "constraint": ">=9.1.0 <9.1.7" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.80 || >= 8.0.0 <8.9.14 || >= 9.0.0 <9.0.12 || >=9.1.0 <9.1.7" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-002" - } - ], - "credits": [ - { - "name": "Jasper Mattsson", - "contact": [ - "https://www.drupal.org/user/521118" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-003.json b/advisories/core/DSA-CORE-2021-003.json deleted file mode 100644 index bc3d8066..00000000 --- a/advisories/core/DSA-CORE-2021-003.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-003", - "modified": "2022-08-21T19:01:54.000Z", - "published": "2021-05-26T18:33:55.000Z", - "aliases": [ - "CVE-2021-33829" - ], - "details": "**Update: 2021-06-11: Added CVE-2021-33829 identifier**\n\nDrupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix.\n\nUpdate: 2021-06-11: More details are available on [CKEditor's blog](https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser).\n\nUsers of the CKEditor library via means other than Drupal core should update their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal Security Team policy is not to alert for issues affecting 3rd party libraries unless those are shipped with Drupal core. See [DRUPAL-SA-PSA-2016-004 for more details](https://www.drupal.org/psa-2016-004).\n\nThis issue is mitigated by the fact that it only affects sites with CKEditor enabled.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.16" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.16" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.0.14" - } - ], - "database_specific": { - "constraint": ">= 9.0.0 <9.0.14" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.9" - } - ], - "database_specific": { - "constraint": ">=9.1.0 <9.1.9" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.9.16 || >= 9.0.0 <9.0.14 || >=9.1.0 <9.1.9" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-003" - } - ], - "credits": [ - { - "name": "Or Sahar", - "contact": [ - "https://www.drupal.org/user/3676145" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-004.json b/advisories/core/DSA-CORE-2021-004.json deleted file mode 100644 index 133c5362..00000000 --- a/advisories/core/DSA-CORE-2021-004.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-004", - "modified": "2022-08-21T19:00:32.000Z", - "published": "2021-07-21T15:59:27.000Z", - "aliases": [ - "CVE-2021-32610" - ], - "details": "The Drupal project uses the pear Archive\\_Tar library, which has released a security update that impacts Drupal.\n\nThe vulnerability is mitigated by the fact that Drupal core's use of the Archive\\_Tar library is not vulnerable, as it does not permit symlinks.\n\nExploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.82.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.82" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.17" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.17" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.11" - } - ], - "database_specific": { - "constraint": ">= 9.1.0 <9.1.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.2.0" - }, - { - "fixed": "9.2.2" - } - ], - "database_specific": { - "constraint": ">=9.2.0 <9.2.2" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.82 || >= 8.0.0 <8.9.17 || >= 9.1.0 <9.1.11 || >=9.2.0 <9.2.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-004" - } - ], - "credits": [ - { - "name": "Drew Webber", - "contact": [ - "https://www.drupal.org/user/255969" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-005.json b/advisories/core/DSA-CORE-2021-005.json deleted file mode 100644 index e7d2be64..00000000 --- a/advisories/core/DSA-CORE-2021-005.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-005", - "modified": "2022-08-21T18:59:16.000Z", - "published": "2021-08-12T18:08:50.000Z", - "aliases": [], - "details": "The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4), library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/blog/ckeditor-4.16.2-with-browser-improvements-and-security-fixes/).\n\nVulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.\n\nFor more information, see [CKEditor's announcement of the release](https://ckeditor.com/blog/ckeditor-4.16.2-with-browser-improvements-and-security-fixes/).\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.18" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.18" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.12" - } - ], - "database_specific": { - "constraint": ">= 9.1.0 <9.1.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.2.0" - }, - { - "fixed": "9.2.4" - } - ], - "database_specific": { - "constraint": ">=9.2.0 <9.2.4" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.9.18 || >= 9.1.0 <9.1.12 || >=9.2.0 <9.2.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-005" - } - ], - "credits": [ - { - "name": "Krzysztof Krzton", - "contact": [ - "https://www.drupal.org/user/3618903" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-006.json b/advisories/core/DSA-CORE-2021-006.json deleted file mode 100644 index 4c0fa4f0..00000000 --- a/advisories/core/DSA-CORE-2021-006.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-006", - "modified": "2022-08-21T18:58:15.000Z", - "published": "2021-09-15T15:18:26.000Z", - "aliases": [ - "CVE-2020-13673" - ], - "details": "The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.\n\nThis advisory is not covered by [Drupal Steward](/steward).\n\nAlso see [Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028](https://www.drupal.org/sa-contrib-2021-028) which addresses a similar vulnerability for that module.\n\n*Updated 18:15 UTC to clarify text.*", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.19" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.19" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.13" - } - ], - "database_specific": { - "constraint": ">= 9.1.0 <9.1.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.2.0" - }, - { - "fixed": "9.2.6" - } - ], - "database_specific": { - "constraint": ">=9.2.0 <9.2.6" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-006" - } - ], - "credits": [ - { - "name": "Aaron Zinck", - "contact": [ - "https://www.drupal.org/user/518662" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-007.json b/advisories/core/DSA-CORE-2021-007.json deleted file mode 100644 index f35e5762..00000000 --- a/advisories/core/DSA-CORE-2021-007.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-007", - "modified": "2022-08-21T18:57:29.000Z", - "published": "2021-09-15T15:20:39.000Z", - "aliases": [ - "CVE-2020-13674" - ], - "details": "The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.\n\nSites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the \"access in-place editing\" permission from untrusted users **will not** fully mitigate the vulnerability.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.19" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.19" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.13" - } - ], - "database_specific": { - "constraint": ">= 9.1.0 <9.1.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.2.0" - }, - { - "fixed": "9.2.6" - } - ], - "database_specific": { - "constraint": ">=9.2.0 <9.2.6" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-007" - } - ], - "credits": [ - { - "name": "Samuel Mortenson", - "contact": [ - "https://www.drupal.org/user/2582268" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-008.json b/advisories/core/DSA-CORE-2021-008.json deleted file mode 100644 index 65ff3bbb..00000000 --- a/advisories/core/DSA-CORE-2021-008.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-008", - "modified": "2022-08-21T18:57:18.000Z", - "published": "2021-09-15T15:22:27.000Z", - "aliases": [ - "CVE-2020-13675" - ], - "details": "Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.\n\nThis vulnerability is mitigated by three factors:\n\n1. The JSON:API or REST File upload modules must be enabled on the site.\n2. An attacker must have access to a file upload via JSON:API or REST.\n3. The site must employ a file validation module.\n\nThis advisory is not covered by [Drupal Steward](/steward).\n\nAlso see [GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2021-029](https://www.drupal.org/sa-contrib-2021-029) which addresses a similar vulnerability for that module.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.19" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.19" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.13" - } - ], - "database_specific": { - "constraint": ">= 9.1.0 <9.1.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.2.0" - }, - { - "fixed": "9.2.6" - } - ], - "database_specific": { - "constraint": ">=9.2.0 <9.2.6" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-008" - } - ], - "credits": [ - { - "name": "Klaus Purer", - "contact": [ - "https://www.drupal.org/user/262198" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-009.json b/advisories/core/DSA-CORE-2021-009.json deleted file mode 100644 index 9f9f9339..00000000 --- a/advisories/core/DSA-CORE-2021-009.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-009", - "modified": "2022-08-21T18:57:01.000Z", - "published": "2021-09-15T15:23:43.000Z", - "aliases": [ - "CVE-2020-13676" - ], - "details": "The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data.\n\nSites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.19" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.19" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.13" - } - ], - "database_specific": { - "constraint": ">= 9.1.0 <9.1.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.2.0" - }, - { - "fixed": "9.2.6" - } - ], - "database_specific": { - "constraint": ">=9.2.0 <9.2.6" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-009" - } - ], - "credits": [ - { - "name": "Greg Watson", - "contact": [ - "https://www.drupal.org/user/2212910" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-010.json b/advisories/core/DSA-CORE-2021-010.json deleted file mode 100644 index 49f3d3c5..00000000 --- a/advisories/core/DSA-CORE-2021-010.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-010", - "modified": "2022-08-21T18:56:18.000Z", - "published": "2021-09-15T15:25:10.000Z", - "aliases": [ - "CVE-2020-13677" - ], - "details": "Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.\n\nSites that do not have the JSON:API module enabled are not affected.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.19" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.19" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.13" - } - ], - "database_specific": { - "constraint": ">= 9.1.0 <9.1.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.2.0" - }, - { - "fixed": "9.2.6" - } - ], - "database_specific": { - "constraint": ">=9.2.0 <9.2.6" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-010" - } - ], - "credits": [ - { - "name": "Brad Jones", - "contact": [ - "https://www.drupal.org/user/405824" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2021-011.json b/advisories/core/DSA-CORE-2021-011.json deleted file mode 100644 index f2f30759..00000000 --- a/advisories/core/DSA-CORE-2021-011.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2021-011", - "modified": "2022-08-21T18:55:20.000Z", - "published": "2021-11-17T21:28:49.000Z", - "aliases": [], - "details": "The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/cke4/release/CKEditor-4.17.0), along with a [hotfix for that update](https://ckeditor.com/cke4/release/CKEditor-4.17.1).\n\nVulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.\n\nFor more information, see CKEditor's security advisories:\n\n* [CVE-2021-41165: HTML comments vulnerability allowing to execute JavaScript code](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2)\n* [CVE-2021-41164: Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj)\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.9.20" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <8.9.20" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.1.14" - } - ], - "database_specific": { - "constraint": ">= 9.1.0 <9.1.14" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.2.0" - }, - { - "fixed": "9.2.9" - } - ], - "database_specific": { - "constraint": ">=9.2.0 <9.2.9" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <8.9.20 || >= 9.1.0 <9.1.14 || >=9.2.0 <9.2.9" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2021-011" - } - ], - "credits": [ - { - "name": "Jacek Bogda\u0144ski", - "contact": [ - "https://www.drupal.org/user/3683355" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-001.json b/advisories/core/DSA-CORE-2022-001.json deleted file mode 100644 index 760b713a..00000000 --- a/advisories/core/DSA-CORE-2022-001.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-001", - "modified": "2022-08-21T18:53:57.000Z", - "published": "2022-01-19T17:20:38.000Z", - "aliases": [], - "details": "jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.\n\nLate in 2021, jQuery UI announced that they would be continuing development, and released a [jQuery UI 1.13.0](https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/) version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:\n\n* CVE-2021-41184: [XSS in the `of` option of the `.position()` util](https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327)\n\nIt is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site description issue, without making any of the other changes to the jQuery version that is included in Drupal.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.86.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.86" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.2.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.2.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.3.0" - }, - { - "fixed": "9.3.3" - } - ], - "database_specific": { - "constraint": ">= 9.3.0 <9.3.3" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.86 || >= 8.0.0 <9.2.11 || >= 9.3.0 <9.3.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-001" - } - ], - "credits": [ - { - "name": "Lauri Eskola", - "contact": [ - "https://www.drupal.org/user/1078742" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-002.json b/advisories/core/DSA-CORE-2022-002.json deleted file mode 100644 index 658b0cfc..00000000 --- a/advisories/core/DSA-CORE-2022-002.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-002", - "modified": "2022-08-21T18:53:10.000Z", - "published": "2022-01-19T17:27:57.000Z", - "aliases": [], - "details": "jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.\n\nLate in 2021, jQuery UI announced that they would be continuing development, and released a [jQuery UI 1.13.0](https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/) version. In addition to the issue covered by [SA-CORE-2022-001](/sa-core-2022-001), further security vulnerabilities disclosed in jQuery UI 1.13.0 may affect Drupal 7 only:\n\n* CVE-2021-41182: [XSS in the altField option of the Datepicker widget](https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc)\n* CVE-2021-41183: [XSS in \\*Text options of the Datepicker widget](https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4)\n\nFurthermore, other vulnerabilities listed below were previously unaddressed in the version of jQuery UI included in Drupal 7 or in the [jQuery Update](/project/jquery_update) module:\n\n* CVE-2016-7103: [XSS in closeText option of Dialog](https://nvd.nist.gov/vuln/detail/CVE-2016-7103)\n* CVE-2010-5312: [XSS in the title option of Dialog](https://nvd.nist.gov/vuln/detail/CVE-2010-5312) (applicable only to the jQuery UI version included in D7 core)\n\nIt is possible that these vulnerabilities are exploitable via contributed Drupal modules or custom code. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issues, without making other changes to the jQuery UI version that is included in Drupal.\n\nThis advisory is not covered by [Drupal Steward](/steward).\n\n### Important note regarding the jQuery Update contrib module\n\nThese backport fixes in D7 have also been tested with the version of jQuery UI provided by the most recent releases of the jQuery Update module (jQuery UI 1.10.2) and the fixes confirmed. Therefore, there is no accompanying security release for jQuery Update.\n\nHowever, in early 2022 the currently supported release of jQuery Update (7.x-2.7 from 2015) will be deprecated and replaced by a new release from the 7.x-4.x branch. The stable release from that branch will then be the only release considered by Drupal Security Team when new jQuery security issues arise.\n\nPlease check the [jQuery Update project page](/project/jquery_update) for more details, and for announcements when the changes are made to supported releases.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "last_affected": "7.86.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <=7.86" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <=7.86", - "patched": true - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-002" - } - ], - "credits": [ - { - "name": "Lauri Eskola", - "contact": [ - "https://www.drupal.org/user/1078742" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-003.json b/advisories/core/DSA-CORE-2022-003.json deleted file mode 100644 index 2027ce35..00000000 --- a/advisories/core/DSA-CORE-2022-003.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-003", - "modified": "2022-08-21T18:52:28.000Z", - "published": "2022-02-16T16:43:20.000Z", - "aliases": [ - "CVE-2022-25271" - ], - "details": "Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.88.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.88" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.2.13" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.2.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.3.0" - }, - { - "fixed": "9.3.6" - } - ], - "database_specific": { - "constraint": ">= 9.3.0 <9.3.6" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.88 || >= 8.0.0 <9.2.13 || >= 9.3.0 <9.3.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-003" - } - ], - "credits": [ - { - "name": "Fabian Iwand", - "contact": [ - "https://www.drupal.org/user/1632364" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-004.json b/advisories/core/DSA-CORE-2022-004.json deleted file mode 100644 index 6a908d5b..00000000 --- a/advisories/core/DSA-CORE-2022-004.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-004", - "modified": "2022-08-21T18:51:53.000Z", - "published": "2022-02-16T16:46:24.000Z", - "aliases": [ - "CVE-2022-25270" - ], - "details": "The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the \"access in-place editing\" permission viewing some content they are are not authorized to access.\n\nSites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.\n\nAlso see [Quick Edit - Moderately critical - Information disclosure - SA-CONTRIB-2022-025](https://www.drupal.org/sa-contrib-2022-025) which addresses the same vulnerability for the contributed module.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.2.13" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.2.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.3.0" - }, - { - "fixed": "9.3.6" - } - ], - "database_specific": { - "constraint": ">= 9.3.0 <9.3.6" - } - } - ], - "database_specific": { - "affected_versions": " >= 8.0.0 <9.2.13 || >= 9.3.0 <9.3.6" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-004" - } - ], - "credits": [ - { - "name": "Samuel Mortenson", - "contact": [ - "https://www.drupal.org/user/2582268" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-005.json b/advisories/core/DSA-CORE-2022-005.json deleted file mode 100644 index 4396d444..00000000 --- a/advisories/core/DSA-CORE-2022-005.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-005", - "modified": "2022-08-21T18:48:49.000Z", - "published": "2022-03-16T16:10:34.000Z", - "aliases": [ - "CVE-2022-24728", - "CVE-2022-24729" - ], - "details": "The Drupal project uses the [CKEditor](https://github.com/ckeditor/ckeditor4) library for WYSIWYG editing. CKEditor has released [a security update that impacts Drupal](https://ckeditor.com/blog/ckeditor-4.18.0-browser-bugfix-and-security-patches/).\n\nVulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.\n\nFor more information, see CKEditor's security advisories:\n\n* [CVE-2022-24728: HTML processing vulnerability allowing to execute JavaScript code](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89)\n* [CVE-2022-24729: Regular expression Denial of Service in dialog plugin](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh)\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.2.15" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.2.15" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.3.0" - }, - { - "fixed": "9.3.8" - } - ], - "database_specific": { - "constraint": ">= 9.3.0 <9.3.8" - } - } - ], - "database_specific": { - "affected_versions": " >= 8.0.0 <9.2.15 || >= 9.3.0 <9.3.8" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-005" - } - ], - "credits": [ - { - "name": "Jacek Bogda\u0144ski", - "contact": [ - "https://www.drupal.org/user/3683355" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-006.json b/advisories/core/DSA-CORE-2022-006.json deleted file mode 100644 index e8167f82..00000000 --- a/advisories/core/DSA-CORE-2022-006.json +++ /dev/null @@ -1,72 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-006", - "modified": "2022-08-21T18:48:04.000Z", - "published": "2022-03-21T21:39:35.000Z", - "aliases": [ - "CVE-2022-24775" - ], - "details": "Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. [Guzzle has released a security update](https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96) which may affect some Drupal sites.\n\nWe are issuing this security advisory outside our regular [Drupal security release window schedule](https://www.drupal.org/node/1173280) since Guzzle has already published information about the vulnerability, and vulnerabilities might exist with core, contributed modules, or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as low-risk.\n\nThis advisory is not covered by Drupal Steward.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.2.16" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.2.16" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.3.0" - }, - { - "fixed": "9.3.9" - } - ], - "database_specific": { - "constraint": ">= 9.3.0 <9.3.9" - } - } - ], - "database_specific": { - "affected_versions": " >= 8.0.0 <9.2.16 || >= 9.3.0 <9.3.9" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-006" - } - ], - "credits": [ - { - "name": "Damien McKenna", - "contact": [ - "https://www.drupal.org/user/108450" - ] - }, - { - "name": "Jeroen Tubex", - "contact": [ - "https://www.drupal.org/user/2228934" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-008.json b/advisories/core/DSA-CORE-2022-008.json deleted file mode 100644 index e74da8b5..00000000 --- a/advisories/core/DSA-CORE-2022-008.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-008", - "modified": "2022-08-21T18:46:33.000Z", - "published": "2022-04-20T15:04:23.000Z", - "aliases": [ - "CVE-2022-25273" - ], - "details": "Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.\n\nWe do not know of affected forms within core itself, but contributed and custom project forms could be affected. Installing this update will fix those forms.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.2.18" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.2.18" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.3.0" - }, - { - "fixed": "9.3.12" - } - ], - "database_specific": { - "constraint": ">= 9.3.0 <9.3.12" - } - } - ], - "database_specific": { - "affected_versions": " >= 8.0.0 <9.2.18 || >= 9.3.0 <9.3.12" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-008" - } - ], - "credits": [ - { - "name": "Dezs\u0151 BICZ\u00d3", - "contact": [ - "https://www.drupal.org/user/315522" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-009.json b/advisories/core/DSA-CORE-2022-009.json deleted file mode 100644 index 6ecf9172..00000000 --- a/advisories/core/DSA-CORE-2022-009.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-009", - "modified": "2022-08-21T18:45:59.000Z", - "published": "2022-04-20T15:07:29.000Z", - "aliases": [ - "CVE-2022-25274" - ], - "details": "Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.\n\nThis vulnerability only affects sites using Drupal's revision system.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.3.0" - }, - { - "fixed": "9.3.12" - } - ], - "database_specific": { - "constraint": ">= 9.3.0 <9.3.12" - } - } - ], - "database_specific": { - "affected_versions": ">= 9.3.0 <9.3.12" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-009" - } - ], - "credits": [ - { - "name": "Kristiaan Van den Eynde", - "contact": [ - "https://www.drupal.org/user/1345130" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-010.json b/advisories/core/DSA-CORE-2022-010.json deleted file mode 100644 index 646a90f6..00000000 --- a/advisories/core/DSA-CORE-2022-010.json +++ /dev/null @@ -1,72 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-010", - "modified": "2022-08-21T18:45:29.000Z", - "published": "2022-05-25T19:39:01.000Z", - "aliases": [ - "CVE-2022-29248" - ], - "details": "Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. [Guzzle has released a security update](https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3) which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.\n\nWe are issuing this security advisory outside our regular [Drupal security release window schedule](https://www.drupal.org/node/1173280) since Guzzle has already published information about the vulnerability, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as high-risk.\n\nThis advisory is not covered by Drupal Steward.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.2.20" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.2.20" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.3.0" - }, - { - "fixed": "9.3.14" - } - ], - "database_specific": { - "constraint": ">= 9.3.0 <9.3.14" - } - } - ], - "database_specific": { - "affected_versions": " >= 8.0.0 <9.2.20 || >= 9.3.0 <9.3.14" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-010" - } - ], - "credits": [ - { - "name": "Dezs\u0151 BICZ\u00d3", - "contact": [ - "https://www.drupal.org/user/315522" - ] - }, - { - "name": "mayela", - "contact": [ - "https://www.drupal.org/user/3351026" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-011.json b/advisories/core/DSA-CORE-2022-011.json deleted file mode 100644 index e3417af6..00000000 --- a/advisories/core/DSA-CORE-2022-011.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-011", - "modified": "2022-08-21T18:43:31.000Z", - "published": "2022-06-10T19:39:02.000Z", - "aliases": [ - "CVE-2022-31042", - "CVE-2022-31043" - ], - "details": "*Updated 22:00 UTC 2022-06-10: Added steps to update without `drupal/core-recommended`.*\n\nDrupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:\n\n* [Failure to strip the Cookie header on change in host or HTTP downgrade](https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9)\n* [Fix failure to strip Authorization header on HTTP downgrade](https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q)\n\nThese do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.\n\nWe are issuing this security advisory outside our regular [Drupal security release window schedule](https://www.drupal.org/node/1173280) since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated these vulnerabilities as high-risk.\n\nThis advisory is not covered by Drupal Steward.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.2.21" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.2.21" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.3.0" - }, - { - "fixed": "9.3.16" - } - ], - "database_specific": { - "constraint": ">= 9.3.0 <9.3.16" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <9.2.21 || >= 9.3.0 <9.3.16" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-011" - } - ], - "credits": [ - { - "name": "GHaddon", - "contact": [ - "https://www.drupal.org/user/1507580" - ] - }, - { - "name": "Jeroen Tubex", - "contact": [ - "https://www.drupal.org/user/2228934" - ] - }, - { - "name": "Yasen Ivanov", - "contact": [ - "https://www.drupal.org/user/3513564" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-012.json b/advisories/core/DSA-CORE-2022-012.json deleted file mode 100644 index a4914750..00000000 --- a/advisories/core/DSA-CORE-2022-012.json +++ /dev/null @@ -1,86 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-012", - "modified": "2022-08-21T18:23:29.000Z", - "published": "2022-07-20T15:34:05.000Z", - "aliases": [ - "CVE-2022-25275" - ], - "details": "In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.\n\nAccess to a non-public file is checked only if it is stored in the \"private\" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.\n\nThis vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) `$config['image.settings']['allow_insecure_derivatives']` or (Drupal 7) `$conf['image_allow_insecure_derivatives']` to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.\n\nSome sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.91.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.91" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.3.19" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.3.19" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.4.0" - }, - { - "fixed": "9.4.3" - } - ], - "database_specific": { - "constraint": ">= 9.4.0 <9.4.3" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.91 || >= 8.0.0 <9.3.19 || >= 9.4.0 <9.4.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-012" - } - ], - "credits": [ - { - "name": "Conrad Lara", - "contact": [ - "https://www.drupal.org/user/1790054" - ] - }, - { - "name": "Guy Elsmore-Paddock", - "contact": [ - "https://www.drupal.org/user/156932" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-013.json b/advisories/core/DSA-CORE-2022-013.json deleted file mode 100644 index 32c09097..00000000 --- a/advisories/core/DSA-CORE-2022-013.json +++ /dev/null @@ -1,72 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-013", - "modified": "2025-01-21T04:17:41.000Z", - "published": "2022-07-20T15:35:43.000Z", - "aliases": [ - "CVE-2022-25278" - ], - "details": "Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.\n\nNo forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.3.19" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.3.19" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.4.0" - }, - { - "fixed": "9.4.3" - } - ], - "database_specific": { - "constraint": ">= 9.4.0 <9.4.3" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <9.3.19 || >= 9.4.0 <9.4.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-013" - } - ], - "credits": [ - { - "name": "Pierre Rudloff", - "contact": [ - "https://www.drupal.org/user/3611858" - ] - }, - { - "name": "Ted Bowman", - "contact": [ - "https://www.drupal.org/user/240860" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-014.json b/advisories/core/DSA-CORE-2022-014.json deleted file mode 100644 index 00c78659..00000000 --- a/advisories/core/DSA-CORE-2022-014.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-014", - "modified": "2022-08-21T18:22:47.000Z", - "published": "2022-07-20T15:40:05.000Z", - "aliases": [ - "CVE-2022-25277" - ], - "details": "*Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers.*\n\nDrupal core sanitizes filenames with dangerous extensions upon upload (reference: [SA-CORE-2020-012](https://www.drupal.org/sa-core-2020-012)) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: [SA-CORE-2019-010](https://www.drupal.org/sa-core-2019-010)).\n\nHowever, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an `htaccess` extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default `.htaccess` files and possible remote code execution on Apache web servers.\n\nThis issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow `htaccess` as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.3.19" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.3.19" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.4.0" - }, - { - "fixed": "9.4.3" - } - ], - "database_specific": { - "constraint": ">= 9.4.0 <9.4.3" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <9.3.19 || >= 9.4.0 <9.4.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-014" - } - ], - "credits": [ - { - "name": "Elar Lang", - "contact": [ - "https://www.drupal.org/user/3583903" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-015.json b/advisories/core/DSA-CORE-2022-015.json deleted file mode 100644 index 7a98a132..00000000 --- a/advisories/core/DSA-CORE-2022-015.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-015", - "modified": "2022-08-21T18:22:56.000Z", - "published": "2022-07-20T15:41:37.000Z", - "aliases": [ - "CVE-2022-25276" - ], - "details": "The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.3.19" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.3.19" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.4.0" - }, - { - "fixed": "9.4.3" - } - ], - "database_specific": { - "constraint": ">= 9.4.0 <9.4.3" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <9.3.19 || >= 9.4.0 <9.4.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-015" - } - ], - "credits": [ - { - "name": "Heine", - "contact": [ - "https://www.drupal.org/user/17943" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2022-016.json b/advisories/core/DSA-CORE-2022-016.json deleted file mode 100644 index 604b539d..00000000 --- a/advisories/core/DSA-CORE-2022-016.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2022-016", - "modified": "2022-09-29T21:45:51.000Z", - "published": "2022-09-28T16:24:08.000Z", - "aliases": [ - "CVE-2022-39261" - ], - "details": "Drupal uses the [Twig](https://twig.symfony.com/) third-party library for content templating and sanitization. [Twig has released a security update](https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader) that affects Drupal. Twig has rated the vulnerability as high severity.\n\nDrupal core's code extending Twig has also been updated to mitigate a related vulnerability.\n\nMultiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.\n\nThe vulnerability is mitigated by the fact that an exploit is only possible in Drupal core with a restricted access administrative permission. Additional exploit paths for the same vulnerability may exist with contributed or custom code that allows users to write Twig templates.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.3.22" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 <9.3.22" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.4.0" - }, - { - "fixed": "9.4.7" - } - ], - "database_specific": { - "constraint": ">= 9.4.0 <9.4.7" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 <9.3.22 || >= 9.4.0 <9.4.7" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2022-016" - } - ], - "credits": [ - { - "name": "Fabien Potencier", - "contact": [ - "https://www.drupal.org/user/1467782" - ] - }, - { - "name": "James Williams", - "contact": [ - "https://www.drupal.org/user/592268" - ] - }, - { - "name": "Nicolas Grekas", - "contact": [ - "https://www.drupal.org/user/3407972" - ] - }, - { - "name": "Samuel Mortenson", - "contact": [ - "https://www.drupal.org/user/2582268" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2023-001.json b/advisories/core/DSA-CORE-2023-001.json deleted file mode 100644 index 00656f90..00000000 --- a/advisories/core/DSA-CORE-2023-001.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2023-001", - "modified": "2024-11-22T08:03:31.000Z", - "published": "2023-01-18T17:40:39.000Z", - "aliases": [], - "details": "The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.\n\nThe vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.4.10" - } - ], - "database_specific": { - "constraint": ">=8.0.0 <9.4.10" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.5.0" - }, - { - "fixed": "9.5.2" - } - ], - "database_specific": { - "constraint": ">=9.5.0 <9.5.2" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.0.0" - }, - { - "fixed": "10.0.2" - } - ], - "database_specific": { - "constraint": ">=10.0.0 <10.0.2" - } - } - ], - "database_specific": { - "affected_versions": ">=8.0.0 <9.4.10 || >=9.5.0 <9.5.2 || >=10.0.0 <10.0.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2023-001" - } - ], - "credits": [ - { - "name": "Dan Flanagan", - "contact": [ - "https://www.drupal.org/user/3615359" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2023-002.json b/advisories/core/DSA-CORE-2023-002.json deleted file mode 100644 index f03e083a..00000000 --- a/advisories/core/DSA-CORE-2023-002.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2023-002", - "modified": "2024-11-22T08:03:01.000Z", - "published": "2023-03-15T16:21:27.000Z", - "aliases": [], - "details": "The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.\n\nThis release was coordinated with [SA-CONTRIB-2023-010](https://www.drupal.org/sa-contrib-2023-010).\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.4.12" - } - ], - "database_specific": { - "constraint": ">=8.0.0 <9.4.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.5.0" - }, - { - "fixed": "9.5.5" - } - ], - "database_specific": { - "constraint": ">=9.5.0 <9.5.5" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.0.0" - }, - { - "fixed": "10.0.5" - } - ], - "database_specific": { - "constraint": ">=10.0.0 <10.0.5" - } - } - ], - "database_specific": { - "affected_versions": ">=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2023-002" - } - ], - "credits": [ - { - "name": "Dan Flanagan", - "contact": [ - "https://www.drupal.org/user/3615359" - ] - }, - { - "name": "James Williams", - "contact": [ - "https://www.drupal.org/user/592268" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2023-003.json b/advisories/core/DSA-CORE-2023-003.json deleted file mode 100644 index b05f4512..00000000 --- a/advisories/core/DSA-CORE-2023-003.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2023-003", - "modified": "2024-11-22T08:02:17.000Z", - "published": "2023-03-15T16:24:29.000Z", - "aliases": [], - "details": "The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.\n\nThe URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.\n\nThis advisory is not covered by [Drupal Steward](/steward).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.4.12" - } - ], - "database_specific": { - "constraint": ">=8.0.0 <9.4.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.5.0" - }, - { - "fixed": "9.5.5" - } - ], - "database_specific": { - "constraint": ">=9.5.0 <9.5.5" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.0.0" - }, - { - "fixed": "10.0.5" - } - ], - "database_specific": { - "constraint": ">=10.0.0 <10.0.5" - } - } - ], - "database_specific": { - "affected_versions": ">=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2023-003" - } - ], - "credits": [ - { - "name": "Jan Kellermann", - "contact": [ - "https://www.drupal.org/user/371731" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2023-004.json b/advisories/core/DSA-CORE-2023-004.json deleted file mode 100644 index c2a0cb97..00000000 --- a/advisories/core/DSA-CORE-2023-004.json +++ /dev/null @@ -1,98 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2023-004", - "modified": "2024-11-23T13:16:17.000Z", - "published": "2023-03-15T16:26:24.000Z", - "aliases": [], - "details": "Drupal core provides a page that outputs the markup from `phpinfo()` to assist with diagnosing PHP configuration.\n\nIf an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.\n\nThis vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "7.95.0" - } - ], - "database_specific": { - "constraint": "<7.95" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "9.4.12" - } - ], - "database_specific": { - "constraint": ">=8.0.0 <9.4.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.5.0" - }, - { - "fixed": "9.5.5" - } - ], - "database_specific": { - "constraint": ">=9.5.0 <9.5.5" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.0.0" - }, - { - "fixed": "10.0.5" - } - ], - "database_specific": { - "constraint": ">=10.0.0 <10.0.5" - } - } - ], - "database_specific": { - "affected_versions": "<7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2023-004" - } - ], - "credits": [ - { - "name": "Elar Lang", - "contact": [ - "https://www.drupal.org/user/3583903" - ] - }, - { - "name": "Janek Vind", - "contact": [ - "https://www.drupal.org/user/3621876" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2023-005.json b/advisories/core/DSA-CORE-2023-005.json deleted file mode 100644 index 5a1cc709..00000000 --- a/advisories/core/DSA-CORE-2023-005.json +++ /dev/null @@ -1,302 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2023-005", - "modified": "2025-01-09T21:09:52.000Z", - "published": "2023-04-19T17:06:18.000Z", - "aliases": [ - "CVE-2023-31250" - ], - "details": "The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.\n\nSome sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.\n\nThis advisory **is** covered by [Drupal Steward](/steward). Because this vulnerability is not mass exploitable, your Steward partner may respond by monitoring-only, rather than enforcing a new WAF rule.\n\nWe would normally not apply for a release of this severity. However, in this case we have chosen to apply Drupal Steward security coverage to test our processes.\n\n#### Drupal 7\n\n* All Drupal 7 sites on Windows web servers are vulnerable.\n* Drupal 7 sites on Linux web servers are vulnerable with certain file directory structures, or if a vulnerable contributed or custom file access module is installed.\n\n#### Drupal 9 and 10\n\nDrupal 9 and 10 sites are only vulnerable if certain contributed or custom file access modules are installed.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "7.96.0" - } - ], - "database_specific": { - "constraint": "<7.96.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.4.0" - }, - { - "fixed": "9.4.14" - } - ], - "database_specific": { - "constraint": ">=9.4.0 <9.4.14" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.5.0" - }, - { - "fixed": "9.5.8" - } - ], - "database_specific": { - "constraint": ">=9.5.0 <9.5.8" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.0.0" - }, - { - "fixed": "10.0.8" - } - ], - "database_specific": { - "constraint": ">=10.0.0 <10.0.8" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "8.1.0" - } - ], - "database_specific": { - "constraint": "8.0.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.1.0" - }, - { - "fixed": "8.2.0" - } - ], - "database_specific": { - "constraint": "8.1.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.2.0" - }, - { - "fixed": "8.3.0" - } - ], - "database_specific": { - "constraint": "8.2.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.3.0" - }, - { - "fixed": "8.4.0" - } - ], - "database_specific": { - "constraint": "8.3.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.4.0" - }, - { - "fixed": "8.5.0" - } - ], - "database_specific": { - "constraint": "8.4.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.5.0" - }, - { - "fixed": "8.6.0" - } - ], - "database_specific": { - "constraint": "8.5.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.6.0" - }, - { - "fixed": "8.7.0" - } - ], - "database_specific": { - "constraint": "8.6.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.7.0" - }, - { - "fixed": "8.8.0" - } - ], - "database_specific": { - "constraint": "8.7.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.8.0" - }, - { - "fixed": "8.9.0" - } - ], - "database_specific": { - "constraint": "8.8.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.9.0" - }, - { - "fixed": "8.10.0" - } - ], - "database_specific": { - "constraint": "8.9.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.0.0" - }, - { - "fixed": "9.1.0" - } - ], - "database_specific": { - "constraint": "9.0.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.1.0" - }, - { - "fixed": "9.2.0" - } - ], - "database_specific": { - "constraint": "9.1.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.2.0" - }, - { - "fixed": "9.3.0" - } - ], - "database_specific": { - "constraint": "9.2.*" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "9.3.0" - }, - { - "fixed": "9.4.0" - } - ], - "database_specific": { - "constraint": "9.3.*" - } - } - ], - "database_specific": { - "affected_versions": "<7.96.0 || >=9.4.0 <9.4.14 || >=9.5.0 <9.5.8 || >=10.0.0 <10.0.8 || 8.0.* || 8.1.* || 8.2.* || 8.3.* || 8.4.* || 8.5.* || 8.6.* || 8.7.* || 8.8.* || 8.9.* || 9.0.* || 9.1.* || 9.2.* || 9.3.*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2023-005" - } - ], - "credits": [ - { - "name": "Conrad Lara", - "contact": [ - "https://www.drupal.org/user/1790054" - ] - }, - { - "name": "Guy Elsmore-Paddock", - "contact": [ - "https://www.drupal.org/user/156932" - ] - }, - { - "name": "Heine", - "contact": [ - "https://www.drupal.org/user/17943" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2023-006.json b/advisories/core/DSA-CORE-2023-006.json deleted file mode 100644 index 5f9ad3d6..00000000 --- a/advisories/core/DSA-CORE-2023-006.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2023-006", - "modified": "2024-11-22T08:00:59.000Z", - "published": "2023-09-20T16:23:05.000Z", - "aliases": [ - "CVE-2023-5256" - ], - "details": "In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.\n\nThis vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.\n\nThe core REST and contributed GraphQL modules are not affected.\n\n[Drupal Steward](/steward) partners have been made aware of this issue. Some platforms may provide mitigations. However, not all WAF configurations can mitigate the issue, so it is still recommended to update promptly to this security release if your site uses JSON:API.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.7.0" - }, - { - "fixed": "9.5.11" - } - ], - "database_specific": { - "constraint": ">=8.7.0 <9.5.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.0.0" - }, - { - "fixed": "10.0.11" - } - ], - "database_specific": { - "constraint": ">=10.0 <10.0.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.1.0" - }, - { - "fixed": "10.1.4" - } - ], - "database_specific": { - "constraint": ">= 10.1 <10.1.4" - } - } - ], - "database_specific": { - "affected_versions": ">=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >= 10.1 <10.1.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2023-006" - } - ], - "credits": [ - { - "name": "ghostccamm", - "contact": [ - "https://www.drupal.org/user/3778490" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2024-001.json b/advisories/core/DSA-CORE-2024-001.json deleted file mode 100644 index e0e64517..00000000 --- a/advisories/core/DSA-CORE-2024-001.json +++ /dev/null @@ -1,72 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2024-001", - "modified": "2024-12-05T15:36:26.000Z", - "published": "2024-01-17T17:04:39.000Z", - "aliases": [ - "CVE-2024-11941" - ], - "details": "The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).\n\nSites that do not use the Comment module are not affected.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "10.1.8" - } - ], - "database_specific": { - "constraint": ">=8.0 <10.1.8" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.2.0" - }, - { - "fixed": "10.2.2" - } - ], - "database_specific": { - "constraint": ">=10.2 <10.2.2" - } - } - ], - "database_specific": { - "affected_versions": ">=8.0 <10.1.8 || >=10.2 <10.2.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2024-001" - } - ], - "credits": [ - { - "name": "Alexander Antonenko", - "contact": [ - "https://www.drupal.org/user/225734" - ] - }, - { - "name": "Doug Green", - "contact": [ - "https://www.drupal.org/user/29191" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2024-002.json b/advisories/core/DSA-CORE-2024-002.json deleted file mode 100644 index e591d23e..00000000 --- a/advisories/core/DSA-CORE-2024-002.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2024-002", - "modified": "2024-12-05T15:36:43.000Z", - "published": "2024-10-16T16:27:27.000Z", - "aliases": [ - "CVE-2024-11942" - ], - "details": "Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.\n\nThe issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.0.0" - }, - { - "fixed": "10.2.10" - } - ], - "database_specific": { - "constraint": ">=10.0 < 10.2.10" - } - } - ], - "database_specific": { - "affected_versions": ">=10.0 < 10.2.10" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2024-002" - } - ], - "credits": [ - { - "name": "Pierre Rudloff", - "contact": [ - "https://www.drupal.org/user/3611858" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2024-003.json b/advisories/core/DSA-CORE-2024-003.json deleted file mode 100644 index eb88a750..00000000 --- a/advisories/core/DSA-CORE-2024-003.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2024-003", - "modified": "2024-12-09T23:22:21.000Z", - "published": "2024-11-20T17:20:16.000Z", - "aliases": [ - "CVE-2024-12393" - ], - "details": "Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.8.0" - }, - { - "fixed": "10.2.11" - } - ], - "database_specific": { - "constraint": ">= 8.8.0 < 10.2.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.3.0" - }, - { - "fixed": "10.3.9" - } - ], - "database_specific": { - "constraint": ">= 10.3.0 < 10.3.9" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.0.0" - }, - { - "fixed": "11.0.8" - } - ], - "database_specific": { - "constraint": ">= 11.0.0 < 11.0.8" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.8.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2024-003" - } - ], - "credits": [ - { - "name": "Jay Beaton", - "contact": [ - "https://www.drupal.org/user/352123" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2024-004.json b/advisories/core/DSA-CORE-2024-004.json deleted file mode 100644 index 26f2523d..00000000 --- a/advisories/core/DSA-CORE-2024-004.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2024-004", - "modified": "2024-12-09T23:22:01.000Z", - "published": "2024-11-20T17:21:58.000Z", - "aliases": [ - "CVE-2024-55634" - ], - "details": "Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation.\n\nAs a result, a user may be able to register with the same email address as another user.\n\nThis may lead to data integrity issues.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "10.2.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 < 10.2.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.3.0" - }, - { - "fixed": "10.3.9" - } - ], - "database_specific": { - "constraint": ">= 10.3.0 < 10.3.9" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.0.0" - }, - { - "fixed": "11.0.8" - } - ], - "database_specific": { - "constraint": ">= 11.0.0 < 11.0.8" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2024-004" - } - ], - "credits": [ - { - "name": "Wayne Eaker", - "contact": [ - "https://www.drupal.org/user/326925" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2024-005.json b/advisories/core/DSA-CORE-2024-005.json deleted file mode 100644 index 49096395..00000000 --- a/advisories/core/DSA-CORE-2024-005.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2024-005", - "modified": "2024-12-09T23:23:54.000Z", - "published": "2024-11-20T17:24:02.000Z", - "aliases": [ - "CVE-2024-55635" - ], - "details": "Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances.\n\nOnly sites with the Overlay module enabled are affected by this vulnerability.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.102.0" - } - ], - "database_specific": { - "constraint": ">=7.0 <7.102" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 <7.102" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2024-005" - } - ], - "credits": [ - { - "name": "Cesar", - "contact": [ - "https://www.drupal.org/user/3546810" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2024-006.json b/advisories/core/DSA-CORE-2024-006.json deleted file mode 100644 index d28261f9..00000000 --- a/advisories/core/DSA-CORE-2024-006.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2024-006", - "modified": "2024-12-09T23:24:48.000Z", - "published": "2024-11-20T17:25:47.000Z", - "aliases": [ - "CVE-2024-55636" - ], - "details": "Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.\n\nThis issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.\n\nTo help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "10.2.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 < 10.2.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.3.0" - }, - { - "fixed": "10.3.9" - } - ], - "database_specific": { - "constraint": ">= 10.3.0 < 10.3.9" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.0.0" - }, - { - "fixed": "11.0.8" - } - ], - "database_specific": { - "constraint": ">= 11.0.0 < 11.0.8" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2024-006" - } - ], - "credits": [ - { - "name": "Drew Webber", - "contact": [ - "https://www.drupal.org/user/255969" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2024-007.json b/advisories/core/DSA-CORE-2024-007.json deleted file mode 100644 index 2926dcde..00000000 --- a/advisories/core/DSA-CORE-2024-007.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2024-007", - "modified": "2024-12-09T23:25:48.000Z", - "published": "2024-11-20T17:27:28.000Z", - "aliases": [ - "CVE-2024-55637" - ], - "details": "Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.\n\nThis issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.\n\nTo help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "10.2.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 < 10.2.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.3.0" - }, - { - "fixed": "10.3.9" - } - ], - "database_specific": { - "constraint": ">= 10.3.0 < 10.3.9" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.0.0" - }, - { - "fixed": "11.0.8" - } - ], - "database_specific": { - "constraint": ">= 11.0.0 < 11.0.8" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2024-007" - } - ], - "credits": [ - { - "name": "Drew Webber", - "contact": [ - "https://www.drupal.org/user/255969" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2024-008.json b/advisories/core/DSA-CORE-2024-008.json deleted file mode 100644 index 99192336..00000000 --- a/advisories/core/DSA-CORE-2024-008.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2024-008", - "modified": "2024-12-09T23:26:47.000Z", - "published": "2024-11-20T17:29:59.000Z", - "aliases": [ - "CVE-2024-55638" - ], - "details": "Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.\n\nThis issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.\n\nTo help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "7.0.0" - }, - { - "fixed": "7.102.0" - } - ], - "database_specific": { - "constraint": ">=7.0 < 7.102" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "10.2.11" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 < 10.2.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.3.0" - }, - { - "fixed": "10.3.9" - } - ], - "database_specific": { - "constraint": ">= 10.3.0 < 10.3.9" - } - } - ], - "database_specific": { - "affected_versions": ">=7.0 < 7.102 || >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2024-008" - } - ], - "credits": [ - { - "name": "Drew Webber", - "contact": [ - "https://www.drupal.org/user/255969" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2025-001.json b/advisories/core/DSA-CORE-2025-001.json deleted file mode 100644 index bc29cea7..00000000 --- a/advisories/core/DSA-CORE-2025-001.json +++ /dev/null @@ -1,148 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2025-001", - "modified": "2025-03-31T21:57:06.000Z", - "published": "2025-02-19T16:49:28.000Z", - "aliases": [ - "CVE-2025-3057" - ], - "details": "Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS).\n\nSites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue.\n\nThis issue is being protected by [Drupal Steward](https://www.drupal.org/steward). Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "10.3.13" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 < 10.3.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.4.0" - }, - { - "fixed": "10.4.3" - } - ], - "database_specific": { - "constraint": ">= 10.4.0 < 10.4.3" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.0.0" - }, - { - "fixed": "11.0.12" - } - ], - "database_specific": { - "constraint": ">= 11.0.0 < 11.0.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.1.0" - }, - { - "fixed": "11.1.3" - } - ], - "database_specific": { - "constraint": ">= 11.1.0 < 11.1.3" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2025-001" - } - ], - "credits": [ - { - "name": "Arne (arkepp)", - "contact": [ - "https://www.drupal.org/u/arkepp" - ] - }, - { - "name": "Douglas Groene (dgroene)", - "contact": [ - "https://www.drupal.org/u/dgroene" - ] - }, - { - "name": "Dragos Dumitrescu (dragos-dumi)", - "contact": [ - "https://www.drupal.org/u/dragos-dumi" - ] - }, - { - "name": "Flo Kosiol (flokosiol)", - "contact": [ - "https://www.drupal.org/u/flokosiol" - ] - }, - { - "name": "Gerardo Cadau (juanramonperez)", - "contact": [ - "https://www.drupal.org/u/juanramonperez" - ] - }, - { - "name": "Justin Christoffersen (larsdesigns)", - "contact": [ - "https://www.drupal.org/u/larsdesigns" - ] - }, - { - "name": "Sven Decabooter (svendecabooter)", - "contact": [ - "https://www.drupal.org/u/svendecabooter" - ] - }, - { - "name": "Will Gunn (wgunn_e)", - "contact": [ - "https://www.drupal.org/u/wgunn_e" - ] - }, - { - "name": "bdanin", - "contact": [ - "https://www.drupal.org/u/bdanin" - ] - }, - { - "name": "nuwans", - "contact": [ - "https://www.drupal.org/u/nuwans" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2025-002.json b/advisories/core/DSA-CORE-2025-002.json deleted file mode 100644 index f3bb6dc2..00000000 --- a/advisories/core/DSA-CORE-2025-002.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2025-002", - "modified": "2025-03-31T21:57:22.000Z", - "published": "2025-02-19T16:58:10.000Z", - "aliases": [ - "CVE-2025-31673" - ], - "details": "Bulk operations allow authorized users to modify several nodes at once from the Content page (`/admin/content`). A site builder can also add bulk operations to other pages using Views.\n\nA bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes.\n\nThis vulnerability is mitigated by the fact that an attacker must have permission to access `/admin/content` or other, custom views and to edit nodes.\n\nIn particular, the bulk operations\n\n* Make content sticky\n* Make content unsticky\n* Promote content to front page\n* Publish content\n* Remove content from front page\n* Unpublish content\n\nnow require the \"Administer content\" permission.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "10.3.13" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 < 10.3.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.4.0" - }, - { - "fixed": "10.4.3" - } - ], - "database_specific": { - "constraint": ">= 10.4.0 < 10.4.3" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.0.0" - }, - { - "fixed": "11.0.12" - } - ], - "database_specific": { - "constraint": ">= 11.0.0 < 11.0.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.1.0" - }, - { - "fixed": "11.1.3" - } - ], - "database_specific": { - "constraint": ">= 11.1.0 < 11.1.3" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2025-002" - } - ], - "credits": [ - { - "name": "jeff cardwell", - "contact": [ - "https://www.drupal.org/u/jeff-cardwell" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2025-003.json b/advisories/core/DSA-CORE-2025-003.json deleted file mode 100644 index 5e31a69b..00000000 --- a/advisories/core/DSA-CORE-2025-003.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2025-003", - "modified": "2025-03-31T21:57:36.000Z", - "published": "2025-02-19T17:03:28.000Z", - "aliases": [ - "CVE-2025-31674" - ], - "details": "Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable.\n\nThis issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "10.3.13" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 < 10.3.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.4.0" - }, - { - "fixed": "10.4.3" - } - ], - "database_specific": { - "constraint": ">= 10.4.0 < 10.4.3" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.0.0" - }, - { - "fixed": "11.0.12" - } - ], - "database_specific": { - "constraint": ">= 11.0.0 < 11.0.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.1.0" - }, - { - "fixed": "11.1.3" - } - ], - "database_specific": { - "constraint": ">= 11.1.0 < 11.1.3" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2025-003" - } - ], - "credits": [ - { - "name": "anzuukino", - "contact": [ - "https://www.drupal.org/u/anzuukino" - ] - }, - { - "name": "shin24", - "contact": [ - "https://www.drupal.org/u/shin24" - ] - } - ] -} diff --git a/advisories/core/DSA-CORE-2025-004.json b/advisories/core/DSA-CORE-2025-004.json deleted file mode 100644 index a5f4c2f5..00000000 --- a/advisories/core/DSA-CORE-2025-004.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CORE-2025-004", - "modified": "2025-06-14T13:06:04.000Z", - "published": "2025-03-19T18:54:35.000Z", - "aliases": [ - "CVE-2025-31675" - ], - "details": "Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).\n\nThis vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.\n\nSites with the Link module disabled or that do not use any link fields are not affected.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/core" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "8.0.0" - }, - { - "fixed": "10.3.14" - } - ], - "database_specific": { - "constraint": ">= 8.0.0 < 10.3.14" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "10.4.0" - }, - { - "fixed": "10.4.5" - } - ], - "database_specific": { - "constraint": ">= 10.4.0 < 10.4.5" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.0.0" - }, - { - "fixed": "11.0.13" - } - ], - "database_specific": { - "constraint": ">= 11.0.0 < 11.0.13" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "11.1.0" - }, - { - "fixed": "11.1.5" - } - ], - "database_specific": { - "constraint": ">= 11.1.0 < 11.1.5" - } - } - ], - "database_specific": { - "affected_versions": ">= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 < 11.0.13 || >= 11.1.0 < 11.1.5" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-core-2025-004" - } - ], - "credits": [ - { - "name": "Samuel Mortenson (samuel.mortenson)", - "contact": [ - "https://www.drupal.org/u/samuelmortenson" - ] - } - ] -} diff --git a/advisories/create_user_permission/DRUPAL-CONTRIB-2019-066.json b/advisories/create_user_permission/DRUPAL-CONTRIB-2019-066.json new file mode 100644 index 00000000..b6c2dba2 --- /dev/null +++ b/advisories/create_user_permission/DRUPAL-CONTRIB-2019-066.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-066", + "modified": "2023-08-11T18:34:46.000Z", + "published": "2019-09-18T15:07:56.000Z", + "aliases": [], + "details": "This module enables you to have a separate permission only for creating users.\n\nThe module doesn't respect Drupal's setting for \"Who can register accounts?\" when set to \"Visitors, but administrator approval is required\".\n\nWhen this option is chosen, the module overrides the setting, and makes it possible to register accounts with no approval.\n\nThis vulnerability can be mitigated by having other settings in place for account registration, such as requiring email verification for new accounts, or permitting account creation for \"Administrators only\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/create_user_permission" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-066" + } + ], + "credits": [ + { + "name": "jddh", + "contact": [ + "https://www.drupal.org/user/509004" + ] + } + ] +} diff --git a/advisories/create_user_permission/DSA-CONTRIB-2019-066.json b/advisories/create_user_permission/DSA-CONTRIB-2019-066.json deleted file mode 100644 index 36e1d5f3..00000000 --- a/advisories/create_user_permission/DSA-CONTRIB-2019-066.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-066", - "modified": "2023-08-11T18:34:46.000Z", - "published": "2019-09-18T15:07:56.000Z", - "aliases": [], - "details": "This module enables you to have a separate permission only for creating users.\n\nThe module doesn't respect Drupal's setting for \"Who can register accounts?\" when set to \"Visitors, but administrator approval is required\".\n\nWhen this option is chosen, the module overrides the setting, and makes it possible to register accounts with no approval.\n\nThis vulnerability can be mitigated by having other settings in place for account registration, such as requiring email verification for new accounts, or permitting account creation for \"Administrators only\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/create_user_permission" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-066" - } - ], - "credits": [ - { - "name": "jddh", - "contact": [ - "https://www.drupal.org/user/509004" - ] - } - ] -} diff --git a/advisories/cshs/DRUPAL-CONTRIB-2021-031.json b/advisories/cshs/DRUPAL-CONTRIB-2021-031.json new file mode 100644 index 00000000..2fc473fc --- /dev/null +++ b/advisories/cshs/DRUPAL-CONTRIB-2021-031.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-031", + "modified": "2023-08-11T17:04:21.000Z", + "published": "2021-09-22T16:49:24.000Z", + "aliases": [], + "details": "The module provides a field widget for selecting taxonomy terms in a hierarchical fashion.\n\nThe module doesn't sanitize user input in certain cases, leading to a possible Cross-Site-Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit taxonomy terms to which the widget may apply.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/cshs" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.5.0" + } + ], + "database_specific": { + "constraint": "<3.5.0" + } + } + ], + "database_specific": { + "affected_versions": "<3.5.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-031" + } + ], + "credits": [ + { + "name": "Patrick Fey", + "contact": [ + "https://www.drupal.org/user/998680" + ] + } + ] +} diff --git a/advisories/cshs/DSA-CONTRIB-2021-031.json b/advisories/cshs/DSA-CONTRIB-2021-031.json deleted file mode 100644 index 45f0f1e2..00000000 --- a/advisories/cshs/DSA-CONTRIB-2021-031.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-031", - "modified": "2023-08-11T17:04:21.000Z", - "published": "2021-09-22T16:49:24.000Z", - "aliases": [], - "details": "The module provides a field widget for selecting taxonomy terms in a hierarchical fashion.\n\nThe module doesn't sanitize user input in certain cases, leading to a possible Cross-Site-Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit taxonomy terms to which the widget may apply.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/cshs" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.5.0" - } - ], - "database_specific": { - "constraint": "<3.5.0" - } - } - ], - "database_specific": { - "affected_versions": "<3.5.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-031" - } - ], - "credits": [ - { - "name": "Patrick Fey", - "contact": [ - "https://www.drupal.org/user/998680" - ] - } - ] -} diff --git a/advisories/ctools/DRUPAL-CONTRIB-2021-009.json b/advisories/ctools/DRUPAL-CONTRIB-2021-009.json new file mode 100644 index 00000000..deaeff91 --- /dev/null +++ b/advisories/ctools/DRUPAL-CONTRIB-2021-009.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-009", + "modified": "2023-08-11T17:18:42.000Z", + "published": "2021-05-12T16:23:23.000Z", + "aliases": [], + "details": "Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, it's 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.\n\nThe module doesn't sufficiently handle access control on its EntityView plugin.\n\nThis vulnerability is mitigated by the fact that successful exploitation requires special conditions in place such as custom solutions that allow injecting the context by means other than the route.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/ctools" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.6.0" + } + ], + "database_specific": { + "constraint": "<3.6.0" + } + } + ], + "database_specific": { + "affected_versions": "<3.6.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-009" + } + ], + "credits": [ + { + "name": "Jonathan Hedstrom", + "contact": [ + "https://www.drupal.org/user/208732" + ] + } + ] +} diff --git a/advisories/ctools/DRUPAL-CONTRIB-2021-015.json b/advisories/ctools/DRUPAL-CONTRIB-2021-015.json new file mode 100644 index 00000000..b1b12d19 --- /dev/null +++ b/advisories/ctools/DRUPAL-CONTRIB-2021-015.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-015", + "modified": "2023-08-11T17:08:06.000Z", + "published": "2021-06-16T15:58:47.000Z", + "aliases": [], + "details": "Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.\n\nThe module doesn't sufficiently handle block access control on its EntityView plugin. This is a followup to more fully implement the fixes from [SA-CONTRIB-2021-009](https://www.drupal.org/sa-contrib-2021-009)\n\nThis vulnerability is mitigated by the fact that successful exploitation requires special conditions in place such as custom blockAccess() method that differs from the default return value of 'AccessResult::allowed()' and extending from EntityView.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/ctools" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.7.0" + } + ], + "database_specific": { + "constraint": "<3.7.0" + } + } + ], + "database_specific": { + "affected_versions": "<3.7.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-015" + } + ], + "credits": [ + { + "name": "Michael Vanetta", + "contact": [ + "https://www.drupal.org/user/452914" + ] + } + ] +} diff --git a/advisories/ctools/DSA-CONTRIB-2021-009.json b/advisories/ctools/DSA-CONTRIB-2021-009.json deleted file mode 100644 index 04249bbf..00000000 --- a/advisories/ctools/DSA-CONTRIB-2021-009.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-009", - "modified": "2023-08-11T17:18:42.000Z", - "published": "2021-05-12T16:23:23.000Z", - "aliases": [], - "details": "Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, it's 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.\n\nThe module doesn't sufficiently handle access control on its EntityView plugin.\n\nThis vulnerability is mitigated by the fact that successful exploitation requires special conditions in place such as custom solutions that allow injecting the context by means other than the route.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/ctools" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.6.0" - } - ], - "database_specific": { - "constraint": "<3.6.0" - } - } - ], - "database_specific": { - "affected_versions": "<3.6.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-009" - } - ], - "credits": [ - { - "name": "Jonathan Hedstrom", - "contact": [ - "https://www.drupal.org/user/208732" - ] - } - ] -} diff --git a/advisories/ctools/DSA-CONTRIB-2021-015.json b/advisories/ctools/DSA-CONTRIB-2021-015.json deleted file mode 100644 index ce35447b..00000000 --- a/advisories/ctools/DSA-CONTRIB-2021-015.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-015", - "modified": "2023-08-11T17:08:06.000Z", - "published": "2021-06-16T15:58:47.000Z", - "aliases": [], - "details": "Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.\n\nThe module doesn't sufficiently handle block access control on its EntityView plugin. This is a followup to more fully implement the fixes from [SA-CONTRIB-2021-009](https://www.drupal.org/sa-contrib-2021-009)\n\nThis vulnerability is mitigated by the fact that successful exploitation requires special conditions in place such as custom blockAccess() method that differs from the default return value of 'AccessResult::allowed()' and extending from EntityView.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/ctools" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.7.0" - } - ], - "database_specific": { - "constraint": "<3.7.0" - } - } - ], - "database_specific": { - "affected_versions": "<3.7.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-015" - } - ], - "credits": [ - { - "name": "Michael Vanetta", - "contact": [ - "https://www.drupal.org/user/452914" - ] - } - ] -} diff --git a/advisories/custom_breadcrumbs/DRUPAL-CONTRIB-2022-024.json b/advisories/custom_breadcrumbs/DRUPAL-CONTRIB-2022-024.json new file mode 100644 index 00000000..6378d1cc --- /dev/null +++ b/advisories/custom_breadcrumbs/DRUPAL-CONTRIB-2022-024.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-024", + "modified": "2023-08-11T13:49:13.000Z", + "published": "2022-02-09T15:20:08.000Z", + "aliases": [], + "details": "The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail.\n\nThe module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"Administer custom breadcrumbs\" permission.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/custom_breadcrumbs" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.1" + } + ], + "database_specific": { + "constraint": "<1.0.1" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-024" + } + ], + "credits": [ + { + "name": "Krzysztof Doma\u0144ski", + "contact": [ + "https://www.drupal.org/user/3572982" + ] + } + ] +} diff --git a/advisories/custom_breadcrumbs/DSA-CONTRIB-2022-024.json b/advisories/custom_breadcrumbs/DSA-CONTRIB-2022-024.json deleted file mode 100644 index beae1e8e..00000000 --- a/advisories/custom_breadcrumbs/DSA-CONTRIB-2022-024.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-024", - "modified": "2023-08-11T13:49:13.000Z", - "published": "2022-02-09T15:20:08.000Z", - "aliases": [], - "details": "The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail.\n\nThe module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"Administer custom breadcrumbs\" permission.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/custom_breadcrumbs" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.1" - } - ], - "database_specific": { - "constraint": "<1.0.1" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-024" - } - ], - "credits": [ - { - "name": "Krzysztof Doma\u0144ski", - "contact": [ - "https://www.drupal.org/user/3572982" - ] - } - ] -} diff --git a/advisories/d8_google_optimize_hide_page/DRUPAL-CONTRIB-2025-040.json b/advisories/d8_google_optimize_hide_page/DRUPAL-CONTRIB-2025-040.json new file mode 100644 index 00000000..c1422649 --- /dev/null +++ b/advisories/d8_google_optimize_hide_page/DRUPAL-CONTRIB-2025-040.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-040", + "modified": "2025-04-16T16:26:13.000Z", + "published": "2025-04-16T16:26:13.000Z", + "aliases": [ + "CVE-2025-3739" + ], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/d8_google_optimize_hide_page" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-040" + } + ], + "credits": [] +} diff --git a/advisories/d8_google_optimize_hide_page/DSA-CONTRIB-2025-040.json b/advisories/d8_google_optimize_hide_page/DSA-CONTRIB-2025-040.json deleted file mode 100644 index dd90bbfd..00000000 --- a/advisories/d8_google_optimize_hide_page/DSA-CONTRIB-2025-040.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-040", - "modified": "2025-04-16T16:26:13.000Z", - "published": "2025-04-16T16:26:13.000Z", - "aliases": [ - "CVE-2025-3739" - ], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/d8_google_optimize_hide_page" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-040" - } - ], - "credits": [] -} diff --git a/advisories/datafield/DRUPAL-CONTRIB-2023-040.json b/advisories/datafield/DRUPAL-CONTRIB-2023-040.json new file mode 100644 index 00000000..78face0b --- /dev/null +++ b/advisories/datafield/DRUPAL-CONTRIB-2023-040.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-040", + "modified": "2023-08-23T18:28:12.000Z", + "published": "2023-08-23T17:24:02.000Z", + "aliases": [], + "details": "The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system.\n\nAccess to these forms isn't properly validated, allowing a user with the \"access content\" permission to view and edit fields on entities.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/datafield" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.16" + } + ], + "database_specific": { + "constraint": "<1.0.16" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.16" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-040" + } + ], + "credits": [ + { + "name": "Mitch Portier", + "contact": [ + "https://www.drupal.org/user/2284182" + ] + } + ] +} diff --git a/advisories/datafield/DSA-CONTRIB-2023-040.json b/advisories/datafield/DSA-CONTRIB-2023-040.json deleted file mode 100644 index fc019f62..00000000 --- a/advisories/datafield/DSA-CONTRIB-2023-040.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-040", - "modified": "2023-08-23T18:28:12.000Z", - "published": "2023-08-23T17:24:02.000Z", - "aliases": [], - "details": "The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system.\n\nAccess to these forms isn't properly validated, allowing a user with the \"access content\" permission to view and edit fields on entities.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/datafield" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.16" - } - ], - "database_specific": { - "constraint": "<1.0.16" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.16" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-040" - } - ], - "credits": [ - { - "name": "Mitch Portier", - "contact": [ - "https://www.drupal.org/user/2284182" - ] - } - ] -} diff --git a/advisories/decoupled_router/DRUPAL-CONTRIB-2018-071.json b/advisories/decoupled_router/DRUPAL-CONTRIB-2018-071.json new file mode 100644 index 00000000..2960b468 --- /dev/null +++ b/advisories/decoupled_router/DRUPAL-CONTRIB-2018-071.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-071", + "modified": "2023-08-11T21:13:17.000Z", + "published": "2018-10-31T14:59:17.000Z", + "aliases": [], + "details": "This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label.\n\nThe module doesn't sufficiently check access before displaying entity labels. This leads to the display of labels on entities that are not be accessible, for example; titles of unpublished content.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/decoupled_router" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-071" + } + ], + "credits": [ + { + "name": "Rainer Friederich", + "contact": [ + "https://www.drupal.org/user/3066367" + ] + } + ] +} diff --git a/advisories/decoupled_router/DSA-CONTRIB-2018-071.json b/advisories/decoupled_router/DSA-CONTRIB-2018-071.json deleted file mode 100644 index 064e6f12..00000000 --- a/advisories/decoupled_router/DSA-CONTRIB-2018-071.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-071", - "modified": "2023-08-11T21:13:17.000Z", - "published": "2018-10-31T14:59:17.000Z", - "aliases": [], - "details": "This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label.\n\nThe module doesn't sufficiently check access before displaying entity labels. This leads to the display of labels on entities that are not be accessible, for example; titles of unpublished content.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/decoupled_router" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-071" - } - ], - "credits": [ - { - "name": "Rainer Friederich", - "contact": [ - "https://www.drupal.org/user/3066367" - ] - } - ] -} diff --git a/advisories/dfp/DRUPAL-CONTRIB-2022-035.json b/advisories/dfp/DRUPAL-CONTRIB-2022-035.json new file mode 100644 index 00000000..efe5dfd4 --- /dev/null +++ b/advisories/dfp/DRUPAL-CONTRIB-2022-035.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-035", + "modified": "2023-08-10T21:43:30.000Z", + "published": "2022-05-04T16:06:53.000Z", + "aliases": [], + "details": "Doubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.\n\nThe module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a Cross-Site-Scripting (XSS) vulnerability to target visitors of the site, including site admins with privileged access.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer DFP\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/dfp" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-035" + } + ], + "credits": [ + { + "name": "John Herre\u00f1o", + "contact": [ + "https://www.drupal.org/user/350711" + ] + } + ] +} diff --git a/advisories/dfp/DSA-CONTRIB-2022-035.json b/advisories/dfp/DSA-CONTRIB-2022-035.json deleted file mode 100644 index 2eef9385..00000000 --- a/advisories/dfp/DSA-CONTRIB-2022-035.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-035", - "modified": "2023-08-10T21:43:30.000Z", - "published": "2022-05-04T16:06:53.000Z", - "aliases": [], - "details": "Doubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.\n\nThe module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a Cross-Site-Scripting (XSS) vulnerability to target visitors of the site, including site admins with privileged access.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer DFP\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/dfp" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-035" - } - ], - "credits": [ - { - "name": "John Herre\u00f1o", - "contact": [ - "https://www.drupal.org/user/350711" - ] - } - ] -} diff --git a/advisories/diff/DRUPAL-CONTRIB-2024-042.json b/advisories/diff/DRUPAL-CONTRIB-2024-042.json new file mode 100644 index 00000000..b9e419a1 --- /dev/null +++ b/advisories/diff/DRUPAL-CONTRIB-2024-042.json @@ -0,0 +1,67 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-042", + "modified": "2025-02-20T19:27:15.000Z", + "published": "2024-10-02T16:15:59.000Z", + "aliases": [ + "CVE-2024-13278" + ], + "details": "This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions.\n\nThe module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission from the general node permission to \"view all revisions\", one of the more specific node type permissions, \"view %bundle revisions\" or the equivalent for other general entity types.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/diff" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.0" + } + ], + "database_specific": { + "constraint": "<1.8.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0-beta1" + }, + { + "fixed": "2.0.0-beta3" + } + ], + "database_specific": { + "constraint": ">=2.0.0-beta1 <2.0.0-beta3" + } + } + ], + "database_specific": { + "affected_versions": "<1.8.0 || >=2.0.0-beta1 <2.0.0-beta3", + "patched": true + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-042" + } + ], + "credits": [ + { + "name": "Matthias Vogel", + "contact": [ + "https://www.drupal.org/user/3319139" + ] + } + ] +} diff --git a/advisories/diff/DSA-CONTRIB-2024-042.json b/advisories/diff/DSA-CONTRIB-2024-042.json deleted file mode 100644 index d7ec3e3e..00000000 --- a/advisories/diff/DSA-CONTRIB-2024-042.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-042", - "modified": "2025-02-20T19:27:15.000Z", - "published": "2024-10-02T16:15:59.000Z", - "aliases": [ - "CVE-2024-13278" - ], - "details": "This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions.\n\nThe module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission from the general node permission to \"view all revisions\", one of the more specific node type permissions, \"view %bundle revisions\" or the equivalent for other general entity types.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/diff" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.8.0" - } - ], - "database_specific": { - "constraint": "<1.8.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0-beta1" - }, - { - "fixed": "2.0.0-beta3" - } - ], - "database_specific": { - "constraint": ">=2.0.0-beta1 <2.0.0-beta3" - } - } - ], - "database_specific": { - "affected_versions": "<1.8.0 || >=2.0.0-beta1 <2.0.0-beta3", - "patched": true - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-042" - } - ], - "credits": [ - { - "name": "Matthias Vogel", - "contact": [ - "https://www.drupal.org/user/3319139" - ] - } - ] -} diff --git a/advisories/domain_group/DRUPAL-CONTRIB-2021-037.json b/advisories/domain_group/DRUPAL-CONTRIB-2021-037.json new file mode 100644 index 00000000..b764bd01 --- /dev/null +++ b/advisories/domain_group/DRUPAL-CONTRIB-2021-037.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-037", + "modified": "2023-08-11T16:54:22.000Z", + "published": "2021-09-22T17:17:05.000Z", + "aliases": [], + "details": "This module enables sites to define a domain from Domain Access that points directly to a group page.\n\nThe module doesn't sufficiently manage the access to content administrative paths allowing an attacker to see and take actions on content (nodes) they should be allowed to.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/domain_group" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.0" + } + ], + "database_specific": { + "constraint": "<1.4.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "last_affected": "2.0.0" + } + ], + "database_specific": { + "constraint": "2.0.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.4.0 || 2.0.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-037" + } + ], + "credits": [ + { + "name": "Kalle Kipin\u00e4", + "contact": [ + "https://www.drupal.org/user/813328" + ] + } + ] +} diff --git a/advisories/domain_group/DSA-CONTRIB-2021-037.json b/advisories/domain_group/DSA-CONTRIB-2021-037.json deleted file mode 100644 index e6190ee4..00000000 --- a/advisories/domain_group/DSA-CONTRIB-2021-037.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-037", - "modified": "2023-08-11T16:54:22.000Z", - "published": "2021-09-22T17:17:05.000Z", - "aliases": [], - "details": "This module enables sites to define a domain from Domain Access that points directly to a group page.\n\nThe module doesn't sufficiently manage the access to content administrative paths allowing an attacker to see and take actions on content (nodes) they should be allowed to.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/domain_group" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.4.0" - } - ], - "database_specific": { - "constraint": "<1.4.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "last_affected": "2.0.0" - } - ], - "database_specific": { - "constraint": "2.0.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.4.0 || 2.0.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-037" - } - ], - "credits": [ - { - "name": "Kalle Kipin\u00e4", - "contact": [ - "https://www.drupal.org/user/813328" - ] - } - ] -} diff --git a/advisories/download_all_files/DRUPAL-CONTRIB-2024-069.json b/advisories/download_all_files/DRUPAL-CONTRIB-2024-069.json new file mode 100644 index 00000000..0b1a55e4 --- /dev/null +++ b/advisories/download_all_files/DRUPAL-CONTRIB-2024-069.json @@ -0,0 +1,58 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-069", + "modified": "2025-02-20T20:07:35.000Z", + "published": "2024-12-04T15:13:14.000Z", + "aliases": [ + "CVE-2024-13303" + ], + "details": "This module provides a field formatter for the field type 'file' called `Table of files with download all link` .\n\nThe module had vulnerabilities allowing a user to download files they normally should not be able to download.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/download_all_files" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.2" + } + ], + "database_specific": { + "constraint": "<2.0.2" + } + } + ], + "database_specific": { + "affected_versions": "<2.0.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-069" + } + ], + "credits": [ + { + "name": "Jeroen Tubex", + "contact": [ + "https://www.drupal.org/user/2228934" + ] + }, + { + "name": "Pierre Rudloff", + "contact": [ + "https://www.drupal.org/user/3611858" + ] + } + ] +} diff --git a/advisories/download_all_files/DSA-CONTRIB-2024-069.json b/advisories/download_all_files/DSA-CONTRIB-2024-069.json deleted file mode 100644 index bc0aba77..00000000 --- a/advisories/download_all_files/DSA-CONTRIB-2024-069.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-069", - "modified": "2025-02-20T20:07:35.000Z", - "published": "2024-12-04T15:13:14.000Z", - "aliases": [ - "CVE-2024-13303" - ], - "details": "This module provides a field formatter for the field type 'file' called `Table of files with download all link` .\n\nThe module had vulnerabilities allowing a user to download files they normally should not be able to download.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/download_all_files" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.2" - } - ], - "database_specific": { - "constraint": "<2.0.2" - } - } - ], - "database_specific": { - "affected_versions": "<2.0.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-069" - } - ], - "credits": [ - { - "name": "Jeroen Tubex", - "contact": [ - "https://www.drupal.org/user/2228934" - ] - }, - { - "name": "Pierre Rudloff", - "contact": [ - "https://www.drupal.org/user/3611858" - ] - } - ] -} diff --git a/advisories/drd_agent/DRUPAL-CONTRIB-2018-022.json b/advisories/drd_agent/DRUPAL-CONTRIB-2018-022.json new file mode 100644 index 00000000..364ee0f3 --- /dev/null +++ b/advisories/drd_agent/DRUPAL-CONTRIB-2018-022.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-022", + "modified": "2023-08-11T21:38:26.000Z", + "published": "2018-04-25T17:37:20.000Z", + "aliases": [], + "details": "This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.\n\nThe modules (DRD and DRD Agent) encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize functions instead of the json\\_encode/json\\_decode combination. As the unserialize function is called on unauthenticated content, this introduces a PHP object injection vulnerability.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/drd_agent" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.7.0" + } + ], + "database_specific": { + "constraint": "<3.7.0" + } + } + ], + "database_specific": { + "affected_versions": "<3.7.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-022" + } + ], + "credits": [ + { + "name": "David Snopek", + "contact": [ + "https://www.drupal.org/user/266527" + ] + } + ] +} diff --git a/advisories/drd_agent/DSA-CONTRIB-2018-022.json b/advisories/drd_agent/DSA-CONTRIB-2018-022.json deleted file mode 100644 index d0a1681a..00000000 --- a/advisories/drd_agent/DSA-CONTRIB-2018-022.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-022", - "modified": "2023-08-11T21:38:26.000Z", - "published": "2018-04-25T17:37:20.000Z", - "aliases": [], - "details": "This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.\n\nThe modules (DRD and DRD Agent) encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize functions instead of the json\\_encode/json\\_decode combination. As the unserialize function is called on unauthenticated content, this introduces a PHP object injection vulnerability.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/drd_agent" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.7.0" - } - ], - "database_specific": { - "constraint": "<3.7.0" - } - } - ], - "database_specific": { - "affected_versions": "<3.7.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-022" - } - ], - "credits": [ - { - "name": "David Snopek", - "contact": [ - "https://www.drupal.org/user/266527" - ] - } - ] -} diff --git a/advisories/druadmin_lte_theme/DRUPAL-CONTRIB-2025-010.json b/advisories/druadmin_lte_theme/DRUPAL-CONTRIB-2025-010.json new file mode 100644 index 00000000..ebecb8b3 --- /dev/null +++ b/advisories/druadmin_lte_theme/DRUPAL-CONTRIB-2025-010.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-010", + "modified": "2025-03-31T22:23:22.000Z", + "published": "2025-01-29T16:57:22.000Z", + "aliases": [ + "CVE-2025-3062" + ], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/druadmin_lte_theme" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-010" + } + ], + "credits": [] +} diff --git a/advisories/druadmin_lte_theme/DSA-CONTRIB-2025-010.json b/advisories/druadmin_lte_theme/DSA-CONTRIB-2025-010.json deleted file mode 100644 index 03d1a47b..00000000 --- a/advisories/druadmin_lte_theme/DSA-CONTRIB-2025-010.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-010", - "modified": "2025-03-31T22:23:22.000Z", - "published": "2025-01-29T16:57:22.000Z", - "aliases": [ - "CVE-2025-3062" - ], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/druadmin_lte_theme" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-010" - } - ], - "credits": [] -} diff --git a/advisories/dvf/DRUPAL-CONTRIB-2023-055.json b/advisories/dvf/DRUPAL-CONTRIB-2023-055.json new file mode 100644 index 00000000..7b2472bf --- /dev/null +++ b/advisories/dvf/DRUPAL-CONTRIB-2023-055.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-055", + "modified": "2023-12-20T17:53:15.000Z", + "published": "2023-12-20T17:02:51.000Z", + "aliases": [], + "details": "This module allows you to turn various data sources (Eg CSV or JSON file) into interactive visualisation. The DVF module provides a field (storage, widget & formatter) that can be added to any entity.\n\nThis module uses two third-party JS libraries having from low to medium vulnerabilities. One of the vulnerabilities is a Cross Site Scripting vulnerability that may affect Drupal sites as a Persistent Cross Site Scripting vulnerability (i.e. not reflected). This release updates the libraries.\n\nThe issue is mitigated by the fact an attacker needs the permission to create or edit content that is displayed using the Data Visualization Framework.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/dvf" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.2" + } + ], + "database_specific": { + "constraint": "< 2.0.2" + } + } + ], + "database_specific": { + "affected_versions": "< 2.0.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-055" + } + ], + "credits": [ + { + "name": "Joseph Zhao", + "contact": [ + "https://www.drupal.org/user/1987218" + ] + } + ] +} diff --git a/advisories/dvf/DSA-CONTRIB-2023-055.json b/advisories/dvf/DSA-CONTRIB-2023-055.json deleted file mode 100644 index 8ff51459..00000000 --- a/advisories/dvf/DSA-CONTRIB-2023-055.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-055", - "modified": "2023-12-20T17:53:15.000Z", - "published": "2023-12-20T17:02:51.000Z", - "aliases": [], - "details": "This module allows you to turn various data sources (Eg CSV or JSON file) into interactive visualisation. The DVF module provides a field (storage, widget & formatter) that can be added to any entity.\n\nThis module uses two third-party JS libraries having from low to medium vulnerabilities. One of the vulnerabilities is a Cross Site Scripting vulnerability that may affect Drupal sites as a Persistent Cross Site Scripting vulnerability (i.e. not reflected). This release updates the libraries.\n\nThe issue is mitigated by the fact an attacker needs the permission to create or edit content that is displayed using the Data Visualization Framework.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/dvf" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.2" - } - ], - "database_specific": { - "constraint": "< 2.0.2" - } - } - ], - "database_specific": { - "affected_versions": "< 2.0.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-055" - } - ], - "credits": [ - { - "name": "Joseph Zhao", - "contact": [ - "https://www.drupal.org/user/1987218" - ] - } - ] -} diff --git a/advisories/easy_breadcrumb/DRUPAL-CONTRIB-2020-027.json b/advisories/easy_breadcrumb/DRUPAL-CONTRIB-2020-027.json new file mode 100644 index 00000000..70f8cd4c --- /dev/null +++ b/advisories/easy_breadcrumb/DRUPAL-CONTRIB-2020-027.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2020-027", + "modified": "2023-08-11T17:49:02.000Z", + "published": "2020-07-22T17:58:17.000Z", + "aliases": [], + "details": "This module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.\n\nThe module doesn't sufficiently sanitize editor input in certain circumstances leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability requires the user have 'administer Easy Breadcrumb settings permission'.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/easy_breadcrumb" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.0" + } + ], + "database_specific": { + "constraint": "<1.13.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.13.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2020-027" + } + ], + "credits": [ + { + "name": "Greg Boggs", + "contact": [ + "https://www.drupal.org/user/153069" + ] + } + ] +} diff --git a/advisories/easy_breadcrumb/DSA-CONTRIB-2020-027.json b/advisories/easy_breadcrumb/DSA-CONTRIB-2020-027.json deleted file mode 100644 index c2843b4e..00000000 --- a/advisories/easy_breadcrumb/DSA-CONTRIB-2020-027.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2020-027", - "modified": "2023-08-11T17:49:02.000Z", - "published": "2020-07-22T17:58:17.000Z", - "aliases": [], - "details": "This module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.\n\nThe module doesn't sufficiently sanitize editor input in certain circumstances leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability requires the user have 'administer Easy Breadcrumb settings permission'.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/easy_breadcrumb" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.13.0" - } - ], - "database_specific": { - "constraint": "<1.13.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.13.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2020-027" - } - ], - "credits": [ - { - "name": "Greg Boggs", - "contact": [ - "https://www.drupal.org/user/153069" - ] - } - ] -} diff --git a/advisories/eca/DRUPAL-CONTRIB-2025-031.json b/advisories/eca/DRUPAL-CONTRIB-2025-031.json new file mode 100644 index 00000000..bbdc635b --- /dev/null +++ b/advisories/eca/DRUPAL-CONTRIB-2025-031.json @@ -0,0 +1,94 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-031", + "modified": "2025-04-10T16:01:51.000Z", + "published": "2025-04-09T17:04:15.000Z", + "aliases": [ + "CVE-2025-3131" + ], + "details": "This module enables you to define automations on your Drupal site.\n\nThe module doesn't sufficiently protect certain routes from CSRF attacks.\n\nThis vulnerability can be mitigated by disabling the \"eca\\_ui\" submodule, which leaves ECA functionality intact, but the vulnerable routes will no longer be available.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/eca" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.12" + } + ], + "database_specific": { + "constraint": "<1.1.12" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.16" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.16" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.1.0" + }, + { + "fixed": "2.1.7" + } + ], + "database_specific": { + "constraint": ">=2.1.0 <2.1.7" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.2.0" + }, + { + "fixed": "1.3.0" + } + ], + "database_specific": { + "constraint": "1.2.*" + } + } + ], + "database_specific": { + "affected_versions": "<1.1.12 || >=2.0.0 <2.0.16 || >=2.1.0 <2.1.7 || 1.2.*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-031" + } + ], + "credits": [ + { + "name": "Juraj Nemec (poker10)", + "contact": [ + "https://www.drupal.org/u/poker10" + ] + } + ] +} diff --git a/advisories/eca/DSA-CONTRIB-2025-031.json b/advisories/eca/DSA-CONTRIB-2025-031.json deleted file mode 100644 index be00b5c6..00000000 --- a/advisories/eca/DSA-CONTRIB-2025-031.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-031", - "modified": "2025-04-10T16:01:51.000Z", - "published": "2025-04-09T17:04:15.000Z", - "aliases": [ - "CVE-2025-3131" - ], - "details": "This module enables you to define automations on your Drupal site.\n\nThe module doesn't sufficiently protect certain routes from CSRF attacks.\n\nThis vulnerability can be mitigated by disabling the \"eca\\_ui\" submodule, which leaves ECA functionality intact, but the vulnerable routes will no longer be available.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/eca" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.1.12" - } - ], - "database_specific": { - "constraint": "<1.1.12" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.16" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.16" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.1.0" - }, - { - "fixed": "2.1.7" - } - ], - "database_specific": { - "constraint": ">=2.1.0 <2.1.7" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.2.0" - }, - { - "fixed": "1.3.0" - } - ], - "database_specific": { - "constraint": "1.2.*" - } - } - ], - "database_specific": { - "affected_versions": "<1.1.12 || >=2.0.0 <2.0.16 || >=2.1.0 <2.1.7 || 1.2.*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-031" - } - ], - "credits": [ - { - "name": "Juraj Nemec (poker10)", - "contact": [ - "https://www.drupal.org/u/poker10" - ] - } - ] -} diff --git a/advisories/elf/DRUPAL-CONTRIB-2019-063.json b/advisories/elf/DRUPAL-CONTRIB-2019-063.json new file mode 100644 index 00000000..71557d07 --- /dev/null +++ b/advisories/elf/DRUPAL-CONTRIB-2019-063.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-063", + "modified": "2023-08-11T18:33:56.000Z", + "published": "2019-08-14T17:26:13.000Z", + "aliases": [], + "details": "The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL.\n\nThe module did not have protection for the Redirect URL to go where content authors intended.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/elf" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-063" + } + ], + "credits": [ + { + "name": "Manuel Ad\u00e1n", + "contact": [ + "https://www.drupal.org/user/516420" + ] + } + ] +} diff --git a/advisories/elf/DSA-CONTRIB-2019-063.json b/advisories/elf/DSA-CONTRIB-2019-063.json deleted file mode 100644 index bfc1f43a..00000000 --- a/advisories/elf/DSA-CONTRIB-2019-063.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-063", - "modified": "2023-08-11T18:33:56.000Z", - "published": "2019-08-14T17:26:13.000Z", - "aliases": [], - "details": "The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL.\n\nThe module did not have protection for the Redirect URL to go where content authors intended.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/elf" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-063" - } - ], - "credits": [ - { - "name": "Manuel Ad\u00e1n", - "contact": [ - "https://www.drupal.org/user/516420" - ] - } - ] -} diff --git a/advisories/email_contact/DRUPAL-CONTRIB-2024-020.json b/advisories/email_contact/DRUPAL-CONTRIB-2024-020.json new file mode 100644 index 00000000..1fcea55d --- /dev/null +++ b/advisories/email_contact/DRUPAL-CONTRIB-2024-020.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-020", + "modified": "2025-02-20T18:43:21.000Z", + "published": "2024-05-22T16:03:46.000Z", + "aliases": [ + "CVE-2024-13256" + ], + "details": "The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form.\n\nThe module does not sufficiently handle restricted entity or field access to the mail sending form, when the \"Email contact link\" formatter is used.\n\nThis vulnerability is mitigated by the fact that it requires the \"Email contact link\" formatter to be used.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/email_contact" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.4" + } + ], + "database_specific": { + "constraint": "<2.0.4" + } + } + ], + "database_specific": { + "affected_versions": "<2.0.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-020" + } + ], + "credits": [ + { + "name": "Claudiu Cristea", + "contact": [ + "https://www.drupal.org/user/56348" + ] + } + ] +} diff --git a/advisories/email_contact/DSA-CONTRIB-2024-020.json b/advisories/email_contact/DSA-CONTRIB-2024-020.json deleted file mode 100644 index c6e4aa25..00000000 --- a/advisories/email_contact/DSA-CONTRIB-2024-020.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-020", - "modified": "2025-02-20T18:43:21.000Z", - "published": "2024-05-22T16:03:46.000Z", - "aliases": [ - "CVE-2024-13256" - ], - "details": "The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form.\n\nThe module does not sufficiently handle restricted entity or field access to the mail sending form, when the \"Email contact link\" formatter is used.\n\nThis vulnerability is mitigated by the fact that it requires the \"Email contact link\" formatter to be used.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/email_contact" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.4" - } - ], - "database_specific": { - "constraint": "<2.0.4" - } - } - ], - "database_specific": { - "affected_versions": "<2.0.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-020" - } - ], - "credits": [ - { - "name": "Claudiu Cristea", - "contact": [ - "https://www.drupal.org/user/56348" - ] - } - ] -} diff --git a/advisories/email_tfa/DRUPAL-CONTRIB-2025-001.json b/advisories/email_tfa/DRUPAL-CONTRIB-2025-001.json new file mode 100644 index 00000000..7400613e --- /dev/null +++ b/advisories/email_tfa/DRUPAL-CONTRIB-2025-001.json @@ -0,0 +1,53 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-001", + "modified": "2025-06-19T22:05:09.000Z", + "published": "2025-01-08T17:22:11.000Z", + "aliases": [ + "CVE-2025-31676" + ], + "details": "This module enables you to do Two-Factor Authentication by email, using a user registered email to send a verification code to the user's email every time the user tries to log in to your site.\n\nThe module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the second factor.\n\nThis vulnerability is mitigated by the fact the attacker must be able to present the username and first factor (i.e. password).", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/email_tfa" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.3" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.3" + } + } + ], + "database_specific": { + "affected_versions": ">=2.0.0 <2.0.3", + "patched": true + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-001" + } + ], + "credits": [ + { + "name": "Ursin Cola", + "contact": [ + "https://www.drupal.org/user/679260" + ] + } + ] +} diff --git a/advisories/email_tfa/DSA-CONTRIB-2025-001.json b/advisories/email_tfa/DSA-CONTRIB-2025-001.json deleted file mode 100644 index 5849dfa5..00000000 --- a/advisories/email_tfa/DSA-CONTRIB-2025-001.json +++ /dev/null @@ -1,53 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-001", - "modified": "2025-06-19T22:05:09.000Z", - "published": "2025-01-08T17:22:11.000Z", - "aliases": [ - "CVE-2025-31676" - ], - "details": "This module enables you to do Two-Factor Authentication by email, using a user registered email to send a verification code to the user's email every time the user tries to log in to your site.\n\nThe module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the second factor.\n\nThis vulnerability is mitigated by the fact the attacker must be able to present the username and first factor (i.e. password).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/email_tfa" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.3" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.3" - } - } - ], - "database_specific": { - "affected_versions": ">=2.0.0 <2.0.3", - "patched": true - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-001" - } - ], - "credits": [ - { - "name": "Ursin Cola", - "contact": [ - "https://www.drupal.org/user/679260" - ] - } - ] -} diff --git a/advisories/embed/DRUPAL-CONTRIB-2022-042.json b/advisories/embed/DRUPAL-CONTRIB-2022-042.json new file mode 100644 index 00000000..8197fa76 --- /dev/null +++ b/advisories/embed/DRUPAL-CONTRIB-2022-042.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-042", + "modified": "2023-08-10T21:02:21.000Z", + "published": "2022-05-25T16:45:17.000Z", + "aliases": [], + "details": "The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields.\n\nIn certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some cases, this could lead to Cross-Site Request Forgery.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/embed" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.0" + } + ], + "database_specific": { + "constraint": "<1.5.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.5.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-042" + } + ], + "credits": [ + { + "name": "Aaron Zinck", + "contact": [ + "https://www.drupal.org/user/518662" + ] + } + ] +} diff --git a/advisories/embed/DSA-CONTRIB-2022-042.json b/advisories/embed/DSA-CONTRIB-2022-042.json deleted file mode 100644 index b1e65a70..00000000 --- a/advisories/embed/DSA-CONTRIB-2022-042.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-042", - "modified": "2023-08-10T21:02:21.000Z", - "published": "2022-05-25T16:45:17.000Z", - "aliases": [], - "details": "The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields.\n\nIn certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some cases, this could lead to Cross-Site Request Forgery.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/embed" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.5.0" - } - ], - "database_specific": { - "constraint": "<1.5.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.5.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-042" - } - ], - "credits": [ - { - "name": "Aaron Zinck", - "contact": [ - "https://www.drupal.org/user/518662" - ] - } - ] -} diff --git a/advisories/entity_browser/DRUPAL-CONTRIB-2023-002.json b/advisories/entity_browser/DRUPAL-CONTRIB-2023-002.json new file mode 100644 index 00000000..2fb97356 --- /dev/null +++ b/advisories/entity_browser/DRUPAL-CONTRIB-2023-002.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-002", + "modified": "2023-08-10T14:25:24.000Z", + "published": "2023-01-18T17:28:05.000Z", + "aliases": [], + "details": "The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.\n\nEntity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.\n\nThe vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/entity_browser" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.9.0" + } + ], + "database_specific": { + "constraint": "<2.9.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.9.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-002" + } + ], + "credits": [ + { + "name": "Lee Rowlands", + "contact": [ + "https://www.drupal.org/user/395439" + ] + } + ] +} diff --git a/advisories/entity_browser/DSA-CONTRIB-2023-002.json b/advisories/entity_browser/DSA-CONTRIB-2023-002.json deleted file mode 100644 index 5fab3575..00000000 --- a/advisories/entity_browser/DSA-CONTRIB-2023-002.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-002", - "modified": "2023-08-10T14:25:24.000Z", - "published": "2023-01-18T17:28:05.000Z", - "aliases": [], - "details": "The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.\n\nEntity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.\n\nThe vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/entity_browser" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.9.0" - } - ], - "database_specific": { - "constraint": "<2.9.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.9.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-002" - } - ], - "credits": [ - { - "name": "Lee Rowlands", - "contact": [ - "https://www.drupal.org/user/395439" - ] - } - ] -} diff --git a/advisories/entity_browser_block/DRUPAL-CONTRIB-2022-044.json b/advisories/entity_browser_block/DRUPAL-CONTRIB-2022-044.json new file mode 100644 index 00000000..2173a0ad --- /dev/null +++ b/advisories/entity_browser_block/DRUPAL-CONTRIB-2022-044.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-044", + "modified": "2023-08-10T21:33:53.000Z", + "published": "2022-05-25T16:53:45.000Z", + "aliases": [], + "details": "Entity Browser Block provides a Block Plugin for every Entity Browser on your site.\n\nThe module didn't sufficiently check entity view access in the block form.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core \"Block Layout\" page or via a module like Layout Builder.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/entity_browser_block" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-044" + } + ], + "credits": [ + { + "name": "Dan Flanagan", + "contact": [ + "https://www.drupal.org/user/3615359" + ] + } + ] +} diff --git a/advisories/entity_browser_block/DSA-CONTRIB-2022-044.json b/advisories/entity_browser_block/DSA-CONTRIB-2022-044.json deleted file mode 100644 index 24c4539e..00000000 --- a/advisories/entity_browser_block/DSA-CONTRIB-2022-044.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-044", - "modified": "2023-08-10T21:33:53.000Z", - "published": "2022-05-25T16:53:45.000Z", - "aliases": [], - "details": "Entity Browser Block provides a Block Plugin for every Entity Browser on your site.\n\nThe module didn't sufficiently check entity view access in the block form.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core \"Block Layout\" page or via a module like Layout Builder.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/entity_browser_block" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-044" - } - ], - "credits": [ - { - "name": "Dan Flanagan", - "contact": [ - "https://www.drupal.org/user/3615359" - ] - } - ] -} diff --git a/advisories/entity_delete/DRUPAL-CONTRIB-2018-040.json b/advisories/entity_delete/DRUPAL-CONTRIB-2018-040.json new file mode 100644 index 00000000..a2992bd2 --- /dev/null +++ b/advisories/entity_delete/DRUPAL-CONTRIB-2018-040.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-040", + "modified": "2023-08-11T21:31:17.000Z", + "published": "2018-06-06T13:05:27.000Z", + "aliases": [], + "details": "This module enables you to delete any types of entities in bulk.\n\nThe module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process.\n\nThe access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission \"access content\". There is no additional mitigation for the Cross Site Request Forgery vulnerability.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/entity_delete" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.0" + } + ], + "database_specific": { + "constraint": "<1.4.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.4.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-040" + } + ], + "credits": [ + { + "name": "Balazs Janos Tatar", + "contact": [ + "https://www.drupal.org/user/649590" + ] + } + ] +} diff --git a/advisories/entity_delete/DSA-CONTRIB-2018-040.json b/advisories/entity_delete/DSA-CONTRIB-2018-040.json deleted file mode 100644 index 0766ce9a..00000000 --- a/advisories/entity_delete/DSA-CONTRIB-2018-040.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-040", - "modified": "2023-08-11T21:31:17.000Z", - "published": "2018-06-06T13:05:27.000Z", - "aliases": [], - "details": "This module enables you to delete any types of entities in bulk.\n\nThe module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process.\n\nThe access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission \"access content\". There is no additional mitigation for the Cross Site Request Forgery vulnerability.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/entity_delete" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.4.0" - } - ], - "database_specific": { - "constraint": "<1.4.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.4.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-040" - } - ], - "credits": [ - { - "name": "Balazs Janos Tatar", - "contact": [ - "https://www.drupal.org/user/649590" - ] - } - ] -} diff --git a/advisories/entity_delete_log/DRUPAL-CONTRIB-2024-007.json b/advisories/entity_delete_log/DRUPAL-CONTRIB-2024-007.json new file mode 100644 index 00000000..d8ccc76f --- /dev/null +++ b/advisories/entity_delete_log/DRUPAL-CONTRIB-2024-007.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-007", + "modified": "2025-02-20T18:38:01.000Z", + "published": "2024-01-31T17:22:36.000Z", + "aliases": [ + "CVE-2024-13243" + ], + "details": "The Entity Delete Log module tracks the deletion of configured entity types, such as node or comments.\n\nIt does not add sufficient permission to the log report page, allowing an attacker to view information from deleted entities.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/entity_delete_log" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.1" + } + ], + "database_specific": { + "constraint": "<1.1.1" + } + } + ], + "database_specific": { + "affected_versions": "<1.1.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-007" + } + ], + "credits": [ + { + "name": "Ryan Szrama", + "contact": [ + "https://www.drupal.org/user/49344" + ] + } + ] +} diff --git a/advisories/entity_delete_log/DSA-CONTRIB-2024-007.json b/advisories/entity_delete_log/DSA-CONTRIB-2024-007.json deleted file mode 100644 index 7091abae..00000000 --- a/advisories/entity_delete_log/DSA-CONTRIB-2024-007.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-007", - "modified": "2025-02-20T18:38:01.000Z", - "published": "2024-01-31T17:22:36.000Z", - "aliases": [ - "CVE-2024-13243" - ], - "details": "The Entity Delete Log module tracks the deletion of configured entity types, such as node or comments.\n\nIt does not add sufficient permission to the log report page, allowing an attacker to view information from deleted entities.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/entity_delete_log" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.1.1" - } - ], - "database_specific": { - "constraint": "<1.1.1" - } - } - ], - "database_specific": { - "affected_versions": "<1.1.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-007" - } - ], - "credits": [ - { - "name": "Ryan Szrama", - "contact": [ - "https://www.drupal.org/user/49344" - ] - } - ] -} diff --git a/advisories/entity_embed/DRUPAL-CONTRIB-2021-028.json b/advisories/entity_embed/DRUPAL-CONTRIB-2021-028.json new file mode 100644 index 00000000..dc2f258a --- /dev/null +++ b/advisories/entity_embed/DRUPAL-CONTRIB-2021-028.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-028", + "modified": "2023-08-11T17:02:11.000Z", + "published": "2021-09-15T15:28:04.000Z", + "aliases": [ + "CVE-2020-13673" + ], + "details": "This advisory addresses a similar issue to [Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006](https://www.drupal.org/sa-core-2021-006).\n\nThe Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/entity_embed" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-028" + } + ], + "credits": [ + { + "name": "Aaron Zinck", + "contact": [ + "https://www.drupal.org/user/518662" + ] + } + ] +} diff --git a/advisories/entity_embed/DSA-CONTRIB-2021-028.json b/advisories/entity_embed/DSA-CONTRIB-2021-028.json deleted file mode 100644 index 7f144d44..00000000 --- a/advisories/entity_embed/DSA-CONTRIB-2021-028.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-028", - "modified": "2023-08-11T17:02:11.000Z", - "published": "2021-09-15T15:28:04.000Z", - "aliases": [ - "CVE-2020-13673" - ], - "details": "This advisory addresses a similar issue to [Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006](https://www.drupal.org/sa-core-2021-006).\n\nThe Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/entity_embed" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-028" - } - ], - "credits": [ - { - "name": "Aaron Zinck", - "contact": [ - "https://www.drupal.org/user/518662" - ] - } - ] -} diff --git a/advisories/entity_form_steps/DRUPAL-CONTRIB-2024-071.json b/advisories/entity_form_steps/DRUPAL-CONTRIB-2024-071.json new file mode 100644 index 00000000..f494ce0a --- /dev/null +++ b/advisories/entity_form_steps/DRUPAL-CONTRIB-2024-071.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-071", + "modified": "2025-02-20T20:07:52.000Z", + "published": "2024-12-04T16:20:57.000Z", + "aliases": [ + "CVE-2024-13305" + ], + "details": "This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.\n\nThe module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity\\_type] form display' permission allowing access to configure entity form displays.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/entity_form_steps" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.4" + } + ], + "database_specific": { + "constraint": "<1.1.4" + } + } + ], + "database_specific": { + "affected_versions": "<1.1.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-071" + } + ], + "credits": [ + { + "name": "Ide Braakman", + "contact": [ + "https://www.drupal.org/user/1879760" + ] + } + ] +} diff --git a/advisories/entity_form_steps/DSA-CONTRIB-2024-071.json b/advisories/entity_form_steps/DSA-CONTRIB-2024-071.json deleted file mode 100644 index 8957003f..00000000 --- a/advisories/entity_form_steps/DSA-CONTRIB-2024-071.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-071", - "modified": "2025-02-20T20:07:52.000Z", - "published": "2024-12-04T16:20:57.000Z", - "aliases": [ - "CVE-2024-13305" - ], - "details": "This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.\n\nThe module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity\\_type] form display' permission allowing access to configure entity form displays.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/entity_form_steps" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.1.4" - } - ], - "database_specific": { - "constraint": "<1.1.4" - } - } - ], - "database_specific": { - "affected_versions": "<1.1.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-071" - } - ], - "credits": [ - { - "name": "Ide Braakman", - "contact": [ - "https://www.drupal.org/user/1879760" - ] - } - ] -} diff --git a/advisories/entity_print/DRUPAL-CONTRIB-2022-048.json b/advisories/entity_print/DRUPAL-CONTRIB-2022-048.json new file mode 100644 index 00000000..ba7d962a --- /dev/null +++ b/advisories/entity_print/DRUPAL-CONTRIB-2022-048.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-048", + "modified": "2023-08-10T21:36:29.000Z", + "published": "2022-07-13T15:44:42.000Z", + "aliases": [], + "details": "This module enables you to generate print versions of content. \nSome installations of the module make use of the dompdf/dompdf third-party dependency. \nSecurity vulnerabilities exist for versions of dompdf/dompdf < 2.0.0\n\nSee the library release notes for more detail: \n\n### Note on 3rd party vulnerabilities\n\nThis security advisory corresponds to a 3rd party vulnerability. Normally the Drupal Security Team would not issue advisories related to 3rd party code that is shipped separately from a module per our policy (most recent update is [PSA-2019-09-04](https://www.drupal.org/psa-2019-09-04)). In this case, because the module required a specific version and could not be updated without a change to the Drupal module we do issue an advisory.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/entity_print" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.6.0" + } + ], + "database_specific": { + "constraint": "<2.6.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.6.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-048" + } + ], + "credits": [ + { + "name": "Munavir P k", + "contact": [ + "https://www.drupal.org/user/3604066" + ] + }, + { + "name": "szato", + "contact": [ + "https://www.drupal.org/user/389677" + ] + } + ] +} diff --git a/advisories/entity_print/DSA-CONTRIB-2022-048.json b/advisories/entity_print/DSA-CONTRIB-2022-048.json deleted file mode 100644 index fd8d157a..00000000 --- a/advisories/entity_print/DSA-CONTRIB-2022-048.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-048", - "modified": "2023-08-10T21:36:29.000Z", - "published": "2022-07-13T15:44:42.000Z", - "aliases": [], - "details": "This module enables you to generate print versions of content. \nSome installations of the module make use of the dompdf/dompdf third-party dependency. \nSecurity vulnerabilities exist for versions of dompdf/dompdf < 2.0.0\n\nSee the library release notes for more detail: \n\n### Note on 3rd party vulnerabilities\n\nThis security advisory corresponds to a 3rd party vulnerability. Normally the Drupal Security Team would not issue advisories related to 3rd party code that is shipped separately from a module per our policy (most recent update is [PSA-2019-09-04](https://www.drupal.org/psa-2019-09-04)). In this case, because the module required a specific version and could not be updated without a change to the Drupal module we do issue an advisory.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/entity_print" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.6.0" - } - ], - "database_specific": { - "constraint": "<2.6.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.6.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-048" - } - ], - "credits": [ - { - "name": "Munavir P k", - "contact": [ - "https://www.drupal.org/user/3604066" - ] - }, - { - "name": "szato", - "contact": [ - "https://www.drupal.org/user/389677" - ] - } - ] -} diff --git a/advisories/entity_ref_tab_formatter/DRUPAL-CONTRIB-2018-008.json b/advisories/entity_ref_tab_formatter/DRUPAL-CONTRIB-2018-008.json new file mode 100644 index 00000000..9eff7e10 --- /dev/null +++ b/advisories/entity_ref_tab_formatter/DRUPAL-CONTRIB-2018-008.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-008", + "modified": "2023-08-11T21:41:56.000Z", + "published": "2018-02-07T18:45:12.000Z", + "aliases": [], + "details": "This module enables you to show referenced entities in tabs.\n\nThe module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission create/edit content of the content type that is referenced.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/entity_ref_tab_formatter" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.0" + } + ], + "database_specific": { + "constraint": "<1.3.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.3.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-008" + } + ], + "credits": [ + { + "name": "Tatar Balazs Janos", + "contact": [ + "https://www.drupal.org/u/tatarbj" + ] + } + ] +} diff --git a/advisories/entity_ref_tab_formatter/DSA-CONTRIB-2018-008.json b/advisories/entity_ref_tab_formatter/DSA-CONTRIB-2018-008.json deleted file mode 100644 index 72ee6b1b..00000000 --- a/advisories/entity_ref_tab_formatter/DSA-CONTRIB-2018-008.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-008", - "modified": "2023-08-11T21:41:56.000Z", - "published": "2018-02-07T18:45:12.000Z", - "aliases": [], - "details": "This module enables you to show referenced entities in tabs.\n\nThe module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission create/edit content of the content type that is referenced.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/entity_ref_tab_formatter" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.3.0" - } - ], - "database_specific": { - "constraint": "<1.3.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.3.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-008" - } - ], - "credits": [ - { - "name": "Tatar Balazs Janos", - "contact": [ - "https://www.drupal.org/u/tatarbj" - ] - } - ] -} diff --git a/advisories/entity_reference_tree/DRUPAL-CONTRIB-2022-026.json b/advisories/entity_reference_tree/DRUPAL-CONTRIB-2022-026.json new file mode 100644 index 00000000..a5174114 --- /dev/null +++ b/advisories/entity_reference_tree/DRUPAL-CONTRIB-2022-026.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-026", + "modified": "2023-08-11T13:50:17.000Z", + "published": "2022-02-23T17:10:52.000Z", + "aliases": [], + "details": "This module provides an entity relationship hierarchy tree widget for an entity reference field.\n\nThe module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/entity_reference_tree" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.2" + } + ], + "database_specific": { + "constraint": "<2.0.2" + } + } + ], + "database_specific": { + "affected_versions": "<2.0.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-026" + } + ], + "credits": [ + { + "name": "Jeroen Vreuls", + "contact": [ + "https://www.drupal.org/user/2700643" + ] + } + ] +} diff --git a/advisories/entity_reference_tree/DSA-CONTRIB-2022-026.json b/advisories/entity_reference_tree/DSA-CONTRIB-2022-026.json deleted file mode 100644 index 91d4fc0f..00000000 --- a/advisories/entity_reference_tree/DSA-CONTRIB-2022-026.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-026", - "modified": "2023-08-11T13:50:17.000Z", - "published": "2022-02-23T17:10:52.000Z", - "aliases": [], - "details": "This module provides an entity relationship hierarchy tree widget for an entity reference field.\n\nThe module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/entity_reference_tree" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.2" - } - ], - "database_specific": { - "constraint": "<2.0.2" - } - } - ], - "database_specific": { - "affected_versions": "<2.0.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-026" - } - ], - "credits": [ - { - "name": "Jeroen Vreuls", - "contact": [ - "https://www.drupal.org/user/2700643" - ] - } - ] -} diff --git a/advisories/etracker/DRUPAL-CONTRIB-2025-074.json b/advisories/etracker/DRUPAL-CONTRIB-2025-074.json new file mode 100644 index 00000000..db368d26 --- /dev/null +++ b/advisories/etracker/DRUPAL-CONTRIB-2025-074.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-074", + "modified": "2025-05-29T18:16:36.000Z", + "published": "2025-05-28T17:44:33.000Z", + "aliases": [ + "CVE-2025-48920" + ], + "details": "The module adds the etracker web statistics tracking system to your website.\n\nThe cookies\\_etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.\n\nA potential attacker would at least need permission to create and publish HTML (e.g. content or comments).", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/etracker" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.1.0" + } + ], + "database_specific": { + "constraint": "<3.1.0" + } + } + ], + "database_specific": { + "affected_versions": "<3.1.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-074" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/etracker/DSA-CONTRIB-2025-074.json b/advisories/etracker/DSA-CONTRIB-2025-074.json deleted file mode 100644 index 2c4986c8..00000000 --- a/advisories/etracker/DSA-CONTRIB-2025-074.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-074", - "modified": "2025-05-29T18:16:36.000Z", - "published": "2025-05-28T17:44:33.000Z", - "aliases": [ - "CVE-2025-48920" - ], - "details": "The module adds the etracker web statistics tracking system to your website.\n\nThe cookies\\_etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.\n\nA potential attacker would at least need permission to create and publish HTML (e.g. content or comments).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/etracker" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.1.0" - } - ], - "database_specific": { - "constraint": "<3.1.0" - } - } - ], - "database_specific": { - "affected_versions": "<3.1.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-074" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/eu_cookie_compliance/DRUPAL-CONTRIB-2019-033.json b/advisories/eu_cookie_compliance/DRUPAL-CONTRIB-2019-033.json new file mode 100644 index 00000000..517384ad --- /dev/null +++ b/advisories/eu_cookie_compliance/DRUPAL-CONTRIB-2019-033.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-033", + "modified": "2023-08-11T18:50:05.000Z", + "published": "2019-03-06T18:16:22.000Z", + "aliases": [], + "details": "This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or otherwise handles their personal information.\n\nThe module doesn't sufficiently sanitize data for some interface labels and strings shown in the cookie policy banner, opening up possibility of Cross Site Scripting exploits that can be created by somebody that has access to the admin interface of the module.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"Administer EU Cookie Compliance banner\". For Drupal 8, the vulnerability also requires access to a text format that doesn't sanitize data.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/eu_cookie_compliance" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.0" + } + ], + "database_specific": { + "constraint": "<1.3.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.3.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-033" + } + ], + "credits": [ + { + "name": "Yonatan Offek", + "contact": [ + "https://www.drupal.org/user/194009" + ] + } + ] +} diff --git a/advisories/eu_cookie_compliance/DRUPAL-CONTRIB-2025-072.json b/advisories/eu_cookie_compliance/DRUPAL-CONTRIB-2025-072.json new file mode 100644 index 00000000..5fda919b --- /dev/null +++ b/advisories/eu_cookie_compliance/DRUPAL-CONTRIB-2025-072.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-072", + "modified": "2025-05-29T18:16:59.000Z", + "published": "2025-05-28T17:43:44.000Z", + "aliases": [ + "CVE-2025-48917" + ], + "details": "This module addresses the General Data Protection Regulation (GDPR) and the EU Directive on Privacy and Electronic Communications.\n\nThe module doesn't sufficiently verify whether \"disabled JavaScript\" entries are valid or correspond to actual scripts on the page. As a result, an attacker could inject and execute arbitrary JavaScript by adding invalid or non-existent entries, which the module then attempts to process.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"Administer EU Cookie Compliance banner\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/eu_cookie_compliance" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.26.0" + } + ], + "database_specific": { + "constraint": "<1.26.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.26.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-072" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/eu_cookie_compliance/DSA-CONTRIB-2019-033.json b/advisories/eu_cookie_compliance/DSA-CONTRIB-2019-033.json deleted file mode 100644 index f7abca4f..00000000 --- a/advisories/eu_cookie_compliance/DSA-CONTRIB-2019-033.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-033", - "modified": "2023-08-11T18:50:05.000Z", - "published": "2019-03-06T18:16:22.000Z", - "aliases": [], - "details": "This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or otherwise handles their personal information.\n\nThe module doesn't sufficiently sanitize data for some interface labels and strings shown in the cookie policy banner, opening up possibility of Cross Site Scripting exploits that can be created by somebody that has access to the admin interface of the module.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"Administer EU Cookie Compliance banner\". For Drupal 8, the vulnerability also requires access to a text format that doesn't sanitize data.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/eu_cookie_compliance" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.3.0" - } - ], - "database_specific": { - "constraint": "<1.3.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.3.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-033" - } - ], - "credits": [ - { - "name": "Yonatan Offek", - "contact": [ - "https://www.drupal.org/user/194009" - ] - } - ] -} diff --git a/advisories/eu_cookie_compliance/DSA-CONTRIB-2025-072.json b/advisories/eu_cookie_compliance/DSA-CONTRIB-2025-072.json deleted file mode 100644 index 799afd55..00000000 --- a/advisories/eu_cookie_compliance/DSA-CONTRIB-2025-072.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-072", - "modified": "2025-05-29T18:16:59.000Z", - "published": "2025-05-28T17:43:44.000Z", - "aliases": [ - "CVE-2025-48917" - ], - "details": "This module addresses the General Data Protection Regulation (GDPR) and the EU Directive on Privacy and Electronic Communications.\n\nThe module doesn't sufficiently verify whether \"disabled JavaScript\" entries are valid or correspond to actual scripts on the page. As a result, an attacker could inject and execute arbitrary JavaScript by adding invalid or non-existent entries, which the module then attempts to process.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"Administer EU Cookie Compliance banner\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/eu_cookie_compliance" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.26.0" - } - ], - "database_specific": { - "constraint": "<1.26.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.26.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-072" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/events_log_track/DRUPAL-CONTRIB-2025-059.json b/advisories/events_log_track/DRUPAL-CONTRIB-2025-059.json new file mode 100644 index 00000000..4fb3ae6e --- /dev/null +++ b/advisories/events_log_track/DRUPAL-CONTRIB-2025-059.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-059", + "modified": "2025-05-29T18:18:54.000Z", + "published": "2025-05-14T18:04:52.000Z", + "aliases": [ + "CVE-2025-4416" + ], + "details": "The Events Log Track module enables you to log specific events on a Drupal site.\n\nThe module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/events_log_track" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.1.11" + } + ], + "database_specific": { + "constraint": "<3.1.11" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.2" + } + ], + "database_specific": { + "constraint": ">=4.0.0 <4.0.2" + } + } + ], + "database_specific": { + "affected_versions": "<3.1.11 || >=4.0.0 <4.0.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-059" + } + ], + "credits": [ + { + "name": "Scott Phillips (scottatdrake)", + "contact": [ + "https://www.drupal.org/u/scottatdrake" + ] + } + ] +} diff --git a/advisories/events_log_track/DSA-CONTRIB-2025-059.json b/advisories/events_log_track/DSA-CONTRIB-2025-059.json deleted file mode 100644 index 595c9453..00000000 --- a/advisories/events_log_track/DSA-CONTRIB-2025-059.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-059", - "modified": "2025-05-29T18:18:54.000Z", - "published": "2025-05-14T18:04:52.000Z", - "aliases": [ - "CVE-2025-4416" - ], - "details": "The Events Log Track module enables you to log specific events on a Drupal site.\n\nThe module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/events_log_track" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.1.11" - } - ], - "database_specific": { - "constraint": "<3.1.11" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "4.0.0" - }, - { - "fixed": "4.0.2" - } - ], - "database_specific": { - "constraint": ">=4.0.0 <4.0.2" - } - } - ], - "database_specific": { - "affected_versions": "<3.1.11 || >=4.0.0 <4.0.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-059" - } - ], - "credits": [ - { - "name": "Scott Phillips (scottatdrake)", - "contact": [ - "https://www.drupal.org/u/scottatdrake" - ] - } - ] -} diff --git a/advisories/examples/DRUPAL-CONTRIB-2020-035.json b/advisories/examples/DRUPAL-CONTRIB-2020-035.json new file mode 100644 index 00000000..30eefeaa --- /dev/null +++ b/advisories/examples/DRUPAL-CONTRIB-2020-035.json @@ -0,0 +1,78 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2020-035", + "modified": "2023-08-11T17:43:11.000Z", + "published": "2020-11-18T17:15:24.000Z", + "aliases": [], + "details": "The File Example submodule within the Examples project does not properly sanitize certain filenames as described in [SA-CORE-2020-012](https://www.drupal.org/sa-core-2020-012), along with other related vulnerabilities.\n\nTherefore, File Example so is being removed from Examples until a version demonstrating file security best practices can added back in the future.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/examples" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "last_affected": "1.0.0" + } + ], + "database_specific": { + "constraint": "1.0.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "last_affected": "3.0.0" + } + ], + "database_specific": { + "constraint": "3.0.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.1" + }, + { + "last_affected": "3.0.1" + } + ], + "database_specific": { + "constraint": "3.0.1" + } + } + ], + "database_specific": { + "affected_versions": "1.0.0 || 3.0.0 || 3.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2020-035" + } + ], + "credits": [ + { + "name": "Alex Pott", + "contact": [ + "https://www.drupal.org/user/157725" + ] + } + ] +} diff --git a/advisories/examples/DSA-CONTRIB-2020-035.json b/advisories/examples/DSA-CONTRIB-2020-035.json deleted file mode 100644 index ddb83dcf..00000000 --- a/advisories/examples/DSA-CONTRIB-2020-035.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2020-035", - "modified": "2023-08-11T17:43:11.000Z", - "published": "2020-11-18T17:15:24.000Z", - "aliases": [], - "details": "The File Example submodule within the Examples project does not properly sanitize certain filenames as described in [SA-CORE-2020-012](https://www.drupal.org/sa-core-2020-012), along with other related vulnerabilities.\n\nTherefore, File Example so is being removed from Examples until a version demonstrating file security best practices can added back in the future.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/examples" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.0.0" - }, - { - "last_affected": "1.0.0" - } - ], - "database_specific": { - "constraint": "1.0.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.0" - }, - { - "last_affected": "3.0.0" - } - ], - "database_specific": { - "constraint": "3.0.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.1" - }, - { - "last_affected": "3.0.1" - } - ], - "database_specific": { - "constraint": "3.0.1" - } - } - ], - "database_specific": { - "affected_versions": "1.0.0 || 3.0.0 || 3.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2020-035" - } - ], - "credits": [ - { - "name": "Alex Pott", - "contact": [ - "https://www.drupal.org/user/157725" - ] - } - ] -} diff --git a/advisories/exif/DRUPAL-CONTRIB-2018-017.json b/advisories/exif/DRUPAL-CONTRIB-2018-017.json new file mode 100644 index 00000000..a29d05e4 --- /dev/null +++ b/advisories/exif/DRUPAL-CONTRIB-2018-017.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-017", + "modified": "2023-08-11T21:44:22.000Z", + "published": "2018-03-21T17:05:41.000Z", + "aliases": [], + "details": "This module enables you to retrieve image metadata and use them in fields or title.\n\nThe module doesn't sufficiently restrict access to module setting pages thereby causing an access bypass vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/exif" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.1.0" + } + ], + "database_specific": { + "constraint": "<1.1.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.1.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-017" + } + ], + "credits": [ + { + "name": "Jean-Francois Hovinne", + "contact": [ + "https://www.drupal.org/user/77723" + ] + } + ] +} diff --git a/advisories/exif/DRUPAL-CONTRIB-2022-015.json b/advisories/exif/DRUPAL-CONTRIB-2022-015.json new file mode 100644 index 00000000..d950d953 --- /dev/null +++ b/advisories/exif/DRUPAL-CONTRIB-2022-015.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-015", + "modified": "2023-08-11T14:02:31.000Z", + "published": "2022-01-25T18:39:13.000Z", + "aliases": [], + "details": "This module enables you to automatically scan images uploaded to the site to extract their meta data and store it in taxonomy structures.\n\nThe module doesn't sufficiently protect against malicious files being used to attack the site.\n\nThis vulnerability is mitigated by the fact that an attacker must have permission to upload images to the site.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/exif" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.0" + } + ], + "database_specific": { + "constraint": "<1.3.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.3.0" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.3.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.3.0 || >=2.0.0 <2.3.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-015" + } + ], + "credits": [ + { + "name": "Patrick Fey", + "contact": [ + "https://www.drupal.org/user/998680" + ] + } + ] +} diff --git a/advisories/exif/DSA-CONTRIB-2018-017.json b/advisories/exif/DSA-CONTRIB-2018-017.json deleted file mode 100644 index bf0e9ccf..00000000 --- a/advisories/exif/DSA-CONTRIB-2018-017.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-017", - "modified": "2023-08-11T21:44:22.000Z", - "published": "2018-03-21T17:05:41.000Z", - "aliases": [], - "details": "This module enables you to retrieve image metadata and use them in fields or title.\n\nThe module doesn't sufficiently restrict access to module setting pages thereby causing an access bypass vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/exif" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.1.0" - } - ], - "database_specific": { - "constraint": "<1.1.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.1.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-017" - } - ], - "credits": [ - { - "name": "Jean-Francois Hovinne", - "contact": [ - "https://www.drupal.org/user/77723" - ] - } - ] -} diff --git a/advisories/exif/DSA-CONTRIB-2022-015.json b/advisories/exif/DSA-CONTRIB-2022-015.json deleted file mode 100644 index dede36d8..00000000 --- a/advisories/exif/DSA-CONTRIB-2022-015.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-015", - "modified": "2023-08-11T14:02:31.000Z", - "published": "2022-01-25T18:39:13.000Z", - "aliases": [], - "details": "This module enables you to automatically scan images uploaded to the site to extract their meta data and store it in taxonomy structures.\n\nThe module doesn't sufficiently protect against malicious files being used to attack the site.\n\nThis vulnerability is mitigated by the fact that an attacker must have permission to upload images to the site.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/exif" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.3.0" - } - ], - "database_specific": { - "constraint": "<1.3.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.3.0" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.3.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.3.0 || >=2.0.0 <2.3.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-015" - } - ], - "credits": [ - { - "name": "Patrick Fey", - "contact": [ - "https://www.drupal.org/user/998680" - ] - } - ] -} diff --git a/advisories/existing_values_autocomplete_widget/DRUPAL-CONTRIB-2019-060.json b/advisories/existing_values_autocomplete_widget/DRUPAL-CONTRIB-2019-060.json new file mode 100644 index 00000000..8c8f2a9e --- /dev/null +++ b/advisories/existing_values_autocomplete_widget/DRUPAL-CONTRIB-2019-060.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-060", + "modified": "2023-08-11T18:32:38.000Z", + "published": "2019-07-24T17:36:23.000Z", + "aliases": [], + "details": "This module provides an autocomplete widget for text fields that suggests all existing (previously entered) values for that field.\n\nThe module doesn't sufficiently check for proper access permission before returning autocomplete results.\n\nThis vulnerability is mitigated by the fact that an attacker must know the route to the autocomplete callback controller though this is easily known.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/existing_values_autocomplete_widget" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-060" + } + ], + "credits": [ + { + "name": "David Stinemetze", + "contact": [ + "https://www.drupal.org/user/2508346" + ] + } + ] +} diff --git a/advisories/existing_values_autocomplete_widget/DSA-CONTRIB-2019-060.json b/advisories/existing_values_autocomplete_widget/DSA-CONTRIB-2019-060.json deleted file mode 100644 index 9531c2a6..00000000 --- a/advisories/existing_values_autocomplete_widget/DSA-CONTRIB-2019-060.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-060", - "modified": "2023-08-11T18:32:38.000Z", - "published": "2019-07-24T17:36:23.000Z", - "aliases": [], - "details": "This module provides an autocomplete widget for text fields that suggests all existing (previously entered) values for that field.\n\nThe module doesn't sufficiently check for proper access permission before returning autocomplete results.\n\nThis vulnerability is mitigated by the fact that an attacker must know the route to the autocomplete callback controller though this is easily known.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/existing_values_autocomplete_widget" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-060" - } - ], - "credits": [ - { - "name": "David Stinemetze", - "contact": [ - "https://www.drupal.org/user/2508346" - ] - } - ] -} diff --git a/advisories/expandable_formatter/DRUPAL-CONTRIB-2023-028.json b/advisories/expandable_formatter/DRUPAL-CONTRIB-2023-028.json new file mode 100644 index 00000000..74190f09 --- /dev/null +++ b/advisories/expandable_formatter/DRUPAL-CONTRIB-2023-028.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-028", + "modified": "2023-07-31T21:17:11.000Z", + "published": "2023-06-28T17:21:37.000Z", + "aliases": [], + "details": "This module enables you to render a field in an expandable/collapsible region.\n\nThe module doesn't sufficiently sanitize the field content when displaying it to an end user.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/expandable_formatter" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.0" + } + ], + "database_specific": { + "constraint": "<1.4.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.4.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-028" + } + ], + "credits": [ + { + "name": "Mariusz Andrzejewski", + "contact": [ + "https://www.drupal.org/user/3517832" + ] + }, + { + "name": "Mitch Portier", + "contact": [ + "https://www.drupal.org/user/2284182" + ] + } + ] +} diff --git a/advisories/expandable_formatter/DSA-CONTRIB-2023-028.json b/advisories/expandable_formatter/DSA-CONTRIB-2023-028.json deleted file mode 100644 index 1c44144c..00000000 --- a/advisories/expandable_formatter/DSA-CONTRIB-2023-028.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-028", - "modified": "2023-07-31T21:17:11.000Z", - "published": "2023-06-28T17:21:37.000Z", - "aliases": [], - "details": "This module enables you to render a field in an expandable/collapsible region.\n\nThe module doesn't sufficiently sanitize the field content when displaying it to an end user.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/expandable_formatter" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.4.0" - } - ], - "database_specific": { - "constraint": "<1.4.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.4.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-028" - } - ], - "credits": [ - { - "name": "Mariusz Andrzejewski", - "contact": [ - "https://www.drupal.org/user/3517832" - ] - }, - { - "name": "Mitch Portier", - "contact": [ - "https://www.drupal.org/user/2284182" - ] - } - ] -} diff --git a/advisories/expire_reset_pass_link/DRUPAL-CONTRIB-2022-009.json b/advisories/expire_reset_pass_link/DRUPAL-CONTRIB-2022-009.json new file mode 100644 index 00000000..a1b990d0 --- /dev/null +++ b/advisories/expire_reset_pass_link/DRUPAL-CONTRIB-2022-009.json @@ -0,0 +1,40 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-009", + "modified": "2023-08-11T14:02:59.000Z", + "published": "2022-01-25T18:36:37.000Z", + "aliases": [], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/expire_reset_pass_link" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-009" + } + ], + "credits": [] +} diff --git a/advisories/expire_reset_pass_link/DSA-CONTRIB-2022-009.json b/advisories/expire_reset_pass_link/DSA-CONTRIB-2022-009.json deleted file mode 100644 index 748f45c0..00000000 --- a/advisories/expire_reset_pass_link/DSA-CONTRIB-2022-009.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-009", - "modified": "2023-08-11T14:02:59.000Z", - "published": "2022-01-25T18:36:37.000Z", - "aliases": [], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/expire_reset_pass_link" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-009" - } - ], - "credits": [] -} diff --git a/advisories/fac/DRUPAL-CONTRIB-2021-005.json b/advisories/fac/DRUPAL-CONTRIB-2021-005.json new file mode 100644 index 00000000..1738e02a --- /dev/null +++ b/advisories/fac/DRUPAL-CONTRIB-2021-005.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-005", + "modified": "2023-08-11T17:15:48.000Z", + "published": "2021-03-17T18:36:07.000Z", + "aliases": [], + "details": "The [Fast Autocomplete module](https://www.drupal.org/project/fac) provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be provided to the browser relatively fast without the need for Drupal to be bootstrapped.\n\nThe module doesn't correctly generate certain hashes when the configuration option \"Perform search as anonymous user only\" is switched from the default on value to off.\n\nThis enables a malicious user to read search results generated by users with other roles, disclosing search results the user normally has no access to.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/fac" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.0" + } + ], + "database_specific": { + "constraint": "<1.8.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.8.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-005" + } + ], + "credits": [ + { + "name": "Heine Deelstra", + "contact": [ + "https://www.drupal.org/user/17943" + ] + } + ] +} diff --git a/advisories/fac/DSA-CONTRIB-2021-005.json b/advisories/fac/DSA-CONTRIB-2021-005.json deleted file mode 100644 index d74e24d4..00000000 --- a/advisories/fac/DSA-CONTRIB-2021-005.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-005", - "modified": "2023-08-11T17:15:48.000Z", - "published": "2021-03-17T18:36:07.000Z", - "aliases": [], - "details": "The [Fast Autocomplete module](https://www.drupal.org/project/fac) provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be provided to the browser relatively fast without the need for Drupal to be bootstrapped.\n\nThe module doesn't correctly generate certain hashes when the configuration option \"Perform search as anonymous user only\" is switched from the default on value to off.\n\nThis enables a malicious user to read search results generated by users with other roles, disclosing search results the user normally has no access to.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/fac" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.8.0" - } - ], - "database_specific": { - "constraint": "<1.8.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.8.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-005" - } - ], - "credits": [ - { - "name": "Heine Deelstra", - "contact": [ - "https://www.drupal.org/user/17943" - ] - } - ] -} diff --git a/advisories/facets/DRUPAL-CONTRIB-2019-030.json b/advisories/facets/DRUPAL-CONTRIB-2019-030.json new file mode 100644 index 00000000..ffaffdfb --- /dev/null +++ b/advisories/facets/DRUPAL-CONTRIB-2019-030.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-030", + "modified": "2023-08-11T18:48:35.000Z", + "published": "2019-02-27T17:28:36.000Z", + "aliases": [], + "details": "This module enables you to create facet-filters for results of a search query and exposes them as blocks\n\nThe module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by two factors. First, an attacker must have a way to insert results in the dataset that is exposed as a facet before this can happen. The permission to inject malicious strings depends on the site's search configuration but could be available to any user who can create content in a site. Second, the site must be using the Javascript-based dropdown widget.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/facets" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.3.0" + } + ], + "database_specific": { + "constraint": "<1.3.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.3.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-030" + } + ], + "credits": [ + { + "name": "Ide Braakman", + "contact": [ + "https://www.drupal.org/user/1879760" + ] + } + ] +} diff --git a/advisories/facets/DRUPAL-CONTRIB-2021-008.json b/advisories/facets/DRUPAL-CONTRIB-2021-008.json new file mode 100644 index 00000000..1fd8a04f --- /dev/null +++ b/advisories/facets/DRUPAL-CONTRIB-2021-008.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-008", + "modified": "2023-08-11T17:17:58.000Z", + "published": "2021-05-12T16:14:35.000Z", + "aliases": [], + "details": "This module enables you to add customizable facets on search pages, from core search or searches provided by Search API.\n\nThe module doesn't sufficiently filter all output in certain circumstances.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer facets\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/facets" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.0" + } + ], + "database_specific": { + "constraint": "<1.8.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.8.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-008" + } + ], + "credits": [ + { + "name": "Ide Braakman", + "contact": [ + "https://www.drupal.org/user/1879760" + ] + } + ] +} diff --git a/advisories/facets/DRUPAL-CONTRIB-2024-047.json b/advisories/facets/DRUPAL-CONTRIB-2024-047.json new file mode 100644 index 00000000..7461e913 --- /dev/null +++ b/advisories/facets/DRUPAL-CONTRIB-2024-047.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-047", + "modified": "2025-02-20T19:26:17.000Z", + "published": "2024-10-09T15:54:27.000Z", + "aliases": [ + "CVE-2024-13283" + ], + "details": "This module enables you to to easily create and manage faceted search interfaces.\n\nThe module doesn't sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability.\n\nThe vulnerability exists in the Facets Summary submodule. If you do not use that sub module your site is not vulnerable to this issue.\n\n*Edited October 9, 2024: clarified that Facets Summary is where the vulnerability is located*", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/facets" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.9" + } + ], + "database_specific": { + "constraint": "<2.0.9" + } + } + ], + "database_specific": { + "affected_versions": "<2.0.9" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-047" + } + ], + "credits": [ + { + "name": "Andrea Racco", + "contact": [ + "https://www.drupal.org/user/2950843" + ] + } + ] +} diff --git a/advisories/facets/DSA-CONTRIB-2019-030.json b/advisories/facets/DSA-CONTRIB-2019-030.json deleted file mode 100644 index 3e96a97a..00000000 --- a/advisories/facets/DSA-CONTRIB-2019-030.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-030", - "modified": "2023-08-11T18:48:35.000Z", - "published": "2019-02-27T17:28:36.000Z", - "aliases": [], - "details": "This module enables you to create facet-filters for results of a search query and exposes them as blocks\n\nThe module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by two factors. First, an attacker must have a way to insert results in the dataset that is exposed as a facet before this can happen. The permission to inject malicious strings depends on the site's search configuration but could be available to any user who can create content in a site. Second, the site must be using the Javascript-based dropdown widget.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/facets" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.3.0" - } - ], - "database_specific": { - "constraint": "<1.3.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.3.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-030" - } - ], - "credits": [ - { - "name": "Ide Braakman", - "contact": [ - "https://www.drupal.org/user/1879760" - ] - } - ] -} diff --git a/advisories/facets/DSA-CONTRIB-2021-008.json b/advisories/facets/DSA-CONTRIB-2021-008.json deleted file mode 100644 index 23bd2ff1..00000000 --- a/advisories/facets/DSA-CONTRIB-2021-008.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-008", - "modified": "2023-08-11T17:17:58.000Z", - "published": "2021-05-12T16:14:35.000Z", - "aliases": [], - "details": "This module enables you to add customizable facets on search pages, from core search or searches provided by Search API.\n\nThe module doesn't sufficiently filter all output in certain circumstances.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer facets\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/facets" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.8.0" - } - ], - "database_specific": { - "constraint": "<1.8.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.8.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-008" - } - ], - "credits": [ - { - "name": "Ide Braakman", - "contact": [ - "https://www.drupal.org/user/1879760" - ] - } - ] -} diff --git a/advisories/facets/DSA-CONTRIB-2024-047.json b/advisories/facets/DSA-CONTRIB-2024-047.json deleted file mode 100644 index b6905354..00000000 --- a/advisories/facets/DSA-CONTRIB-2024-047.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-047", - "modified": "2025-02-20T19:26:17.000Z", - "published": "2024-10-09T15:54:27.000Z", - "aliases": [ - "CVE-2024-13283" - ], - "details": "This module enables you to to easily create and manage faceted search interfaces.\n\nThe module doesn't sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability.\n\nThe vulnerability exists in the Facets Summary submodule. If you do not use that sub module your site is not vulnerable to this issue.\n\n*Edited October 9, 2024: clarified that Facets Summary is where the vulnerability is located*", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/facets" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.9" - } - ], - "database_specific": { - "constraint": "<2.0.9" - } - } - ], - "database_specific": { - "affected_versions": "<2.0.9" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-047" - } - ], - "credits": [ - { - "name": "Andrea Racco", - "contact": [ - "https://www.drupal.org/user/2950843" - ] - } - ] -} diff --git a/advisories/fancy_file_delete/DRUPAL-CONTRIB-2022-023.json b/advisories/fancy_file_delete/DRUPAL-CONTRIB-2022-023.json new file mode 100644 index 00000000..e669abae --- /dev/null +++ b/advisories/fancy_file_delete/DRUPAL-CONTRIB-2022-023.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-023", + "modified": "2023-08-11T13:48:49.000Z", + "published": "2022-02-09T15:17:56.000Z", + "aliases": [], + "details": "This module enables you to manage and delete files.\n\nThe module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created.\n\nTo mitigate this issue without deploying code, review all views that are based on Fancy File Delete and ensure they have an access control set to use the permission \"administer unmanaged files entities\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/fancy_file_delete" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.7" + } + ], + "database_specific": { + "constraint": "<2.0.7" + } + } + ], + "database_specific": { + "affected_versions": "<2.0.7" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-023" + } + ], + "credits": [ + { + "name": "Ambient.Impact", + "contact": [ + "https://www.drupal.org/user/1131532" + ] + } + ] +} diff --git a/advisories/fancy_file_delete/DSA-CONTRIB-2022-023.json b/advisories/fancy_file_delete/DSA-CONTRIB-2022-023.json deleted file mode 100644 index 11d6dc66..00000000 --- a/advisories/fancy_file_delete/DSA-CONTRIB-2022-023.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-023", - "modified": "2023-08-11T13:48:49.000Z", - "published": "2022-02-09T15:17:56.000Z", - "aliases": [], - "details": "This module enables you to manage and delete files.\n\nThe module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created.\n\nTo mitigate this issue without deploying code, review all views that are based on Fancy File Delete and ensure they have an access control set to use the permission \"administer unmanaged files entities\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/fancy_file_delete" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.7" - } - ], - "database_specific": { - "constraint": "<2.0.7" - } - } - ], - "database_specific": { - "affected_versions": "<2.0.7" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-023" - } - ], - "credits": [ - { - "name": "Ambient.Impact", - "contact": [ - "https://www.drupal.org/user/1131532" - ] - } - ] -} diff --git a/advisories/faq/DSA-CONTRIB-2019-077.json b/advisories/faq/DSA-CONTRIB-2019-077.json deleted file mode 100644 index edf3da0c..00000000 --- a/advisories/faq/DSA-CONTRIB-2019-077.json +++ /dev/null @@ -1,40 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-077", - "modified": "2023-08-11T18:22:53.000Z", - "published": "2019-11-13T18:00:36.000Z", - "aliases": [], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: ", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/faq" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-077" - } - ], - "credits": [] -} diff --git a/advisories/field_slideshow/DRUPAL-CONTRIB-2019-082.json b/advisories/field_slideshow/DRUPAL-CONTRIB-2019-082.json new file mode 100644 index 00000000..55c26a38 --- /dev/null +++ b/advisories/field_slideshow/DRUPAL-CONTRIB-2019-082.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-082", + "modified": "2023-08-11T18:23:20.000Z", + "published": "2019-11-13T18:05:45.000Z", + "aliases": [], + "details": "This module enables you to output a field as a slideshow.\n\nThe module doesn't sufficiently filter strings added to the fields leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have the ability to create content which is output as a slideshow.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/field_slideshow" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.83.0" + } + ], + "database_specific": { + "constraint": "<1.83.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.83.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-082" + } + ], + "credits": [ + { + "name": "Yonatan Offek", + "contact": [ + "https://www.drupal.org/user/194009" + ] + } + ] +} diff --git a/advisories/field_slideshow/DSA-CONTRIB-2019-082.json b/advisories/field_slideshow/DSA-CONTRIB-2019-082.json deleted file mode 100644 index 9751b6f3..00000000 --- a/advisories/field_slideshow/DSA-CONTRIB-2019-082.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-082", - "modified": "2023-08-11T18:23:20.000Z", - "published": "2019-11-13T18:05:45.000Z", - "aliases": [], - "details": "This module enables you to output a field as a slideshow.\n\nThe module doesn't sufficiently filter strings added to the fields leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have the ability to create content which is output as a slideshow.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/field_slideshow" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.83.0" - } - ], - "database_specific": { - "constraint": "<1.83.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.83.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-082" - } - ], - "credits": [ - { - "name": "Yonatan Offek", - "contact": [ - "https://www.drupal.org/user/194009" - ] - } - ] -} diff --git a/advisories/file_chooser_field/DRUPAL-CONTRIB-2023-015.json b/advisories/file_chooser_field/DRUPAL-CONTRIB-2023-015.json new file mode 100644 index 00000000..9635a60c --- /dev/null +++ b/advisories/file_chooser_field/DRUPAL-CONTRIB-2023-015.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-015", + "modified": "2023-08-10T13:58:30.000Z", + "published": "2023-05-17T16:46:26.000Z", + "aliases": [], + "details": "The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox.\n\nThis module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability leading to Information Disclosure. In uncommon configurations and scenarios, it might lead to Remote Code Execution.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/file_chooser_field" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.13.0" + } + ], + "database_specific": { + "constraint": "<1.13" + } + } + ], + "database_specific": { + "affected_versions": "<1.13" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-015" + } + ], + "credits": [ + { + "name": "Drew Webber", + "contact": [ + "https://www.drupal.org/user/255969" + ] + }, + { + "name": "George Hazlewood", + "contact": [ + "https://www.drupal.org/user/2314" + ] + } + ] +} diff --git a/advisories/file_chooser_field/DSA-CONTRIB-2023-015.json b/advisories/file_chooser_field/DSA-CONTRIB-2023-015.json deleted file mode 100644 index dbb6c056..00000000 --- a/advisories/file_chooser_field/DSA-CONTRIB-2023-015.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-015", - "modified": "2023-08-10T13:58:30.000Z", - "published": "2023-05-17T16:46:26.000Z", - "aliases": [], - "details": "The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox.\n\nThis module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability leading to Information Disclosure. In uncommon configurations and scenarios, it might lead to Remote Code Execution.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/file_chooser_field" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.13.0" - } - ], - "database_specific": { - "constraint": "<1.13" - } - } - ], - "database_specific": { - "affected_versions": "<1.13" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-015" - } - ], - "credits": [ - { - "name": "Drew Webber", - "contact": [ - "https://www.drupal.org/user/255969" - ] - }, - { - "name": "George Hazlewood", - "contact": [ - "https://www.drupal.org/user/2314" - ] - } - ] -} diff --git a/advisories/file_download/DRUPAL-CONTRIB-2025-089.json b/advisories/file_download/DRUPAL-CONTRIB-2025-089.json new file mode 100644 index 00000000..73edd003 --- /dev/null +++ b/advisories/file_download/DRUPAL-CONTRIB-2025-089.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-089", + "modified": "2025-07-16T16:46:08.000Z", + "published": "2025-07-16T16:46:08.000Z", + "aliases": [ + "CVE-2025-7717" + ], + "details": "The File Download enables you to allow users to download file and image entities directly using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core statistics module tracks content views.\n\nThe File Download module does not properly validate input when handling file access requests. This can allow users to bypass protections and access private files that should not be publicly available.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/file_download" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.0" + } + ], + "database_specific": { + "constraint": "<1.9.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.1" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.1" + } + } + ], + "database_specific": { + "affected_versions": "<1.9.0 || >=2.0.0 <2.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-089" + } + ], + "credits": [ + { + "name": "Willem Drupal enthousiast (willempje2)", + "contact": [ + "https://www.drupal.org/u/willempje2" + ] + } + ] +} diff --git a/advisories/file_download/DSA-CONTRIB-2025-089.json b/advisories/file_download/DSA-CONTRIB-2025-089.json deleted file mode 100644 index 2e807e57..00000000 --- a/advisories/file_download/DSA-CONTRIB-2025-089.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-089", - "modified": "2025-07-16T16:46:08.000Z", - "published": "2025-07-16T16:46:08.000Z", - "aliases": [ - "CVE-2025-7717" - ], - "details": "The File Download enables you to allow users to download file and image entities directly using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core statistics module tracks content views.\n\nThe File Download module does not properly validate input when handling file access requests. This can allow users to bypass protections and access private files that should not be publicly available.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/file_download" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.9.0" - } - ], - "database_specific": { - "constraint": "<1.9.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.1" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.1" - } - } - ], - "database_specific": { - "affected_versions": "<1.9.0 || >=2.0.0 <2.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-089" - } - ], - "credits": [ - { - "name": "Willem Drupal enthousiast (willempje2)", - "contact": [ - "https://www.drupal.org/u/willempje2" - ] - } - ] -} diff --git a/advisories/file_extractor/DRUPAL-CONTRIB-2021-033.json b/advisories/file_extractor/DRUPAL-CONTRIB-2021-033.json new file mode 100644 index 00000000..d4e95ad9 --- /dev/null +++ b/advisories/file_extractor/DRUPAL-CONTRIB-2021-033.json @@ -0,0 +1,78 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-033", + "modified": "2023-08-11T17:05:59.000Z", + "published": "2021-09-22T16:55:24.000Z", + "aliases": [], + "details": "This module enables you to extract the textual content of files for use on a website, e.g. to display it or use it in search indexes.\n\nThe module doesn't sufficiently protect the administrator-defined commands that are executed on the server, which leads to post-authentication remote code execution by a limited set of users.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"Administer File Extractor\" to access the settings form. Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/file_extractor" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.0.3" + } + ], + "database_specific": { + "constraint": "<2.0.3" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "last_affected": "3.0.0" + } + ], + "database_specific": { + "constraint": "3.0.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "last_affected": "4.0.0" + } + ], + "database_specific": { + "constraint": "4.0.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.0.3 || 3.0.0 || 4.0.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-033" + } + ], + "credits": [ + { + "name": "Florent Torregrosa", + "contact": [ + "https://www.drupal.org/user/2388214" + ] + } + ] +} diff --git a/advisories/file_extractor/DSA-CONTRIB-2021-033.json b/advisories/file_extractor/DSA-CONTRIB-2021-033.json deleted file mode 100644 index 96c60916..00000000 --- a/advisories/file_extractor/DSA-CONTRIB-2021-033.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-033", - "modified": "2023-08-11T17:05:59.000Z", - "published": "2021-09-22T16:55:24.000Z", - "aliases": [], - "details": "This module enables you to extract the textual content of files for use on a website, e.g. to display it or use it in search indexes.\n\nThe module doesn't sufficiently protect the administrator-defined commands that are executed on the server, which leads to post-authentication remote code execution by a limited set of users.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"Administer File Extractor\" to access the settings form. Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/file_extractor" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.0.3" - } - ], - "database_specific": { - "constraint": "<2.0.3" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.0" - }, - { - "last_affected": "3.0.0" - } - ], - "database_specific": { - "constraint": "3.0.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "4.0.0" - }, - { - "last_affected": "4.0.0" - } - ], - "database_specific": { - "constraint": "4.0.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.0.3 || 3.0.0 || 4.0.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-033" - } - ], - "credits": [ - { - "name": "Florent Torregrosa", - "contact": [ - "https://www.drupal.org/user/2388214" - ] - } - ] -} diff --git a/advisories/flattern/DRUPAL-CONTRIB-2025-005.json b/advisories/flattern/DRUPAL-CONTRIB-2025-005.json new file mode 100644 index 00000000..4f324b60 --- /dev/null +++ b/advisories/flattern/DRUPAL-CONTRIB-2025-005.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-005", + "modified": "2025-03-31T22:23:08.000Z", + "published": "2025-01-22T16:59:00.000Z", + "aliases": [ + "CVE-2025-3060" + ], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/flattern" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-005" + } + ], + "credits": [] +} diff --git a/advisories/flattern/DSA-CONTRIB-2025-005.json b/advisories/flattern/DSA-CONTRIB-2025-005.json deleted file mode 100644 index f18b1c8f..00000000 --- a/advisories/flattern/DSA-CONTRIB-2025-005.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-005", - "modified": "2025-03-31T22:23:08.000Z", - "published": "2025-01-22T16:59:00.000Z", - "aliases": [ - "CVE-2025-3060" - ], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/flattern" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-005" - } - ], - "credits": [] -} diff --git a/advisories/fontawesome/DRUPAL-CONTRIB-2019-025.json b/advisories/fontawesome/DRUPAL-CONTRIB-2019-025.json new file mode 100644 index 00000000..91b413b8 --- /dev/null +++ b/advisories/fontawesome/DRUPAL-CONTRIB-2019-025.json @@ -0,0 +1,43 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-025", + "modified": "2023-08-11T18:57:13.000Z", + "published": "2019-02-20T17:56:44.000Z", + "aliases": [], + "details": "This resolves issues described in [SA-CORE-2019-003](https://www.drupal.org/sa-core-2019-003) for this module. Not all configurations are affected. See [SA-CORE-2019-003](https://www.drupal.org/sa-core-2019-003) for details.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/fontawesome" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.12.0" + } + ], + "database_specific": { + "constraint": "<2.12.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.12.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-025" + } + ], + "credits": [] +} diff --git a/advisories/fontawesome/DSA-CONTRIB-2019-025.json b/advisories/fontawesome/DSA-CONTRIB-2019-025.json deleted file mode 100644 index e0958d46..00000000 --- a/advisories/fontawesome/DSA-CONTRIB-2019-025.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-025", - "modified": "2023-08-11T18:57:13.000Z", - "published": "2019-02-20T17:56:44.000Z", - "aliases": [], - "details": "This resolves issues described in [SA-CORE-2019-003](https://www.drupal.org/sa-core-2019-003) for this module. Not all configurations are affected. See [SA-CORE-2019-003](https://www.drupal.org/sa-core-2019-003) for details.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/fontawesome" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.12.0" - } - ], - "database_specific": { - "constraint": "<2.12.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.12.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-025" - } - ], - "credits": [] -} diff --git a/advisories/form_mode_manager/DRUPAL-CONTRIB-2021-023.json b/advisories/form_mode_manager/DRUPAL-CONTRIB-2021-023.json new file mode 100644 index 00000000..72643a2e --- /dev/null +++ b/advisories/form_mode_manager/DRUPAL-CONTRIB-2021-023.json @@ -0,0 +1,62 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-023", + "modified": "2023-08-11T16:57:55.000Z", + "published": "2021-07-21T16:51:57.000Z", + "aliases": [], + "details": "This module provides a user interface that allows the implementation and use of *Form modes* without custom development.\n\nThe module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission to use a specific form mode, for example `use X form mode`.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/form_mode_manager" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.4.0" + } + ], + "database_specific": { + "constraint": "<1.4.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.4.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-023" + } + ], + "credits": [ + { + "name": "Bec", + "contact": [ + "https://www.drupal.org/user/81067" + ] + }, + { + "name": "Byron Duvall", + "contact": [ + "https://www.drupal.org/user/1279040" + ] + }, + { + "name": "Jason Partyka", + "contact": [ + "https://www.drupal.org/user/344048" + ] + } + ] +} diff --git a/advisories/form_mode_manager/DSA-CONTRIB-2021-023.json b/advisories/form_mode_manager/DSA-CONTRIB-2021-023.json deleted file mode 100644 index fbbcc160..00000000 --- a/advisories/form_mode_manager/DSA-CONTRIB-2021-023.json +++ /dev/null @@ -1,62 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-023", - "modified": "2023-08-11T16:57:55.000Z", - "published": "2021-07-21T16:51:57.000Z", - "aliases": [], - "details": "This module provides a user interface that allows the implementation and use of *Form modes* without custom development.\n\nThe module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission to use a specific form mode, for example `use X form mode`.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/form_mode_manager" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.4.0" - } - ], - "database_specific": { - "constraint": "<1.4.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.4.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-023" - } - ], - "credits": [ - { - "name": "Bec", - "contact": [ - "https://www.drupal.org/user/81067" - ] - }, - { - "name": "Byron Duvall", - "contact": [ - "https://www.drupal.org/user/1279040" - ] - }, - { - "name": "Jason Partyka", - "contact": [ - "https://www.drupal.org/user/344048" - ] - } - ] -} diff --git a/advisories/formatter_suite/DRUPAL-CONTRIB-2025-026.json b/advisories/formatter_suite/DRUPAL-CONTRIB-2025-026.json new file mode 100644 index 00000000..ed3621a9 --- /dev/null +++ b/advisories/formatter_suite/DRUPAL-CONTRIB-2025-026.json @@ -0,0 +1,58 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-026", + "modified": "2025-03-31T22:07:23.000Z", + "published": "2025-03-19T18:53:42.000Z", + "aliases": [ + "CVE-2025-31697" + ], + "details": "Formatter Suite provides a suite of field formatters to help present numbers, dates, times, text, links, entity references, files, and images. The module provides a custom formatter for link fields.\n\nDrupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).\n\nA separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.\n\nThis vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/formatter_suite" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.0" + } + ], + "database_specific": { + "constraint": "<2.1.0" + } + } + ], + "database_specific": { + "affected_versions": "<2.1.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-026" + } + ], + "credits": [ + { + "name": "Daniel Wehner (dawehner)", + "contact": [ + "https://www.drupal.org/u/dawehner" + ] + }, + { + "name": "Joseph Zhao (pandaski)", + "contact": [ + "https://www.drupal.org/u/pandaski" + ] + } + ] +} diff --git a/advisories/formatter_suite/DSA-CONTRIB-2025-026.json b/advisories/formatter_suite/DSA-CONTRIB-2025-026.json deleted file mode 100644 index e97596d7..00000000 --- a/advisories/formatter_suite/DSA-CONTRIB-2025-026.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-026", - "modified": "2025-03-31T22:07:23.000Z", - "published": "2025-03-19T18:53:42.000Z", - "aliases": [ - "CVE-2025-31697" - ], - "details": "Formatter Suite provides a suite of field formatters to help present numbers, dates, times, text, links, entity references, files, and images. The module provides a custom formatter for link fields.\n\nDrupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).\n\nA separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.\n\nThis vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/formatter_suite" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.1.0" - } - ], - "database_specific": { - "constraint": "<2.1.0" - } - } - ], - "database_specific": { - "affected_versions": "<2.1.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-026" - } - ], - "credits": [ - { - "name": "Daniel Wehner (dawehner)", - "contact": [ - "https://www.drupal.org/u/dawehner" - ] - }, - { - "name": "Joseph Zhao (pandaski)", - "contact": [ - "https://www.drupal.org/u/pandaski" - ] - } - ] -} diff --git a/advisories/forms_steps/DRUPAL-CONTRIB-2019-064.json b/advisories/forms_steps/DRUPAL-CONTRIB-2019-064.json new file mode 100644 index 00000000..2082da43 --- /dev/null +++ b/advisories/forms_steps/DRUPAL-CONTRIB-2019-064.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2019-064", + "modified": "2023-08-11T18:34:14.000Z", + "published": "2019-08-14T17:33:20.000Z", + "aliases": [], + "details": "Forms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms.\n\nThe module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of its multistep forms.\n\nThis vulnerability is mitigated by the fact that you have to know the Forms Steps URL to create a content linked to the flow. Also, all created content is very hard to edit through the same flow as you have to know the URL and the linked hash to the content.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/forms_steps" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2019-064" + } + ], + "credits": [ + { + "name": "solide-echt", + "contact": [ + "https://www.drupal.org/user/46176" + ] + } + ] +} diff --git a/advisories/forms_steps/DSA-CONTRIB-2019-064.json b/advisories/forms_steps/DSA-CONTRIB-2019-064.json deleted file mode 100644 index b4d8eeb4..00000000 --- a/advisories/forms_steps/DSA-CONTRIB-2019-064.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2019-064", - "modified": "2023-08-11T18:34:14.000Z", - "published": "2019-08-14T17:33:20.000Z", - "aliases": [], - "details": "Forms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms.\n\nThe module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of its multistep forms.\n\nThis vulnerability is mitigated by the fact that you have to know the Forms Steps URL to create a content linked to the flow. Also, all created content is very hard to edit through the same flow as you have to know the URL and the linked hash to the content.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/forms_steps" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2019-064" - } - ], - "credits": [ - { - "name": "solide-echt", - "contact": [ - "https://www.drupal.org/user/46176" - ] - } - ] -} diff --git a/advisories/forum_access/DRUPAL-CONTRIB-2023-035.json b/advisories/forum_access/DRUPAL-CONTRIB-2023-035.json new file mode 100644 index 00000000..34e50cbc --- /dev/null +++ b/advisories/forum_access/DRUPAL-CONTRIB-2023-035.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-035", + "modified": "2023-08-23T18:45:59.000Z", + "published": "2023-08-23T14:54:52.000Z", + "aliases": [], + "details": "This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.\n\nThe module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.\n\nThis vulnerability is mitigated by the fact that an attacker needs the \"administer forums\" permission.\n\nThis Security Advisory is being released in coordination with [SA-CONTRIB-2023-034](https://www.drupal.org/sa-contrib-2023-034) for the ACL module, on which Forum Access depends.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/forum_access" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.0" + } + ], + "database_specific": { + "constraint": "<1.0.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-035" + } + ], + "credits": [ + { + "name": "Drew Webber", + "contact": [ + "https://www.drupal.org/user/255969" + ] + } + ] +} diff --git a/advisories/forum_access/DSA-CONTRIB-2023-035.json b/advisories/forum_access/DSA-CONTRIB-2023-035.json deleted file mode 100644 index bddae409..00000000 --- a/advisories/forum_access/DSA-CONTRIB-2023-035.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-035", - "modified": "2023-08-23T18:45:59.000Z", - "published": "2023-08-23T14:54:52.000Z", - "aliases": [], - "details": "This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.\n\nThe module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.\n\nThis vulnerability is mitigated by the fact that an attacker needs the \"administer forums\" permission.\n\nThis Security Advisory is being released in coordination with [SA-CONTRIB-2023-034](https://www.drupal.org/sa-contrib-2023-034) for the ACL module, on which Forum Access depends.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/forum_access" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.0" - } - ], - "database_specific": { - "constraint": "<1.0.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-035" - } - ], - "credits": [ - { - "name": "Drew Webber", - "contact": [ - "https://www.drupal.org/user/255969" - ] - } - ] -} diff --git a/advisories/fraction/DRUPAL-CONTRIB-2018-059.json b/advisories/fraction/DRUPAL-CONTRIB-2018-059.json new file mode 100644 index 00000000..878ecbe0 --- /dev/null +++ b/advisories/fraction/DRUPAL-CONTRIB-2018-059.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2018-059", + "modified": "2023-08-11T21:18:37.000Z", + "published": "2018-09-05T17:22:50.000Z", + "aliases": [], + "details": "This module enables you to create fields for storing decimal values as two integers (numerator and denominator) for maximum precision.\n\nThe module doesn't sufficiently filter XSS strings out of field labels.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the ability to manage field configuration.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/fraction" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2018-059" + } + ], + "credits": [ + { + "name": "bucefal91", + "contact": [ + "https://www.drupal.org/user/504128" + ] + } + ] +} diff --git a/advisories/fraction/DSA-CONTRIB-2018-059.json b/advisories/fraction/DSA-CONTRIB-2018-059.json deleted file mode 100644 index 5f70601f..00000000 --- a/advisories/fraction/DSA-CONTRIB-2018-059.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2018-059", - "modified": "2023-08-11T21:18:37.000Z", - "published": "2018-09-05T17:22:50.000Z", - "aliases": [], - "details": "This module enables you to create fields for storing decimal values as two integers (numerator and denominator) for maximum precision.\n\nThe module doesn't sufficiently filter XSS strings out of field labels.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the ability to manage field configuration.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/fraction" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2018-059" - } - ], - "credits": [ - { - "name": "bucefal91", - "contact": [ - "https://www.drupal.org/user/504128" - ] - } - ] -} diff --git a/advisories/freelinking/DRUPAL-CONTRIB-2024-034.json b/advisories/freelinking/DRUPAL-CONTRIB-2024-034.json new file mode 100644 index 00000000..71f91434 --- /dev/null +++ b/advisories/freelinking/DRUPAL-CONTRIB-2024-034.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-034", + "modified": "2025-02-20T19:23:44.000Z", + "published": "2024-09-04T15:35:55.000Z", + "aliases": [ + "CVE-2024-13270" + ], + "details": "This module enables you to configure a wiki-like input filter that allows users to create links to site and external content.\n\nThe module doesn't sufficiently check if a user has access to some URLs before rendering them as links.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"access content\" (which is commonly assigned to all roles), and the site must be configured to disallow access to certain content.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/freelinking" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.0.1" + } + ], + "database_specific": { + "constraint": "<4.0.1" + } + } + ], + "database_specific": { + "affected_versions": "<4.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-034" + } + ], + "credits": [ + { + "name": "Matthew Radcliffe", + "contact": [ + "https://www.drupal.org/user/157079" + ] + } + ] +} diff --git a/advisories/freelinking/DSA-CONTRIB-2024-034.json b/advisories/freelinking/DSA-CONTRIB-2024-034.json deleted file mode 100644 index 043f04f3..00000000 --- a/advisories/freelinking/DSA-CONTRIB-2024-034.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-034", - "modified": "2025-02-20T19:23:44.000Z", - "published": "2024-09-04T15:35:55.000Z", - "aliases": [ - "CVE-2024-13270" - ], - "details": "This module enables you to configure a wiki-like input filter that allows users to create links to site and external content.\n\nThe module doesn't sufficiently check if a user has access to some URLs before rendering them as links.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"access content\" (which is commonly assigned to all roles), and the site must be configured to disallow access to certain content.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/freelinking" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "4.0.1" - } - ], - "database_specific": { - "constraint": "<4.0.1" - } - } - ], - "database_specific": { - "affected_versions": "<4.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-034" - } - ], - "credits": [ - { - "name": "Matthew Radcliffe", - "contact": [ - "https://www.drupal.org/user/157079" - ] - } - ] -} diff --git a/advisories/gdpr/DRUPAL-CONTRIB-2025-018.json b/advisories/gdpr/DRUPAL-CONTRIB-2025-018.json new file mode 100644 index 00000000..87c0dbe1 --- /dev/null +++ b/advisories/gdpr/DRUPAL-CONTRIB-2025-018.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-018", + "modified": "2025-03-31T22:06:05.000Z", + "published": "2025-02-26T18:34:59.000Z", + "aliases": [ + "CVE-2025-31689" + ], + "details": "The GDPR Task submodule enables you to create GDPR tasks.\n\nThe module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/gdpr" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.1" + } + ], + "database_specific": { + "constraint": "<3.0.1" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1.0" + }, + { + "fixed": "3.1.2" + } + ], + "database_specific": { + "constraint": ">=3.1.0 <3.1.2" + } + } + ], + "database_specific": { + "affected_versions": "<3.0.1 || >=3.1.0 <3.1.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-018" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/gdpr/DSA-CONTRIB-2025-018.json b/advisories/gdpr/DSA-CONTRIB-2025-018.json deleted file mode 100644 index f607190d..00000000 --- a/advisories/gdpr/DSA-CONTRIB-2025-018.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-018", - "modified": "2025-03-31T22:06:05.000Z", - "published": "2025-02-26T18:34:59.000Z", - "aliases": [ - "CVE-2025-31689" - ], - "details": "The GDPR Task submodule enables you to create GDPR tasks.\n\nThe module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/gdpr" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.0.1" - } - ], - "database_specific": { - "constraint": "<3.0.1" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.1.0" - }, - { - "fixed": "3.1.2" - } - ], - "database_specific": { - "constraint": ">=3.1.0 <3.1.2" - } - } - ], - "database_specific": { - "affected_versions": "<3.0.1 || >=3.1.0 <3.1.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-018" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/gdpr_alert/DRUPAL-CONTRIB-2023-023.json b/advisories/gdpr_alert/DRUPAL-CONTRIB-2023-023.json new file mode 100644 index 00000000..d65418ec --- /dev/null +++ b/advisories/gdpr_alert/DRUPAL-CONTRIB-2023-023.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-023", + "modified": "2023-08-10T13:53:00.000Z", + "published": "2023-06-28T17:02:13.000Z", + "aliases": [], + "details": "This module enables you to define configurable GDPR alert messages.\n\nThe module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission \"administer gdpr alert\" regardless of other configurations.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/gdpr_alert" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "fixed": "1.0.1" + } + ], + "database_specific": { + "constraint": ">=1.0 <1.0.1" + } + } + ], + "database_specific": { + "affected_versions": ">=1.0 <1.0.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-023" + } + ], + "credits": [ + { + "name": "Mitch Portier", + "contact": [ + "https://www.drupal.org/user/2284182" + ] + } + ] +} diff --git a/advisories/gdpr_alert/DSA-CONTRIB-2023-023.json b/advisories/gdpr_alert/DSA-CONTRIB-2023-023.json deleted file mode 100644 index a937d785..00000000 --- a/advisories/gdpr_alert/DSA-CONTRIB-2023-023.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-023", - "modified": "2023-08-10T13:53:00.000Z", - "published": "2023-06-28T17:02:13.000Z", - "aliases": [], - "details": "This module enables you to define configurable GDPR alert messages.\n\nThe module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission \"administer gdpr alert\" regardless of other configurations.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/gdpr_alert" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.0.0" - }, - { - "fixed": "1.0.1" - } - ], - "database_specific": { - "constraint": ">=1.0 <1.0.1" - } - } - ], - "database_specific": { - "affected_versions": ">=1.0 <1.0.1" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-023" - } - ], - "credits": [ - { - "name": "Mitch Portier", - "contact": [ - "https://www.drupal.org/user/2284182" - ] - } - ] -} diff --git a/advisories/gifplayer/DRUPAL-CONTRIB-2025-032.json b/advisories/gifplayer/DRUPAL-CONTRIB-2025-032.json new file mode 100644 index 00000000..6d19d0db --- /dev/null +++ b/advisories/gifplayer/DRUPAL-CONTRIB-2025-032.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-032", + "modified": "2025-04-09T17:04:46.000Z", + "published": "2025-04-09T17:04:46.000Z", + "aliases": [ + "CVE-2025-31128" + ], + "details": "Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters.\n\nThe module uses [GifPlayer jQuery library](https://github.com/rubentd/gifplayer) to render the GIF according to configured setups for the Field Formatter. The external Gif Player Library doesn't satinize the attributes properly when rendering the widget, allowing a malicious user to run XSS attacks.\n\nThis vulnerability is mitigated by the fact that an attacker would need to have an account on the website and be able to create an image tag with a data-label element. There are no fields that allow that element on a default Drupal site for a user with user-level permissions.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/gifplayer" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.5.0" + } + ], + "database_specific": { + "constraint": "<1.5.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.4" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.4" + } + } + ], + "database_specific": { + "affected_versions": "<1.5.0 || >=2.0.0 <2.0.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-032" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/gifplayer/DSA-CONTRIB-2025-032.json b/advisories/gifplayer/DSA-CONTRIB-2025-032.json deleted file mode 100644 index 1b229028..00000000 --- a/advisories/gifplayer/DSA-CONTRIB-2025-032.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-032", - "modified": "2025-04-09T17:04:46.000Z", - "published": "2025-04-09T17:04:46.000Z", - "aliases": [ - "CVE-2025-31128" - ], - "details": "Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters.\n\nThe module uses [GifPlayer jQuery library](https://github.com/rubentd/gifplayer) to render the GIF according to configured setups for the Field Formatter. The external Gif Player Library doesn't satinize the attributes properly when rendering the widget, allowing a malicious user to run XSS attacks.\n\nThis vulnerability is mitigated by the fact that an attacker would need to have an account on the website and be able to create an image tag with a data-label element. There are no fields that allow that element on a default Drupal site for a user with user-level permissions.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/gifplayer" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.5.0" - } - ], - "database_specific": { - "constraint": "<1.5.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.4" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.4" - } - } - ], - "database_specific": { - "affected_versions": "<1.5.0 || >=2.0.0 <2.0.4" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-032" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/git_utils/DRUPAL-CONTRIB-2024-074.json b/advisories/git_utils/DRUPAL-CONTRIB-2024-074.json new file mode 100644 index 00000000..5692f387 --- /dev/null +++ b/advisories/git_utils/DRUPAL-CONTRIB-2024-074.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2024-074", + "modified": "2025-02-20T20:08:21.000Z", + "published": "2024-12-11T14:27:22.000Z", + "aliases": [ + "CVE-2024-13310" + ], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/git_utils" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2024-074" + } + ], + "credits": [] +} diff --git a/advisories/git_utils/DSA-CONTRIB-2024-074.json b/advisories/git_utils/DSA-CONTRIB-2024-074.json deleted file mode 100644 index a33279a4..00000000 --- a/advisories/git_utils/DSA-CONTRIB-2024-074.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2024-074", - "modified": "2025-02-20T20:08:21.000Z", - "published": "2024-12-11T14:27:22.000Z", - "aliases": [ - "CVE-2024-13310" - ], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/git_utils" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2024-074" - } - ], - "credits": [] -} diff --git a/advisories/glightbox/DRUPAL-CONTRIB-2025-078.json b/advisories/glightbox/DRUPAL-CONTRIB-2025-078.json new file mode 100644 index 00000000..d5968ca8 --- /dev/null +++ b/advisories/glightbox/DRUPAL-CONTRIB-2025-078.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-078", + "modified": "2025-06-25T18:41:20.000Z", + "published": "2025-06-25T18:41:20.000Z", + "aliases": [ + "CVE-2025-48922" + ], + "details": "GLightbox module is a pure Javascript lightbox for CKEditor.\n\nThe module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/glightbox" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.16" + } + ], + "database_specific": { + "constraint": "<1.0.16" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.16" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-078" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/glightbox/DSA-CONTRIB-2025-078.json b/advisories/glightbox/DSA-CONTRIB-2025-078.json deleted file mode 100644 index 3ebbe143..00000000 --- a/advisories/glightbox/DSA-CONTRIB-2025-078.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-078", - "modified": "2025-06-25T18:41:20.000Z", - "published": "2025-06-25T18:41:20.000Z", - "aliases": [ - "CVE-2025-48922" - ], - "details": "GLightbox module is a pure Javascript lightbox for CKEditor.\n\nThe module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/glightbox" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.0.16" - } - ], - "database_specific": { - "constraint": "<1.0.16" - } - } - ], - "database_specific": { - "affected_versions": "<1.0.16" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-078" - } - ], - "credits": [ - { - "name": "Pierre Rudloff (prudloff)", - "contact": [ - "https://www.drupal.org/u/prudloff" - ] - } - ] -} diff --git a/advisories/gmap_store_locator/DRUPAL-CONTRIB-2025-038.json b/advisories/gmap_store_locator/DRUPAL-CONTRIB-2025-038.json new file mode 100644 index 00000000..ad08b604 --- /dev/null +++ b/advisories/gmap_store_locator/DRUPAL-CONTRIB-2025-038.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-038", + "modified": "2025-04-16T16:25:45.000Z", + "published": "2025-04-16T16:25:45.000Z", + "aliases": [ + "CVE-2025-3737" + ], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/gmap_store_locator" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-038" + } + ], + "credits": [] +} diff --git a/advisories/gmap_store_locator/DSA-CONTRIB-2025-038.json b/advisories/gmap_store_locator/DSA-CONTRIB-2025-038.json deleted file mode 100644 index 224a9006..00000000 --- a/advisories/gmap_store_locator/DSA-CONTRIB-2025-038.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-038", - "modified": "2025-04-16T16:25:45.000Z", - "published": "2025-04-16T16:25:45.000Z", - "aliases": [ - "CVE-2025-3737" - ], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/gmap_store_locator" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-038" - } - ], - "credits": [] -} diff --git a/advisories/google_optimize/DRUPAL-CONTRIB-2025-039.json b/advisories/google_optimize/DRUPAL-CONTRIB-2025-039.json new file mode 100644 index 00000000..48069b87 --- /dev/null +++ b/advisories/google_optimize/DRUPAL-CONTRIB-2025-039.json @@ -0,0 +1,42 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-039", + "modified": "2025-04-16T16:25:56.000Z", + "published": "2025-04-16T16:25:56.000Z", + "aliases": [ + "CVE-2025-3738" + ], + "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/google_optimize" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ], + "database_specific": { + "constraint": "*" + } + } + ], + "database_specific": { + "affected_versions": "*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-039" + } + ], + "credits": [] +} diff --git a/advisories/google_optimize/DSA-CONTRIB-2025-039.json b/advisories/google_optimize/DSA-CONTRIB-2025-039.json deleted file mode 100644 index da3ebef4..00000000 --- a/advisories/google_optimize/DSA-CONTRIB-2025-039.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-039", - "modified": "2025-04-16T16:25:56.000Z", - "published": "2025-04-16T16:25:56.000Z", - "aliases": [ - "CVE-2025-3738" - ], - "details": "The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...](https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-maintainer-of-a-project-that-is-unsupported-for-security-reasons)", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/google_optimize" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - } - ], - "database_specific": { - "constraint": "*" - } - } - ], - "database_specific": { - "affected_versions": "*" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-039" - } - ], - "credits": [] -} diff --git a/advisories/google_tag/DRUPAL-CONTRIB-2025-011.json b/advisories/google_tag/DRUPAL-CONTRIB-2025-011.json new file mode 100644 index 00000000..24bc40c6 --- /dev/null +++ b/advisories/google_tag/DRUPAL-CONTRIB-2025-011.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-011", + "modified": "2025-03-31T22:04:35.000Z", + "published": "2025-01-29T17:13:29.000Z", + "aliases": [ + "CVE-2025-31682" + ], + "details": "This module enables you to integrate the site with the Google Tag Manager (GTM) application.\n\nThe module doesn't have the \"restrict access\" flag on the \"administer google\\_tag\\_container\" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross site scripting vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/google_tag" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.0" + } + ], + "database_specific": { + "constraint": "<1.8.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.8" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.8" + } + } + ], + "database_specific": { + "affected_versions": "<1.8.0 || >=2.0.0 <2.0.8" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-011" + } + ], + "credits": [ + { + "name": "Pierre Rudloff", + "contact": [ + "https://www.drupal.org/user/3611858" + ] + } + ] +} diff --git a/advisories/google_tag/DRUPAL-CONTRIB-2025-012.json b/advisories/google_tag/DRUPAL-CONTRIB-2025-012.json new file mode 100644 index 00000000..73a455de --- /dev/null +++ b/advisories/google_tag/DRUPAL-CONTRIB-2025-012.json @@ -0,0 +1,72 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-012", + "modified": "2025-03-31T22:04:42.000Z", + "published": "2025-01-29T17:16:19.000Z", + "aliases": [ + "CVE-2025-31683" + ], + "details": "This module enables you to integrate the site with the Google Tag Manager (GTM) application.\n\nThe module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery (CSRF).\n\nThis vulnerability is mitigated by the fact that an attacker needs to know the machine name of the container. The machine name is a random string, making an attack more difficult.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/google_tag" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.0" + } + ], + "database_specific": { + "constraint": "<1.8.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.8" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.8" + } + } + ], + "database_specific": { + "affected_versions": "<1.8.0 || >=2.0.0 <2.0.8" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-012" + } + ], + "credits": [ + { + "name": "Florent Torregrosa", + "contact": [ + "https://www.drupal.org/user/2388214" + ] + }, + { + "name": "Pierre Rudloff", + "contact": [ + "https://www.drupal.org/user/3611858" + ] + } + ] +} diff --git a/advisories/google_tag/DSA-CONTRIB-2025-011.json b/advisories/google_tag/DSA-CONTRIB-2025-011.json deleted file mode 100644 index 3c3f0298..00000000 --- a/advisories/google_tag/DSA-CONTRIB-2025-011.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-011", - "modified": "2025-03-31T22:04:35.000Z", - "published": "2025-01-29T17:13:29.000Z", - "aliases": [ - "CVE-2025-31682" - ], - "details": "This module enables you to integrate the site with the Google Tag Manager (GTM) application.\n\nThe module doesn't have the \"restrict access\" flag on the \"administer google\\_tag\\_container\" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross site scripting vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/google_tag" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.8.0" - } - ], - "database_specific": { - "constraint": "<1.8.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.8" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.8" - } - } - ], - "database_specific": { - "affected_versions": "<1.8.0 || >=2.0.0 <2.0.8" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-011" - } - ], - "credits": [ - { - "name": "Pierre Rudloff", - "contact": [ - "https://www.drupal.org/user/3611858" - ] - } - ] -} diff --git a/advisories/google_tag/DSA-CONTRIB-2025-012.json b/advisories/google_tag/DSA-CONTRIB-2025-012.json deleted file mode 100644 index 954e134b..00000000 --- a/advisories/google_tag/DSA-CONTRIB-2025-012.json +++ /dev/null @@ -1,72 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2025-012", - "modified": "2025-03-31T22:04:42.000Z", - "published": "2025-01-29T17:16:19.000Z", - "aliases": [ - "CVE-2025-31683" - ], - "details": "This module enables you to integrate the site with the Google Tag Manager (GTM) application.\n\nThe module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery (CSRF).\n\nThis vulnerability is mitigated by the fact that an attacker needs to know the machine name of the container. The machine name is a random string, making an attack more difficult.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/google_tag" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.8.0" - } - ], - "database_specific": { - "constraint": "<1.8.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.8" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.8" - } - } - ], - "database_specific": { - "affected_versions": "<1.8.0 || >=2.0.0 <2.0.8" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2025-012" - } - ], - "credits": [ - { - "name": "Florent Torregrosa", - "contact": [ - "https://www.drupal.org/user/2388214" - ] - }, - { - "name": "Pierre Rudloff", - "contact": [ - "https://www.drupal.org/user/3611858" - ] - } - ] -} diff --git a/advisories/govuk_theme/DRUPAL-CONTRIB-2022-027.json b/advisories/govuk_theme/DRUPAL-CONTRIB-2022-027.json new file mode 100644 index 00000000..1c567cc1 --- /dev/null +++ b/advisories/govuk_theme/DRUPAL-CONTRIB-2022-027.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2022-027", + "modified": "2023-08-10T21:37:54.000Z", + "published": "2022-02-23T17:18:07.000Z", + "aliases": [], + "details": "The GOV.UK Theme (`govuk_theme`) is a Drupal theme for the GOV.UK Design System.\n\nThe theme doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities or configuration may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target visitors of the site, including site admins with privileged access.\n\nThe vulnerability is mitigated by the facts, that:\n\n* An attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.\n* For some of the vulnerabilities, certain contributed modules must be enabled.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/govuk_theme" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.0" + } + ], + "database_specific": { + "constraint": "<1.9.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.9.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2022-027" + } + ], + "credits": [ + { + "name": "Patrick Fey", + "contact": [ + "https://www.drupal.org/user/998680" + ] + } + ] +} diff --git a/advisories/govuk_theme/DSA-CONTRIB-2022-027.json b/advisories/govuk_theme/DSA-CONTRIB-2022-027.json deleted file mode 100644 index e933710e..00000000 --- a/advisories/govuk_theme/DSA-CONTRIB-2022-027.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2022-027", - "modified": "2023-08-10T21:37:54.000Z", - "published": "2022-02-23T17:18:07.000Z", - "aliases": [], - "details": "The GOV.UK Theme (`govuk_theme`) is a Drupal theme for the GOV.UK Design System.\n\nThe theme doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities or configuration may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target visitors of the site, including site admins with privileged access.\n\nThe vulnerability is mitigated by the facts, that:\n\n* An attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.\n* For some of the vulnerabilities, certain contributed modules must be enabled.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/govuk_theme" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.9.0" - } - ], - "database_specific": { - "constraint": "<1.9.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.9.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2022-027" - } - ], - "credits": [ - { - "name": "Patrick Fey", - "contact": [ - "https://www.drupal.org/user/998680" - ] - } - ] -} diff --git a/advisories/graphql/DRUPAL-CONTRIB-2021-013.json b/advisories/graphql/DRUPAL-CONTRIB-2021-013.json new file mode 100644 index 00000000..785b8824 --- /dev/null +++ b/advisories/graphql/DRUPAL-CONTRIB-2021-013.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-013", + "modified": "2023-08-11T17:07:00.000Z", + "published": "2021-06-02T16:56:19.000Z", + "aliases": [], + "details": "This module lets you craft and expose a GraphQL web service API.\n\nThe module does not sufficiently protect arbitrary exception and error messages thereby exposing an information disclosure vulnerability.\n\nThis vulnerability is mitigated by the fact that a GraphQL server must be enabled and a data producer be configured that throws exceptions with confidential error messages that must not be exposed over the GraphQL API.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/graphql" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "last_affected": "4.0.0" + } + ], + "database_specific": { + "constraint": "4.0.0" + } + } + ], + "database_specific": { + "affected_versions": "4.0.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-013" + } + ], + "credits": [ + { + "name": "Alex Tkachev", + "contact": [ + "https://www.drupal.org/user/390336" + ] + } + ] +} diff --git a/advisories/graphql/DRUPAL-CONTRIB-2021-029.json b/advisories/graphql/DRUPAL-CONTRIB-2021-029.json new file mode 100644 index 00000000..90aae7ce --- /dev/null +++ b/advisories/graphql/DRUPAL-CONTRIB-2021-029.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2021-029", + "modified": "2023-08-11T17:03:09.000Z", + "published": "2021-09-15T15:30:15.000Z", + "aliases": [ + "CVE-2020-13675" + ], + "details": "This advisory addresses a similar issue to [Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008](https://www.drupal.org/sa-core-2021-008).\n\nThe GraphQL module allows file uploads through its HTTP API. The module does not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.\n\nThis vulnerability is mitigated by four factors:\n\n1. The GraphQL module must be enabled on the site.\n2. The GraphQL schema must expose a file upload by using the helper \"src/GraphQL/Utility/FileUpload.php\" in the module.\n3. An attacker must have access to that file upload via the GraphQL API.\n4. The site must employ a file validation module.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/graphql" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.2.0" + } + ], + "database_specific": { + "constraint": ">=4.0.0 <4.2.0" + } + } + ], + "database_specific": { + "affected_versions": ">=4.0.0 <4.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2021-029" + } + ], + "credits": [ + { + "name": "Klaus Purer", + "contact": [ + "https://www.drupal.org/user/262198" + ] + } + ] +} diff --git a/advisories/graphql/DRUPAL-CONTRIB-2023-050.json b/advisories/graphql/DRUPAL-CONTRIB-2023-050.json new file mode 100644 index 00000000..7f3f5bc8 --- /dev/null +++ b/advisories/graphql/DRUPAL-CONTRIB-2023-050.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-050", + "modified": "2023-11-08T17:10:18.000Z", + "published": "2023-11-08T15:30:45.000Z", + "aliases": [], + "details": "This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.\n\nThe module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label creating an access bypass vulnerability.\n\nThis vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt-in for supporting different logic on entity types. Additionally your schema must make use of the EntityLabel DataProducer to be affected.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/graphql" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.4.0" + } + ], + "database_specific": { + "constraint": "<3.4.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.6.0" + } + ], + "database_specific": { + "constraint": ">=4.0.0 <4.6.0" + } + } + ], + "database_specific": { + "affected_versions": "<3.4.0 || >=4.0.0 <4.6.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-050" + } + ], + "credits": [ + { + "name": "Dezs\u0151 Bicz\u00f3", + "contact": [ + "https://www.drupal.org/user/315522" + ] + } + ] +} diff --git a/advisories/graphql/DRUPAL-CONTRIB-2023-051.json b/advisories/graphql/DRUPAL-CONTRIB-2023-051.json new file mode 100644 index 00000000..94e69ce1 --- /dev/null +++ b/advisories/graphql/DRUPAL-CONTRIB-2023-051.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-051", + "modified": "2023-11-08T17:10:24.000Z", + "published": "2023-11-08T15:33:12.000Z", + "aliases": [], + "details": "The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates (create, update, delete) through mutations.\n\nThe module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. In case a user visits a malicious site, that site may make requests on the users behalf which can lead to the execution of mutations, exposing a CSRF vulnerability. Whether data is returned to the malicious site depends on your sites CORS configuration.\n\nThis vulnerability is mitigated by the fact that a user with access to the API must have an active session cookie while visiting a malicious site. This vulnerability is also mitigated by restricting session cookies with the SameSite attribute (see solution below).", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/graphql" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.4.0" + } + ], + "database_specific": { + "constraint": "<3.4.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.6.0" + } + ], + "database_specific": { + "constraint": ">=4.0.0 <4.6.0" + } + } + ], + "database_specific": { + "affected_versions": "<3.4.0 || >=4.0.0 <4.6.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-051" + } + ], + "credits": [ + { + "name": "Sam Becker", + "contact": [ + "https://www.drupal.org/user/1485048" + ] + } + ] +} diff --git a/advisories/graphql/DSA-CONTRIB-2021-013.json b/advisories/graphql/DSA-CONTRIB-2021-013.json deleted file mode 100644 index d76d0a59..00000000 --- a/advisories/graphql/DSA-CONTRIB-2021-013.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-013", - "modified": "2023-08-11T17:07:00.000Z", - "published": "2021-06-02T16:56:19.000Z", - "aliases": [], - "details": "This module lets you craft and expose a GraphQL web service API.\n\nThe module does not sufficiently protect arbitrary exception and error messages thereby exposing an information disclosure vulnerability.\n\nThis vulnerability is mitigated by the fact that a GraphQL server must be enabled and a data producer be configured that throws exceptions with confidential error messages that must not be exposed over the GraphQL API.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/graphql" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "4.0.0" - }, - { - "last_affected": "4.0.0" - } - ], - "database_specific": { - "constraint": "4.0.0" - } - } - ], - "database_specific": { - "affected_versions": "4.0.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-013" - } - ], - "credits": [ - { - "name": "Alex Tkachev", - "contact": [ - "https://www.drupal.org/user/390336" - ] - } - ] -} diff --git a/advisories/graphql/DSA-CONTRIB-2021-029.json b/advisories/graphql/DSA-CONTRIB-2021-029.json deleted file mode 100644 index 0f26f243..00000000 --- a/advisories/graphql/DSA-CONTRIB-2021-029.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2021-029", - "modified": "2023-08-11T17:03:09.000Z", - "published": "2021-09-15T15:30:15.000Z", - "aliases": [ - "CVE-2020-13675" - ], - "details": "This advisory addresses a similar issue to [Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008](https://www.drupal.org/sa-core-2021-008).\n\nThe GraphQL module allows file uploads through its HTTP API. The module does not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.\n\nThis vulnerability is mitigated by four factors:\n\n1. The GraphQL module must be enabled on the site.\n2. The GraphQL schema must expose a file upload by using the helper \"src/GraphQL/Utility/FileUpload.php\" in the module.\n3. An attacker must have access to that file upload via the GraphQL API.\n4. The site must employ a file validation module.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/graphql" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "4.0.0" - }, - { - "fixed": "4.2.0" - } - ], - "database_specific": { - "constraint": ">=4.0.0 <4.2.0" - } - } - ], - "database_specific": { - "affected_versions": ">=4.0.0 <4.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2021-029" - } - ], - "credits": [ - { - "name": "Klaus Purer", - "contact": [ - "https://www.drupal.org/user/262198" - ] - } - ] -} diff --git a/advisories/graphql/DSA-CONTRIB-2023-050.json b/advisories/graphql/DSA-CONTRIB-2023-050.json deleted file mode 100644 index c1476dbf..00000000 --- a/advisories/graphql/DSA-CONTRIB-2023-050.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-050", - "modified": "2023-11-08T17:10:18.000Z", - "published": "2023-11-08T15:30:45.000Z", - "aliases": [], - "details": "This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.\n\nThe module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label creating an access bypass vulnerability.\n\nThis vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt-in for supporting different logic on entity types. Additionally your schema must make use of the EntityLabel DataProducer to be affected.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/graphql" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.4.0" - } - ], - "database_specific": { - "constraint": "<3.4.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "4.0.0" - }, - { - "fixed": "4.6.0" - } - ], - "database_specific": { - "constraint": ">=4.0.0 <4.6.0" - } - } - ], - "database_specific": { - "affected_versions": "<3.4.0 || >=4.0.0 <4.6.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-050" - } - ], - "credits": [ - { - "name": "Dezs\u0151 Bicz\u00f3", - "contact": [ - "https://www.drupal.org/user/315522" - ] - } - ] -} diff --git a/advisories/graphql/DSA-CONTRIB-2023-051.json b/advisories/graphql/DSA-CONTRIB-2023-051.json deleted file mode 100644 index ab06e0ff..00000000 --- a/advisories/graphql/DSA-CONTRIB-2023-051.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-051", - "modified": "2023-11-08T17:10:24.000Z", - "published": "2023-11-08T15:33:12.000Z", - "aliases": [], - "details": "The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates (create, update, delete) through mutations.\n\nThe module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. In case a user visits a malicious site, that site may make requests on the users behalf which can lead to the execution of mutations, exposing a CSRF vulnerability. Whether data is returned to the malicious site depends on your sites CORS configuration.\n\nThis vulnerability is mitigated by the fact that a user with access to the API must have an active session cookie while visiting a malicious site. This vulnerability is also mitigated by restricting session cookies with the SameSite attribute (see solution below).", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/graphql" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "3.4.0" - } - ], - "database_specific": { - "constraint": "<3.4.0" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "4.0.0" - }, - { - "fixed": "4.6.0" - } - ], - "database_specific": { - "constraint": ">=4.0.0 <4.6.0" - } - } - ], - "database_specific": { - "affected_versions": "<3.4.0 || >=4.0.0 <4.6.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-051" - } - ], - "credits": [ - { - "name": "Sam Becker", - "contact": [ - "https://www.drupal.org/user/1485048" - ] - } - ] -} diff --git a/advisories/gridstack/DRUPAL-CONTRIB-2023-024.json b/advisories/gridstack/DRUPAL-CONTRIB-2023-024.json new file mode 100644 index 00000000..e7718239 --- /dev/null +++ b/advisories/gridstack/DRUPAL-CONTRIB-2023-024.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-024", + "modified": "2023-08-10T13:40:55.000Z", + "published": "2023-06-28T17:03:36.000Z", + "aliases": [], + "details": "This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI.\n\nThe module doesn't sufficiently sanitize the module's settings in certain scenarios leading to a Cross Site Scripting vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permissions \"administer gridstack\".", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/gridstack" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.11.0" + } + ], + "database_specific": { + "constraint": "<2.11" + } + } + ], + "database_specific": { + "affected_versions": "<2.11" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-024" + } + ], + "credits": [ + { + "name": "Mitch Portier", + "contact": [ + "https://www.drupal.org/user/2284182" + ] + } + ] +} diff --git a/advisories/gridstack/DSA-CONTRIB-2023-024.json b/advisories/gridstack/DSA-CONTRIB-2023-024.json deleted file mode 100644 index d73a34ba..00000000 --- a/advisories/gridstack/DSA-CONTRIB-2023-024.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-024", - "modified": "2023-08-10T13:40:55.000Z", - "published": "2023-06-28T17:03:36.000Z", - "aliases": [], - "details": "This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI.\n\nThe module doesn't sufficiently sanitize the module's settings in certain scenarios leading to a Cross Site Scripting vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permissions \"administer gridstack\".", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/gridstack" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.11.0" - } - ], - "database_specific": { - "constraint": "<2.11" - } - } - ], - "database_specific": { - "affected_versions": "<2.11" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-024" - } - ], - "credits": [ - { - "name": "Mitch Portier", - "contact": [ - "https://www.drupal.org/user/2284182" - ] - } - ] -} diff --git a/advisories/group/DRUPAL-CONTRIB-2020-030.json b/advisories/group/DRUPAL-CONTRIB-2020-030.json new file mode 100644 index 00000000..28b7b283 --- /dev/null +++ b/advisories/group/DRUPAL-CONTRIB-2020-030.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2020-030", + "modified": "2023-08-11T17:46:26.000Z", + "published": "2020-07-29T12:23:17.000Z", + "aliases": [], + "details": "This module enables you to hand out permissions on a smaller subset, section or community of your website.\n\nThe module used to leverage the node grants system but turned it off in its recent 8.x-1.0 release in favor of a system that works for ALL entity types, not just nodes. By doing so, some regular node access checks turned from neutral into allowed because of the way the node grants system operates.\n\nThis vulnerability is mitigated by the fact that the victim must have the GroupNode plugin installed on their website and have no other `hook_node_grants()` implementations on their website aside from the one that was recently removed by Group. If you do not use the GroupNode plugin or still have `hook_node_grants()` implementing modules enabled, your site may not be affected.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/group" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.0" + }, + { + "last_affected": "1.0.0" + } + ], + "database_specific": { + "constraint": "1.0.0" + } + } + ], + "database_specific": { + "affected_versions": "1.0.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2020-030" + } + ], + "credits": [ + { + "name": "Kristiaan Van den Eynde", + "contact": [ + "https://www.drupal.org/user/1345130" + ] + } + ] +} diff --git a/advisories/group/DRUPAL-CONTRIB-2020-032.json b/advisories/group/DRUPAL-CONTRIB-2020-032.json new file mode 100644 index 00000000..edcd0a7a --- /dev/null +++ b/advisories/group/DRUPAL-CONTRIB-2020-032.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2020-032", + "modified": "2023-08-11T17:31:20.000Z", + "published": "2020-08-05T15:47:56.000Z", + "aliases": [], + "details": "The Group module enables you to hand out permissions on a smaller subset, section or community of your website.\n\nWith the 1.1 security release, new code was introduced to ensure proper access for all entity types, but a mistake introduced unexpected access to unpublished nodes.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/group" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2020-032" + } + ], + "credits": [ + { + "name": "Martijn Vermeulen", + "contact": [ + "https://www.drupal.org/user/960720" + ] + }, + { + "name": "Sean Blommaert", + "contact": [ + "https://www.drupal.org/user/545912" + ] + } + ] +} diff --git a/advisories/group/DRUPAL-CONTRIB-2020-033.json b/advisories/group/DRUPAL-CONTRIB-2020-033.json new file mode 100644 index 00000000..cd5214a8 --- /dev/null +++ b/advisories/group/DRUPAL-CONTRIB-2020-033.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2020-033", + "modified": "2023-08-11T17:31:14.000Z", + "published": "2020-08-05T20:05:36.000Z", + "aliases": [], + "details": "The Group module enables you to hand out permissions on a smaller subset, section or community of your website.\n\nUnder very specific circumstances, where two group types support the same content, yet hand out different permissions, non-members of the first group type may use the set of permissions of the 2nd group type for the grouped content.\n\nThis vulnerability is mitigated by the fact that you must already have a rare set-up and the two group types are configured in a way where one is more permissive than the other over the same type of content.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/group" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.0" + } + ], + "database_specific": { + "constraint": "<1.2.0" + } + } + ], + "database_specific": { + "affected_versions": "<1.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2020-033" + } + ], + "credits": [ + { + "name": "John Pitcairn", + "contact": [ + "https://www.drupal.org/user/425866" + ] + } + ] +} diff --git a/advisories/group/DRUPAL-CONTRIB-2023-054.json b/advisories/group/DRUPAL-CONTRIB-2023-054.json new file mode 100644 index 00000000..de85a1d5 --- /dev/null +++ b/advisories/group/DRUPAL-CONTRIB-2023-054.json @@ -0,0 +1,64 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-054", + "modified": "2023-12-07T02:47:34.000Z", + "published": "2023-12-06T16:16:28.000Z", + "aliases": [], + "details": "The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to.\n\nThe module doesn't sufficiently enforce list access under the scenario where two users have the same outsider and insider permissions, but are members of different groups without any individual roles being assigned to said memberships. In such a scenario, the permissions hash for both will be the same even though it should differ.\n\nThis vulnerability is mitigated by the fact that an attacker must have the same hash as someone else, which is quite rare yet not unthinkable.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/group" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.2.2" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.2.2" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.2.2" + } + ], + "database_specific": { + "constraint": ">=3.0.0 <3.2.2" + } + } + ], + "database_specific": { + "affected_versions": ">=2.0.0 <2.2.2 || >=3.0.0 <3.2.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-054" + } + ], + "credits": [ + { + "name": "Dylan Donkersgoed", + "contact": [ + "https://www.drupal.org/user/2803351" + ] + } + ] +} diff --git a/advisories/group/DSA-CONTRIB-2020-030.json b/advisories/group/DSA-CONTRIB-2020-030.json deleted file mode 100644 index 3570bba1..00000000 --- a/advisories/group/DSA-CONTRIB-2020-030.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2020-030", - "modified": "2023-08-11T17:46:26.000Z", - "published": "2020-07-29T12:23:17.000Z", - "aliases": [], - "details": "This module enables you to hand out permissions on a smaller subset, section or community of your website.\n\nThe module used to leverage the node grants system but turned it off in its recent 8.x-1.0 release in favor of a system that works for ALL entity types, not just nodes. By doing so, some regular node access checks turned from neutral into allowed because of the way the node grants system operates.\n\nThis vulnerability is mitigated by the fact that the victim must have the GroupNode plugin installed on their website and have no other `hook_node_grants()` implementations on their website aside from the one that was recently removed by Group. If you do not use the GroupNode plugin or still have `hook_node_grants()` implementing modules enabled, your site may not be affected.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/group" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.0.0" - }, - { - "last_affected": "1.0.0" - } - ], - "database_specific": { - "constraint": "1.0.0" - } - } - ], - "database_specific": { - "affected_versions": "1.0.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2020-030" - } - ], - "credits": [ - { - "name": "Kristiaan Van den Eynde", - "contact": [ - "https://www.drupal.org/user/1345130" - ] - } - ] -} diff --git a/advisories/group/DSA-CONTRIB-2020-032.json b/advisories/group/DSA-CONTRIB-2020-032.json deleted file mode 100644 index 4bb23e57..00000000 --- a/advisories/group/DSA-CONTRIB-2020-032.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2020-032", - "modified": "2023-08-11T17:31:20.000Z", - "published": "2020-08-05T15:47:56.000Z", - "aliases": [], - "details": "The Group module enables you to hand out permissions on a smaller subset, section or community of your website.\n\nWith the 1.1 security release, new code was introduced to ensure proper access for all entity types, but a mistake introduced unexpected access to unpublished nodes.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/group" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2020-032" - } - ], - "credits": [ - { - "name": "Martijn Vermeulen", - "contact": [ - "https://www.drupal.org/user/960720" - ] - }, - { - "name": "Sean Blommaert", - "contact": [ - "https://www.drupal.org/user/545912" - ] - } - ] -} diff --git a/advisories/group/DSA-CONTRIB-2020-033.json b/advisories/group/DSA-CONTRIB-2020-033.json deleted file mode 100644 index 2ff443c4..00000000 --- a/advisories/group/DSA-CONTRIB-2020-033.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2020-033", - "modified": "2023-08-11T17:31:14.000Z", - "published": "2020-08-05T20:05:36.000Z", - "aliases": [], - "details": "The Group module enables you to hand out permissions on a smaller subset, section or community of your website.\n\nUnder very specific circumstances, where two group types support the same content, yet hand out different permissions, non-members of the first group type may use the set of permissions of the 2nd group type for the grouped content.\n\nThis vulnerability is mitigated by the fact that you must already have a rare set-up and the two group types are configured in a way where one is more permissive than the other over the same type of content.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/group" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.2.0" - } - ], - "database_specific": { - "constraint": "<1.2.0" - } - } - ], - "database_specific": { - "affected_versions": "<1.2.0" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2020-033" - } - ], - "credits": [ - { - "name": "John Pitcairn", - "contact": [ - "https://www.drupal.org/user/425866" - ] - } - ] -} diff --git a/advisories/group/DSA-CONTRIB-2023-054.json b/advisories/group/DSA-CONTRIB-2023-054.json deleted file mode 100644 index 747a14ad..00000000 --- a/advisories/group/DSA-CONTRIB-2023-054.json +++ /dev/null @@ -1,64 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-054", - "modified": "2023-12-07T02:47:34.000Z", - "published": "2023-12-06T16:16:28.000Z", - "aliases": [], - "details": "The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to.\n\nThe module doesn't sufficiently enforce list access under the scenario where two users have the same outsider and insider permissions, but are members of different groups without any individual roles being assigned to said memberships. In such a scenario, the permissions hash for both will be the same even though it should differ.\n\nThis vulnerability is mitigated by the fact that an attacker must have the same hash as someone else, which is quite rare yet not unthinkable.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/group" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.2.2" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.2.2" - } - }, - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "3.0.0" - }, - { - "fixed": "3.2.2" - } - ], - "database_specific": { - "constraint": ">=3.0.0 <3.2.2" - } - } - ], - "database_specific": { - "affected_versions": ">=2.0.0 <2.2.2 || >=3.0.0 <3.2.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-054" - } - ], - "credits": [ - { - "name": "Dylan Donkersgoed", - "contact": [ - "https://www.drupal.org/user/2803351" - ] - } - ] -} diff --git a/advisories/group_forum/DRUPAL-CONTRIB-2023-008.json b/advisories/group_forum/DRUPAL-CONTRIB-2023-008.json new file mode 100644 index 00000000..4ae37d14 --- /dev/null +++ b/advisories/group_forum/DRUPAL-CONTRIB-2023-008.json @@ -0,0 +1,50 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2023-008", + "modified": "2023-08-10T14:21:21.000Z", + "published": "2023-03-01T17:38:09.000Z", + "aliases": [], + "details": "This module enables you to associate Forums as Group 1.x content and use Group access permissions.\n\nPrevious versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics.", + "affected": [ + { + "package": { + "ecosystem": "Drupal", + "name": "drupal/group_forum" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.2" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.2" + } + } + ], + "database_specific": { + "affected_versions": ">=2.0.0 <2.0.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2023-008" + } + ], + "credits": [ + { + "name": "ekes", + "contact": [ + "https://www.drupal.org/user/10083" + ] + } + ] +} diff --git a/advisories/group_forum/DSA-CONTRIB-2023-008.json b/advisories/group_forum/DSA-CONTRIB-2023-008.json deleted file mode 100644 index d9b4865d..00000000 --- a/advisories/group_forum/DSA-CONTRIB-2023-008.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "schema_version": "1.7.0", - "id": "DSA-CONTRIB-2023-008", - "modified": "2023-08-10T14:21:21.000Z", - "published": "2023-03-01T17:38:09.000Z", - "aliases": [], - "details": "This module enables you to associate Forums as Group 1.x content and use Group access permissions.\n\nPrevious versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics.", - "affected": [ - { - "package": { - "ecosystem": "Packagist", - "name": "drupal/group_forum" - }, - "severity": [], - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.0.2" - } - ], - "database_specific": { - "constraint": ">=2.0.0 <2.0.2" - } - } - ], - "database_specific": { - "affected_versions": ">=2.0.0 <2.0.2" - } - } - ], - "references": [ - { - "type": "WEB", - "url": "https://www.drupal.org/sa-contrib-2023-008" - } - ], - "credits": [ - { - "name": "ekes", - "contact": [ - "https://www.drupal.org/user/10083" - ] - } - ] -} diff --git a/advisories/gtm/DRUPAL-CONTRIB-2025-094.json b/advisories/gtm/DRUPAL-CONTRIB-2025-094.json new file mode 100644 index 00000000..2619e409 --- /dev/null +++ b/advisories/gtm/DRUPAL-CONTRIB-2025-094.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DRUPAL-CONTRIB-2025-094", + "modified": "2025-07-30T16:31:23.000Z", + "published": "2025-07-30T16:31:23.000Z", + "aliases": [ + "CVE-2025-8362" + ], + "details": "This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets.\n\nThe module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the *Administer gtm* permission enters malicious input into the *GTM-ID* field. This value is directly inserted into a `