25 matches found

Tenable Nessus
added 2024/07/03 12:0 a.m., 12 views

Red Hat Enterprise Linux SEoL (8.8.x, 8.9.x)

According to its version, Red Hat Enterprise Linux is 8.8.x or 8.9.x. It is, therefore, no longer maintained by its vendor or provider. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it may contain security vulnerabilities...

5.5 AI score
Exploits: 0, References: 1

OSV
added 2024/03/06 10:57 a.m., 15 views

BIT-DRUPAL-2020-13668 Access bypass in Drupal Core 8/9

Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6...

6.1 CVSS, 6.5 AI score, 0.00223 EPSS
Exploits: 0, References: 2

OSV
added 2024/03/06 10:57 a.m., 14 views

BIT-DRUPAL-2020-13670

Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prio...

7.5 CVSS, 7.3 AI score, 0.00427 EPSS
Exploits: 0, References: 2

Tenable Nessus
added 2023/09/29 12:0 a.m., 8 views

Tenable Nessus SEoL (8.9.x)

According to its version, Tenable Nessus is 8.9.x. It is, therefore, no longer maintained by its vendor or provider. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it may contain security vulnerabilities...

5.5 AI score
Exploits: 0, References: 1

Tenable Nessus
added 2023/03/14 12:0 a.m., 8 views

Atlassian Jira 8.9.x < 8.9.1 XSS in Issue Attachments

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 8.9.1. It is, therefore, affected by a vulnerability which permits remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability issue...

4.8 CVSS, 6 AI score, 0.00277 EPSS
Exploits: 0, References: 2

OSV
added 2022/05/24 7:5 p.m., 27 views

GHSA-QF2G-MRRX-RR5P Drupal Core Cross-site scripting vulnerability

Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6...

6.1 CVSS, 6 AI score, 0.0034 EPSS
Exploits: 0, References: 3

OSV
added 2022/05/24 5:49 p.m., 20 views

GHSA-WXQP-JWC9-G39X Drupal Core Access bypass vulnerability

Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the readonly set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x...

9.8 CVSS, 9.2 AI score, 0.00581 EPSS
Exploits: 0, References: 5

GitHub Security Blog
added 2022/05/24 5:49 p.m., 25 views

Drupal Core Cross-site scripting vulnerability

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6...

6.1 CVSS, 5.5 AI score, 0.00509 EPSS
Exploits: 0, References: 5, Affected Software: 2

OpenVAS
added 2022/03/28 12:0 a.m., 19 views

GitLab 8.9.x - 8.10.12, 8.11.x - 8.11.9, 8.12.x - 8.12.7, 8.13.x - 8.13.2 Directory Traversal Vulnerability

GitLab is prone to a directory traversal vulnerability...

6.5 CVSS, 6.5 AI score, 0.13489 EPSS
Exploits: 39, References: 2

OSV
added 2022/02/11 4:15 p.m., 0 views

UBUNTU-CVE-2020-13670

Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prio...

7.5 CVSS, 7.1 AI score, 0.00427 EPSS
Exploits: 0, References: 3

Tenable Nessus
added 2021/07/26 12:0 a.m., 23 views

Drupal 8.9.x < 8.9.17 Third-Party Library Vulnerability

According to its self-reported version, the instance of Drupal running on the remote web server is 7.0.x prior to 7.82, 8.9.x prior to 8.9.17, 9.1.x prior to 9.1.11 or 9.2.x prior to 9.2.2. It is, therefore, affected by a vulnerability due to the PEAR Archive_Tar library used by Drupal. The Drupal...

7.1 CVSS, 7.5 AI score, 0.03018 EPSS
Exploits: 0, References: 3

Tenable Nessus
added 2021/06/03 12:0 a.m., 21 views

Drupal 8.9.x < 8.9.16 Cross-Site Scripting

According to its self-reported version, the instance of Drupal running on the remote web server is 8.9.x prior to 8.9.16, 9.0.x prior to 9.0.14 or 9.1.x prior to 9.1.9. It is, therefore, affected by a Cross-Site Scripting (XSS) vulnerability. Drupal uses the third-party library CKEditor which is...

6.4 AI score
Exploits: 0, References: 2

Prion
added 2021/05/05 3:15 p.m., 17 views

Security feature bypass

Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the readonly set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x...

7.5 CVSS, 9.3 AI score, 0.00581 EPSS
Exploits: 0, References: 1, Affected Software: 1

UbuntuCve
added 2021/05/05 3:15 p.m., 21 views

CVE-2020-13664

Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to...

9.3 CVSS, 7.7 AI score, 0.01962 EPSS
Exploits: 0, References: 2

UbuntuCve
added 2021/05/05 3:15 p.m., 29 views

CVE-2020-13665

Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the readonly set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x...

9.8 CVSS, 7.2 AI score, 0.00581 EPSS
Exploits: 0, References: 2

NVD
added 2021/05/05 2:15 p.m., 21 views

CVE-2020-13666

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6...

6.1 CVSS, 0.00509 EPSS
Exploits: 0, References: 1

CVE
added 2021/05/05 2:14 p.m., 131 views

CVE-2020-13665

CVE-2020-13665 is an access-bypass vulnerability in Drupal Core related to JSON:API when in read/write mode (jsonapi.settings read_only = FALSE). Affected are Drupal Core 8.8.x before 8.8.8; 8.9.x before 8.9.1; 9.0.x before 9.0.1. The issue stems from insufficient validation in JSON:API PATCH req...

9.8 CVSS, 9.1 AI score, 0.00581 EPSS
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 2021/05/05 2:14 p.m., 19 views

CVE-2020-13665

Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the readonly set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x...

9.3 AI score, 0.00581 EPSS
Exploits: 0, References: 1

AlpineLinux
added 2021/05/05 1:50 p.m., 50 views

CVE-2020-13666

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6...

6.1 CVSS, 6.3 AI score, 0.00509 EPSS
Exploits: 0

Tenable Nessus
added 2021/04/22 12:0 a.m., 7 views

Drupal 8.9.x < 8.9.14 Cross-Site Scripting

According to its self-reported version, the instance of Drupal running on the remote web server is 7.0.x prior to 7.80, 8.9.x prior to 8.9.14, 9.0.x prior to 9.0.12 or 9.1.x prior to 9.1.7. It is, therefore, affected by a Cross-Site Scripting (XSS) vulnerability due to Drupal core's sanitization AP...

6.2 AI score
Exploits: 0, References: 2