CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13688
https://notcve.org/view.php?id=CVE-2020-13688
11 Jun 2021 — Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6. Una vulnerabilidad de tipo cross-site scripting en l Drupal Core permite que un atacante pueda aprovechar la forma en que se renderiza el HTML de los formularios afectados para explotar la vulnerabilidad. Este pr... • https://www.drupal.org/sa-core-2020-009 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 8EXPL: 0CVE-2021-33829 – Ubuntu Security Notice USN-5340-1
https://notcve.org/view.php?id=CVE-2021-33829
09 Jun 2021 — A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. Una vulnerabilidad de tipo cross-site scripting (XSS) en el Procesador de Datos HTML en CKEditor versiones 4 4.14.0 hasta 4.16.x versiones anteriores a 4.16.1, permite a atacantes remotos inyectar código JavaScript ejecutable mediante un comentario diseñado porque -!> No es... • https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13667
https://notcve.org/view.php?id=CVE-2020-13667
17 May 2021 — Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue affects Dru... • https://www.drupal.org/sa-core-2020-008 • CWE-276: Incorrect Default Permissions •
CVSS: 9.3EPSS: 2%CPEs: 3EXPL: 0CVE-2020-13664
https://notcve.org/view.php?id=CVE-2020-13664
05 May 2021 — Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions p... • https://www.drupal.org/sa-core-2020-005 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-13665
https://notcve.org/view.php?id=CVE-2020-13665
05 May 2021 — Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1. Una vulnerabilidad de omisión de acceso en Drupal Core permite JSON:API cuando JSON:API está en modo de lectura y escritura. Solo los sitios que tienen read_only ajustado en FALSE bajo ... • https://www.drupal.org/sa-core-2020-006 •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13666
https://notcve.org/view.php?id=CVE-2020-13666
05 May 2021 — Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. Una vulnerabilidad de tipo cross-site scripting en Drupal Core. La API de Drupal AJAX no deshabilita JSONP por defecto, permitiendo un ataque de tipo XSS. • https://www.drupal.org/sa-core-2020-007 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 76%CPEs: 11EXPL: 0CVE-2020-36193 – PEAR Archive_Tar Improper Link Resolution Vulnerability
https://notcve.org/view.php?id=CVE-2020-36193
18 Jan 2021 — Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. El archivo Tar.php en Archive_Tar versiones hasta 1.4.11, permite operaciones de escritura con Salto de Directorio debido a una comprobación inadecuada de enlaces simbólicos, un problema relacionado al CVE-2020-28948 A flaw was found in the Archive_Tar package. Archive_Tar could allow a remote attacker to traverse directories on the system ca... • https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.8EPSS: 16%CPEs: 6EXPL: 0CVE-2020-13671 – Drupal core Un-restricted Upload of File
https://notcve.org/view.php?id=CVE-2020-13671
20 Nov 2020 — Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. Drupal core no sanea apropiadamente determinados nombres de archivo en los archivos cargados, lo que puede conllevar a un... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 74%CPEs: 11EXPL: 4CVE-2020-28948 – Archive_Tar: allows an unserialization attack because phar: is blocked but PHAR: is not blocked
https://notcve.org/view.php?id=CVE-2020-28948
19 Nov 2020 — Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. Archive_Tar versiones hasta 1.4.10, permite un ataque de no serialización porque phar: está bloqueado pero PHAR: no está bloqueado The php-pear package contains the PHP Extension and Application Repository, a framework and distribution system for reusable PHP components. Issues addressed include file overwrite and traversal vulnerabilities. • https://github.com/0x240x23elu/CVE-2020-28948-and-CVE-2020-28949 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 93%CPEs: 11EXPL: 5CVE-2020-28949 – PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2020-28949
19 Nov 2020 — Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. Archive_Tar versiones hasta 1.4.10, presenta una desinfección del nombre de archivo :// solo para abordar los ataques phar y, por lo tanto, cualquier otro ataque de empaquetado de flujo (tal y como file:// para sobrescribir archivos) aún puede tener éxito A flaw was found in the Archive_Tar package. PEAR Archive_Tar could allo... • https://packetstorm.news/files/id/161095 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •