CVE-2024-31247 – WordPress FG Drupal to WordPress plugin <= 3.70.3 - Sensitive Data Exposure via Log File vulnerability
https://notcve.org/view.php?id=CVE-2024-31247
Insertion of Sensitive Information into Log File vulnerability in Frédéric GILLES FG Drupal to WordPress.This issue affects FG Drupal to WordPress: from n/a through 3.70.3. The FG Drupal to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.70.3 via log files. This makes it possible for unauthenticated attackers to extract sensitive data from log files. • https://patchstack.com/database/vulnerability/fg-drupal-to-wp/wordpress-fg-drupal-to-wordpress-plugin-3-70-3-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVE-2024-22362
https://notcve.org/view.php?id=CVE-2024-22362
Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. Drupal contiene una vulnerabilidad con manejo inadecuado de elementos estructurales. Si se aprovecha esta vulnerabilidad, un atacante puede provocar una condición de denegación de servicio (DoS). • https://github.com/drupal/drupal https://jvn.jp/en/jp/JVN63383723 https://www.drupal.org https://www.drupal.org/about/core/policies/core-release-cycles/schedule •
CVE-2023-5256 – Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
https://notcve.org/view.php?id=CVE-2023-5256
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected. En ciertos escenarios, el módulo JSON:API de Drupal generará seguimientos de errores. Con algunas configuraciones, esto puede hacer que la información confidencial se almacene en caché y se ponga a disposición de usuarios anónimos, lo que lleva a una escalada de privilegios. Esta vulnerabilidad solo afecta a los sitios con el módulo JSON:API habilitado y se puede mitigar desinstalando JSON:API. • https://www.drupal.org/sa-core-2023-006 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-31250
https://notcve.org/view.php?id=CVE-2023-31250
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating. • https://www.drupal.org/sa-core-2023-005 • CWE-863: Incorrect Authorization •
CVE-2022-25273
https://notcve.org/view.php?id=CVE-2022-25273
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. • https://www.drupal.org/sa-core-2022-008 • CWE-20: Improper Input Validation •