CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-25271
https://notcve.org/view.php?id=CVE-2022-25271
16 Feb 2022 — Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. La API de formularios del núcleo de Drupal presenta una vulnerabilidad en la que determinados formularios de módulos contribuidos o personalizados pueden ser vulnerables a una comprobación ina... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13677
https://notcve.org/view.php?id=CVE-2020-13677
11 Feb 2022 — Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. En algunas circunstancias, el módulo JSON:API del núcleo de Drupal no restringe apropiadamente el acceso a determinados contenidos, lo que puede resultar en una omisión de acceso no intencionada. Los sitios que no presentan el módulo JSON:API habilitado no están afectados • https://www.drupal.org/sa-core-2021-010 • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13676
https://notcve.org/view.php?id=CVE-2020-13676
11 Feb 2022 — The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. El módulo QuickEdit no comprueba correctamente el acceso a los campos en algunas circunstancias, que puede conllevar a una divulgación involuntaria de los datos de los campos. Los sitios sólo están afectados si el módulo QuickEdit (que viene con el perfil estándar) está... • https://www.drupal.org/sa-core-2021-009 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13674
https://notcve.org/view.php?id=CVE-2020-13674
11 Feb 2022 — The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability. El módulo QuickEdit no comprueba apropiadamente el acceso a las rutas, lo que podría permitir un ataque de tipo cros... • https://www.drupal.org/sa-core-2021-007 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13675
https://notcve.org/view.php?id=CVE-2020-13675
11 Feb 2022 — Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site. Los módulos JSON:API y REST/File de Drupal permiten la carga de archivos mediante sus APIs HTTP. Los módulos no ejecutan correctamente toda la comprobación de los archivos, lo que causa una vulnerabilidad de omi... • https://www.drupal.org/sa-core-2021-008 • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13672
https://notcve.org/view.php?id=CVE-2020-13672
11 Feb 2022 — Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. Una vulnerabilidad de tipo Cross-site Scripting (XSS) en la API de saneo del núcleo de Drupal que no filtra apropiadamente las vulnerabilidades de tipo cross-site scripting en determinadas circunstancias. Es... • https://www.drupal.org/sa-core-2021-002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.2EPSS: 0%CPEs: 21EXPL: 0CVE-2021-41165 – HTML comments vulnerability allowing to execute JavaScript code
https://notcve.org/view.php?id=CVE-2021-41165
17 Nov 2021 — CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.2EPSS: 0%CPEs: 23EXPL: 0CVE-2021-41164 – Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML
https://notcve.org/view.php?id=CVE-2021-41164
17 Nov 2021 — CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 3%CPEs: 54EXPL: 1CVE-2021-41183 – XSS in `*Text` options of the Datepicker widget
https://notcve.org/view.php?id=CVE-2021-41183
26 Oct 2021 — jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 40%CPEs: 53EXPL: 1CVE-2021-41184 – XSS in the `of` option of the `.position()` util
https://notcve.org/view.php?id=CVE-2021-41184
26 Oct 2021 — jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://github.com/gabrielolivra/Exploit-Medium-CVE-2021-41184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •