CVSS: 8.8EPSS: 16%CPEs: 6EXPL: 0CVE-2020-13671 – Drupal core Un-restricted Upload of File
https://notcve.org/view.php?id=CVE-2020-13671
20 Nov 2020 — Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. Drupal core no sanea apropiadamente determinados nombres de archivo en los archivos cargados, lo que puede conllevar a un... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 74%CPEs: 11EXPL: 4CVE-2020-28948 – Archive_Tar: allows an unserialization attack because phar: is blocked but PHAR: is not blocked
https://notcve.org/view.php?id=CVE-2020-28948
19 Nov 2020 — Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. Archive_Tar versiones hasta 1.4.10, permite un ataque de no serialización porque phar: está bloqueado pero PHAR: no está bloqueado The php-pear package contains the PHP Extension and Application Repository, a framework and distribution system for reusable PHP components. Issues addressed include file overwrite and traversal vulnerabilities. • https://github.com/0x240x23elu/CVE-2020-28948-and-CVE-2020-28949 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 93%CPEs: 11EXPL: 5CVE-2020-28949 – PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2020-28949
19 Nov 2020 — Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. Archive_Tar versiones hasta 1.4.10, presenta una desinfección del nombre de archivo :// solo para abordar los ataques phar y, por lo tanto, cualquier otro ataque de empaquetado de flujo (tal y como file:// para sobrescribir archivos) aún puede tener éxito A flaw was found in the Archive_Tar package. PEAR Archive_Tar could allo... • https://packetstorm.news/files/id/161095 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13663 – Debian Security Advisory 4706-1
https://notcve.org/view.php?id=CVE-2020-13663
28 Jun 2020 — Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. Una vulnerabilidad de tipo Cross Site Request Forgery en la API de Drupal Core Form no maneja apropiadamente determinadas entradas de formularios de peticiones de tipo cross-site, lo que puede conllevar a otras vulnerabilidades It was discovered that Drupal, a fully-featured content management framework, was suspectible to cross site ... • https://www.drupal.org/sa-core-2020-004 • CWE-352: Cross-Site Request Forgery (CSRF) •