18 matches found

The Hacker News
added 2026/06/09 9:50 a.m. · 16 views

New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing

A malicious website can work out which sites you visit and which apps you open, using nothing but JavaScript and the timing of your SSD. The attack, called FROST, needs no native code, no extension, and no permission prompt. You open the page, leave the tab sitting there, and it watches the driv...

AI score 5.6
Exploits 0

EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2013-0278

Malware in sbrugna...

CVSS 4.3 · AI score 6.2 · EPSS 0.02104
Exploits 0 · References 6

EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2022-2727

Malicious code in bioql PyPI...

CVSS 5.3 · AI score 6.2 · EPSS 0.01056
Exploits 0 · References 8

Snyk
added 2025/01/09 8:45 p.m. · 4 views

Missing Authorization

Overview: goalgorilla/opensocial is a distribution for building social communities and intranets. Affected versions of this package are vulnerable to Missing Authorization where newly uploaded files were no longer stored in the private file system as intended. An attacker can gain unauthorized...

CVSS 5.3 · AI score 6.9 · EPSS 0.00292
Exploits 0 · References 2

Drupal
added 2024/12/11 12:0 a.m. · 7 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076

Open Social is a Drupal distribution for online communities, which ships with a default optional module socialfileprivate to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem. For installations of Open Social prior to version 11.8....

CVSS 5.3 · AI score 6.9 · EPSS 0.00292
Exploits 0 · References 6

OSV
added 2023/04/26 2:15 p.m. · 1 view

UBUNTU-CVE-2022-25275

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However,...

CVSS 7.5 · AI score 5.7 · EPSS 0.00667
Exploits 0 · References 3

Positive Technologies
added 2022/08/06 12:0 a.m. · 3 views

PT-2022-17184 · Drupal · Drupal

Name of the Vulnerable Software and Affected Versions: Drupal versions prior to the fixed version. Description: The Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access ...

CVSS 7.5 · AI score 7.3 · EPSS 0.00667
Exploits 0 · References 14

OSV
added 2022/05/13 1:46 a.m. · 20 views

GHSA-66MV-Q8R2-HJ8W Drupal access bypass vulnerability

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another...

CVSS 5.3 · AI score 6.2 · EPSS 0.01056
Exploits 0 · References 7

GitHub Security Blog
added 2022/05/13 1:46 a.m. · 20 views

Drupal access bypass vulnerability

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another...

CVSS 5.3 · AI score 6.5 · EPSS 0.01056
Exploits 0 · References 7 · Affected Software 2

OSV
added 2019/01/22 3:29 p.m. · 5 views

UBUNTU-CVE-2017-6922

In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not...

CVSS 6.5 · AI score 6.7 · EPSS 0.01947
Exploits 0 · References 4

NVD
added 2018/03/01 11:29 p.m. · 18 views

CVE-2017-6928

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another...

CVSS 5.3 · AI score 5.3 · EPSS 0.01056
Exploits 0 · References 3

UbuntuCve
added 2018/03/01 11:29 p.m. · 27 views

CVE-2017-6928

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another...

CVSS 5.3 · AI score 6.6 · EPSS 0.01056
Exploits 0 · References 2

Prion
added 2018/03/01 11:29 p.m. · 24 views

Security feature bypass

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another...

CVSS 3.5 · AI score 5.5 · EPSS 0.01056
Exploits 0 · References 3 · Affected Software 2

OSV
added 2018/03/01 11:29 p.m. · 20 views

CVE-2017-6928

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another...

CVSS 5.3 · AI score 5.5
Exploits 0 · References 3

OSV
added 2018/03/01 11:29 p.m. · 1 view

UBUNTU-CVE-2017-6928

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another...

CVSS 5.3 · AI score 6.4 · EPSS 0.01056
Exploits 0 · References 3

Tenable Nessus
added 2017/07/07 12:0 a.m. · 35 views

FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (4fc2df49-6279-11e7-be0f-6cf0497db129)

Drupal Security Team reports: CVE-2017-6920: PECL YAML parser unsafe object handling. CVE-2017-6921: File REST resource does not properly validate CVE-2017-6922: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users. ...

CVSS 9.8 · AI score 6.7 · EPSS 0.20482
Exploits 7 · References 4

Friends Of PHP
added 2017/06/21 6:13 p.m. · 20 views

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

More info at https://www.drupal.org/SA-CORE-2017-003...

CVSS 6.5 · AI score 7.2 · EPSS 0.01947
Exploits 0 · Affected Software 1

Drupal
added 2009/10/20 12:0 a.m. · 6 views

SA-CONTRIB-2009-082 - Filefield module access bypass

The FileField module allows users to upload files through an AJAX-upload widget that can be added to content types through CCK. In the 3.1 version of FileField, the module would not restrict access to files based on node-access permissions when using Drupal core's private file system. Versions...

AI score 5.4
Exploits 0 · References 5