Drupal

Project: Drupal coreDate: 2023-September-20Security risk: Critical 16∕25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:DefaultVulnerability: Cache poisoningAffected versions: >=8.7.0 =10.0 = 10.1 <10.1.4Description: In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to...

Project: Drupal coreDate: 2023-April-19Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration...

Project: Drupal coreDate: 2023-March-15Security risk: Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5Description: Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration. If an attacker was able to achieve...

Project: Drupal coreDate: 2023-March-15Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureAffected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5Description: The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages. The URL of unpublished translations...

Project: Drupal coreDate: 2023-March-15Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5Description: The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not...

Project: Drupal coreDate: 2023-January-18Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: >=8.0.0 <9.4.10 || >=9.5.0 <9.5.2 || >=10.0.0 <10.0.2Description: The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata...

Project: Drupal coreDate: 2022-September-28Security risk: Critical 18∕25 AC:Basic/A:Admin/CI:All/II:All/E:Proof/TD:AllVulnerability: Multiple vulnerabilitiesAffected versions: >= 8.0.0 <9.3.22 || >= 9.4.0 <9.4.7CVE IDs: CVE-2022-39261Description: Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as...