CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-24775 – Improper Input Validation in guzzlehttp/psr7
https://notcve.org/view.php?id=CVE-2022-24775
21 Mar 2022 — guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds. guzzlehttp/psr7 es una biblioteca de mensajes HTTP PSR-7. • https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1 • CWE-20: Improper Input Validation •
CVSS: 5.4EPSS: 0%CPEs: 19EXPL: 0CVE-2022-24728 – Cross-site Scripting in CKEditor4
https://notcve.org/view.php?id=CVE-2022-24728
16 Mar 2022 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. • https://ckeditor.com/cke4/release/CKEditor-4.18.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 19EXPL: 0CVE-2022-24729 – Regular expression Denial of Service in dialog plugin
https://notcve.org/view.php?id=CVE-2022-24729
16 Mar 2022 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. • https://ckeditor.com/cke4/release/CKEditor-4.18.0 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25270
https://notcve.org/view.php?id=CVE-2022-25270
16 Feb 2022 — The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. El módulo Quick Edit no comprueba correctamente el acceso a las entidades en algunas circunstancias. Esto podría resultar en que usuarios con el permiso de "access in-place editing" visualicen a... • https://www.drupal.org/sa-core-2022-004 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-25271
https://notcve.org/view.php?id=CVE-2022-25271
16 Feb 2022 — Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. La API de formularios del núcleo de Drupal presenta una vulnerabilidad en la que determinados formularios de módulos contribuidos o personalizados pueden ser vulnerables a una comprobación ina... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13677
https://notcve.org/view.php?id=CVE-2020-13677
11 Feb 2022 — Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. En algunas circunstancias, el módulo JSON:API del núcleo de Drupal no restringe apropiadamente el acceso a determinados contenidos, lo que puede resultar en una omisión de acceso no intencionada. Los sitios que no presentan el módulo JSON:API habilitado no están afectados • https://www.drupal.org/sa-core-2021-010 • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13676
https://notcve.org/view.php?id=CVE-2020-13676
11 Feb 2022 — The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. El módulo QuickEdit no comprueba correctamente el acceso a los campos en algunas circunstancias, que puede conllevar a una divulgación involuntaria de los datos de los campos. Los sitios sólo están afectados si el módulo QuickEdit (que viene con el perfil estándar) está... • https://www.drupal.org/sa-core-2021-009 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13674
https://notcve.org/view.php?id=CVE-2020-13674
11 Feb 2022 — The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability. El módulo QuickEdit no comprueba apropiadamente el acceso a las rutas, lo que podría permitir un ataque de tipo cros... • https://www.drupal.org/sa-core-2021-007 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13675
https://notcve.org/view.php?id=CVE-2020-13675
11 Feb 2022 — Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site. Los módulos JSON:API y REST/File de Drupal permiten la carga de archivos mediante sus APIs HTTP. Los módulos no ejecutan correctamente toda la comprobación de los archivos, lo que causa una vulnerabilidad de omi... • https://www.drupal.org/sa-core-2021-008 • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.2EPSS: 0%CPEs: 21EXPL: 0CVE-2021-41165 – HTML comments vulnerability allowing to execute JavaScript code
https://notcve.org/view.php?id=CVE-2021-41165
17 Nov 2021 — CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •