CVSS: 9.8EPSS: 77%CPEs: 5EXPL: 1CVE-2019-6339 – PHAR stream wrapper Arbitrary PHP code execution
https://notcve.org/view.php?id=CVE-2019-6339
22 Jan 2019 — In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative per... • https://github.com/Vulnmachines/drupal-cve-2019-6339 • CWE-20: Improper Input Validation •
CVSS: 8.0EPSS: 1%CPEs: 5EXPL: 0CVE-2019-6338 – third-party PEAR Archive_Tar library updates
https://notcve.org/view.php?id=CVE-2019-6338
22 Jan 2019 — In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details Drupal Core, en sus versiones 7.x anteriores a la 7.62, en las 8.6.x anteriores a la 8.6.6 y en las 8.5.x anteriores a la 8.5.9, utiliza la biblioteca "PEAR Archive_Tar" de terceros. Esta biblioteca ha publicado una actualización de seguri... • http://www.securityfocus.com/bid/106706 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 5%CPEs: 9EXPL: 0CVE-2018-14773 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2018-14773
03 Aug 2018 — An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an ... • http://www.securityfocus.com/bid/104943 •
CVSS: 9.8EPSS: 94%CPEs: 6EXPL: 9CVE-2018-7602 – Drupal Core Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-7602
26 Apr 2018 — A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. Existe una vulnerabilidad de ejecución remota de código en múltiples subsistemas de Drupal en v... • https://packetstorm.news/files/id/147380 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-9861 – Ubuntu Security Notice USN-5340-1
https://notcve.org/view.php?id=CVE-2018-9861
19 Apr 2018 — Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element. Vulnerabilidad Cross-Site Scripting (XSS) en el plugin Enhanced Image (también conocido como image2) para CKEditor (de la versión 4.5.10 a la 4.9.1; solucionado en la versión 4.9.2), tal y como se emple... • http://www.securityfocus.com/bid/103924 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 94%CPEs: 7EXPL: 45CVE-2018-7600 – Drupal Core Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-7600
29 Mar 2018 — Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. Drupal en versiones anteriores a la 7.58, 8.x anteriores a la 8.3.9, 8.4.x anteriores a la 8.4.6 y 8.5.x anteriores a la 8.5.1 permite que los atacantes remotos ejecuten código arbitrario debido a un problema que afecta a múltiples subsistemas con configuraciones de módulos por defect... • https://packetstorm.news/files/id/147247 • CWE-20: Improper Input Validation •