CVE-2024-31247 – WordPress FG Drupal to WordPress plugin <= 3.70.3 - Sensitive Data Exposure via Log File vulnerability
https://notcve.org/view.php?id=CVE-2024-31247
Insertion of Sensitive Information into Log File vulnerability in Frédéric GILLES FG Drupal to WordPress.This issue affects FG Drupal to WordPress: from n/a through 3.70.3. The FG Drupal to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.70.3 via log files. This makes it possible for unauthenticated attackers to extract sensitive data from log files. • https://patchstack.com/database/vulnerability/fg-drupal-to-wp/wordpress-fg-drupal-to-wordpress-plugin-3-70-3-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVE-2024-22362
https://notcve.org/view.php?id=CVE-2024-22362
Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. Drupal contiene una vulnerabilidad con manejo inadecuado de elementos estructurales. Si se aprovecha esta vulnerabilidad, un atacante puede provocar una condición de denegación de servicio (DoS). • https://github.com/drupal/drupal https://jvn.jp/en/jp/JVN63383723 https://www.drupal.org https://www.drupal.org/about/core/policies/core-release-cycles/schedule •
CVE-2023-5256 – Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
https://notcve.org/view.php?id=CVE-2023-5256
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected. En ciertos escenarios, el módulo JSON:API de Drupal generará seguimientos de errores. Con algunas configuraciones, esto puede hacer que la información confidencial se almacene en caché y se ponga a disposición de usuarios anónimos, lo que lleva a una escalada de privilegios. Esta vulnerabilidad solo afecta a los sitios con el módulo JSON:API habilitado y se puede mitigar desinstalando JSON:API. • https://www.drupal.org/sa-core-2023-006 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-25085 – Responsive Menus Configuration Setting responsive_menus.module responsive_menus_admin_form_submit cross site scripting
https://notcve.org/view.php?id=CVE-2018-25085
A vulnerability classified as problematic was found in Responsive Menus 7.x-1.x-dev on Drupal. Affected by this vulnerability is the function responsive_menus_admin_form_submit of the file responsive_menus.module of the component Configuration Setting Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 7.x-1.7 is able to address this issue. • https://git.drupalcode.org/project/responsive_menus/-/commit/3c554b31d32a367188f44d44857b061eac949fb8 https://vuldb.com/?ctiid.227755 https://vuldb.com/?id.227755 https://www.drupal.org/project/responsive_menus/releases/7.x-1.7 https://www.drupal.org/sa-contrib-2018-079 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-31250
https://notcve.org/view.php?id=CVE-2023-31250
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating. • https://www.drupal.org/sa-core-2023-005 • CWE-863: Incorrect Authorization •