|
11
|
6.5
-
|
MEDIUM
Network
|
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by …
|
NVD-CWE-noinfo
|
CVE-2022-25278
|
cpe:2.3:a:drupal:drupal:*:*
|
9.4.0 8.0.0
|
|
|
9.4.3 9.3.19
|
2024-11-21 15:51
2023-04-27
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
12
|
6.1
-
|
MEDIUM
Network
|
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could l…
|
CWE-79
Cross-site Scripting
|
CVE-2022-25276
|
cpe:2.3:a:drupal:drupal:*:*
|
9.4.0 9.3.0
|
|
|
9.4.3 9.3.19
|
2024-11-21 15:51
2023-04-27
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
13
|
7.2
-
|
HIGH
Network
|
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files…
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2022-25277
|
cpe:2.3:a:drupal:drupal:*:*
|
9.4.0 8.0.0
|
|
|
9.4.3 9.3.19
|
2024-11-21 15:51
2023-04-27
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
14
|
7.5
-
|
HIGH
Network
|
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. …
|
NVD-CWE-Other
|
CVE-2022-25275
|
cpe:2.3:a:drupal:drupal:*:*
|
8.0.0 7.0 9.4.0
|
|
|
9.3.19 7.91 9.4.3
|
2024-11-21 15:51
2023-04-26
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
15
|
5.4
-
|
MEDIUM
Network
|
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users …
|
CWE-863
Incorrect Authorization
|
CVE-2022-25274
|
cpe:2.3:a:drupal:drupal:*:*
|
9.3.0
|
|
|
9.3.12
|
2024-11-21 15:51
2023-04-26
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
16
|
7.5
-
|
HIGH
Network
|
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values …
|
CWE-20
Improper Input Validation
|
CVE-2022-25273
|
cpe:2.3:a:drupal:drupal:*:*
|
9.3.0 8.0.0
|
|
|
9.3.12 9.2.18
|
2024-11-21 15:51
2023-04-26
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
17
|
7.5
-
|
HIGH
Network
|
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us…
|
CWE-22
Path Traversal
|
CVE-2022-39261
|
cpe:2.3:a:drupal:drupal:*:*
|
9.4.0 8.0.0
|
|
|
9.4.7 9.3.22
|
2024-11-21 16:17
2022-09-28
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
18
|
7.5
5.0
|
HIGH
Network
|
Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds w…
|
CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
|
CVE-2022-31043
|
cpe:2.3:a:drupal:drupal:9.4.0:rc1 cpe:2.3:a:drupal:drupal:9.4.0:beta1 cpe:2.3:a:drupal:drupal:9.4.0:alpha1 cpe…
|
9.3.0 9.2.0
|
|
|
9.3.16 9.2.21
|
2024-11-21 16:03
2022-06-10
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
19
|
7.5
5.0
|
HIGH
Network
|
Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with…
|
CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
|
CVE-2022-31042
|
cpe:2.3:a:drupal:drupal:9.4.0:rc1 cpe:2.3:a:drupal:drupal:9.4.0:beta1 cpe:2.3:a:drupal:drupal:9.4.0:alpha1 cpe…
|
9.3.0 9.2.0
|
|
|
9.3.16 9.2.21
|
2024-11-21 16:03
2022-06-10
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
20
|
8.1
5.8
|
HIGH
Network
|
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the …
|
CWE-565
Reliance on Cookies without Validation and Integrity Checking
|
CVE-2022-29248
|
cpe:2.3:a:drupal:drupal:*:*
|
9.2.0 9.3.0
|
|
|
9.2.20 9.3.14
|
2024-11-21 15:58
2022-05-26
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|