CVSS: 8.8EPSS: 16%CPEs: 6EXPL: 0CVE-2020-13671 – Drupal core Un-restricted Upload of File
https://notcve.org/view.php?id=CVE-2020-13671
20 Nov 2020 — Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. Drupal core no sanea apropiadamente determinados nombres de archivo en los archivos cargados, lo que puede conllevar a un... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 74%CPEs: 11EXPL: 4CVE-2020-28948 – Archive_Tar: allows an unserialization attack because phar: is blocked but PHAR: is not blocked
https://notcve.org/view.php?id=CVE-2020-28948
19 Nov 2020 — Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. Archive_Tar versiones hasta 1.4.10, permite un ataque de no serialización porque phar: está bloqueado pero PHAR: no está bloqueado The php-pear package contains the PHP Extension and Application Repository, a framework and distribution system for reusable PHP components. Issues addressed include file overwrite and traversal vulnerabilities. • https://github.com/0x240x23elu/CVE-2020-28948-and-CVE-2020-28949 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 93%CPEs: 11EXPL: 5CVE-2020-28949 – PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2020-28949
19 Nov 2020 — Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. Archive_Tar versiones hasta 1.4.10, presenta una desinfección del nombre de archivo :// solo para abordar los ataques phar y, por lo tanto, cualquier otro ataque de empaquetado de flujo (tal y como file:// para sobrescribir archivos) aún puede tener éxito A flaw was found in the Archive_Tar package. PEAR Archive_Tar could allo... • https://packetstorm.news/files/id/161095 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13663 – Debian Security Advisory 4706-1
https://notcve.org/view.php?id=CVE-2020-13663
28 Jun 2020 — Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. Una vulnerabilidad de tipo Cross Site Request Forgery en la API de Drupal Core Form no maneja apropiadamente determinadas entradas de formularios de peticiones de tipo cross-site, lo que puede conllevar a otras vulnerabilidades It was discovered that Drupal, a fully-featured content management framework, was suspectible to cross site ... • https://www.drupal.org/sa-core-2020-004 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-6342 – Drupal core - Critical - Access bypass - SA-CORE-2019-008
https://notcve.org/view.php?id=CVE-2019-6342
28 May 2020 — An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. Se presenta una vulnerabilidad de omisión de acceso cuando el módulo de Workspaces experimental en el core de Drupal versión 8 está habilitado. Esto puede mitigarse deshabilitando el módulo Workspaces. • https://www.drupal.org/sa-core-2019-008 •
CVSS: 6.9EPSS: 2%CPEs: 206EXPL: 6CVE-2020-11022 – Potential XSS vulnerability in jQuery
https://notcve.org/view.php?id=CVE-2020-11022
29 Apr 2020 — In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. En las versiones de jQuery mayores o iguales a 1.2 y anteriores a la versión 3.5.0, se puede ejecutar HTML desde fuentes no seguras, incluso después de desinfectarlo, a uno de los métodos de manipulación DOM de jQuery (es decir .h... • https://packetstorm.news/files/id/162159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 11%CPEs: 81EXPL: 8CVE-2020-11023 – JQuery Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2020-11023
29 Apr 2020 — In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing
CVSS: 6.1EPSS: 1%CPEs: 24EXPL: 0CVE-2020-9281 – Ubuntu Security Notice USN-5340-1
https://notcve.org/view.php?id=CVE-2020-9281
07 Mar 2020 — A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). Una vulnerabilidad de tipo cross-site scripting (XSS) en el HTML Data Processor for CKEditor versiones 4.0 anteriores a 4.14, permite a atacantes remotos inyectar script web arbitrario por medio de un comentario "protected" diseñado (con la sintaxis cke_protected). Kyaw Min Thein discov... • https://github.com/ckeditor/ckeditor4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-11876
https://notcve.org/view.php?id=CVE-2019-11876
24 May 2019 — In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. En PrestaShop versión 1.7.5.2, el parámetro shop_country en el archivo install/index.php la instalación script/component se ve afectado por una vulnerabilidad Reflected XSS. la explotación por parte de un actor ma... • https://www.logicallysecure.com/blog/xss-presta-xss-drupal • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10909 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2019-10909
10 May 2019 — In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. En Symfony anterior de la versión 2.7.51, versión 2.8.x anterior de 2.8.50, versión 3.x anterior de 3.4.26, versión 4.x anterior de 4.1.12 y versión 4.2.x anterior de 4.2.7, los mensajes de validación no son evadidos, lo que puede llevar a una vulnerabilidad de XSS cuan... • https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •