CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13677
https://notcve.org/view.php?id=CVE-2020-13677
11 Feb 2022 — Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. En algunas circunstancias, el módulo JSON:API del núcleo de Drupal no restringe apropiadamente el acceso a determinados contenidos, lo que puede resultar en una omisión de acceso no intencionada. Los sitios que no presentan el módulo JSON:API habilitado no están afectados • https://www.drupal.org/sa-core-2021-010 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13675
https://notcve.org/view.php?id=CVE-2020-13675
11 Feb 2022 — Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site. Los módulos JSON:API y REST/File de Drupal permiten la carga de archivos mediante sus APIs HTTP. Los módulos no ejecutan correctamente toda la comprobación de los archivos, lo que causa una vulnerabilidad de omi... • https://www.drupal.org/sa-core-2021-008 • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13672
https://notcve.org/view.php?id=CVE-2020-13672
11 Feb 2022 — Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. Una vulnerabilidad de tipo Cross-site Scripting (XSS) en la API de saneo del núcleo de Drupal que no filtra apropiadamente las vulnerabilidades de tipo cross-site scripting en determinadas circunstancias. Es... • https://www.drupal.org/sa-core-2021-002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 54EXPL: 1CVE-2021-41183 – XSS in `*Text` options of the Datepicker widget
https://notcve.org/view.php?id=CVE-2021-41183
26 Oct 2021 — jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 53EXPL: 1CVE-2021-41184 – XSS in the `of` option of the `.position()` util
https://notcve.org/view.php?id=CVE-2021-41184
26 Oct 2021 — jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://github.com/gabrielolivra/Exploit-Medium-CVE-2021-41184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13666
https://notcve.org/view.php?id=CVE-2020-13666
05 May 2021 — Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. Una vulnerabilidad de tipo cross-site scripting en Drupal Core. La API de Drupal AJAX no deshabilita JSONP por defecto, permitiendo un ataque de tipo XSS. • https://www.drupal.org/sa-core-2020-007 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 94%CPEs: 11EXPL: 0CVE-2020-36193 – PEAR Archive_Tar Improper Link Resolution Vulnerability
https://notcve.org/view.php?id=CVE-2020-36193
18 Jan 2021 — Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. El archivo Tar.php en Archive_Tar versiones hasta 1.4.11, permite operaciones de escritura con Salto de Directorio debido a una comprobación inadecuada de enlaces simbólicos, un problema relacionado al CVE-2020-28948 A flaw was found in the Archive_Tar package. Archive_Tar could allow a remote attacker to traverse directories on the system ca... • https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.8EPSS: 67%CPEs: 6EXPL: 0CVE-2020-13671 – Drupal core Un-restricted Upload of File
https://notcve.org/view.php?id=CVE-2020-13671
20 Nov 2020 — Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. Drupal core no sanea apropiadamente determinados nombres de archivo en los archivos cargados, lo que puede conllevar a un... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 19%CPEs: 11EXPL: 4CVE-2020-28948 – Archive_Tar: allows an unserialization attack because phar: is blocked but PHAR: is not blocked
https://notcve.org/view.php?id=CVE-2020-28948
19 Nov 2020 — Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. Archive_Tar versiones hasta 1.4.10, permite un ataque de no serialización porque phar: está bloqueado pero PHAR: no está bloqueado The php-pear package contains the PHP Extension and Application Repository, a framework and distribution system for reusable PHP components. Issues addressed include file overwrite and traversal vulnerabilities. • https://github.com/0x240x23elu/CVE-2020-28948-and-CVE-2020-28949 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 96%CPEs: 11EXPL: 5CVE-2020-28949 – PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2020-28949
19 Nov 2020 — Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. Archive_Tar versiones hasta 1.4.10, presenta una desinfección del nombre de archivo :// solo para abordar los ataques phar y, por lo tanto, cualquier otro ataque de empaquetado de flujo (tal y como file:// para sobrescribir archivos) aún puede tener éxito A flaw was found in the Archive_Tar package. PEAR Archive_Tar could allo... • https://packetstorm.news/files/id/161095 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •