Page 3 of 23 results (0.019 seconds)

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds. guzzlehttp/psr7 es una biblioteca de mensajes HTTP PSR-7. • https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1 https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96 https://www.drupal.org/sa-core-2022-006 • CWE-20: Improper Input Validation •

CVSS: 7.5EPSS: 0%CPEs: 19EXPL: 0

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. • https://ckeditor.com/cke4/release/CKEditor-4.18.0 https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP https://www.drupal.org/sa-core-2022-005 https://www.oracle.com/security-alerts/cpujul2022.html • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •

CVSS: 5.4EPSS: 0%CPEs: 19EXPL: 0

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. • https://ckeditor.com/cke4/release/CKEditor-4.18.0 https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949 https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP https://www.drupal.org/sa-core-2022-005 https://www.oracle.com/security& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. El módulo Quick Edit no comprueba correctamente el acceso a las entidades en algunas circunstancias. Esto podría resultar en que usuarios con el permiso de "access in-place editing" visualicen algunos contenidos a los que no están autorizados a acceder. • https://www.drupal.org/sa-core-2022-004 • CWE-863: Incorrect Authorization •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. La API de formularios del núcleo de Drupal presenta una vulnerabilidad en la que determinados formularios de módulos contribuidos o personalizados pueden ser vulnerables a una comprobación inapropiada de entradas. Esto podría permitir a un atacante inyectar valores no permitidos o sobrescribir datos. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4 https://www.drupal.org/sa-core-2022-003 • CWE-20: Improper Input Validation •