Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Drupal
(Drupal)| Repositories |
• https://github.com/jquery/jquery-ui
• https://github.com/symfony/symfony |
| #Vulnerabilities | 253 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-10-26 | CVE-2021-41182 | jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources. | Debian_linux, Drupal, Fedora, Jquery_ui, H300e_firmware, H300s_firmware, H410c_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Agile_plm, Application_express, Banking_platform, Big_data_spatial_and_graph, Communications_interactive_session_recorder, Communications_operations_monitor, Hospitality_inventory_management, Hospitality_materials_control, Hospitality_suite8, Jd_edwards_enterpriseone_tools, Mysql_enterprise_monitor, Peoplesoft_enterprise_peopletools, Policy_automation, Primavera_unifier, Rest_data_services, Weblogic_server, Tenable\.sc | 6.1 | ||
| 2021-10-26 | CVE-2021-41183 | jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. | Debian_linux, Drupal, Fedora, Jquery_ui, H300e_firmware, H300s_firmware, H410c_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Agile_plm, Application_express, Banking_platform, Big_data_spatial_and_graph, Communications_interactive_session_recorder, Communications_operations_monitor, Hospitality_inventory_management, Hospitality_suite8, Jd_edwards_enterpriseone_tools, Mysql_enterprise_monitor, Peoplesoft_enterprise_peopletools, Policy_automation, Primavera_gateway, Rest_data_services, Weblogic_server, Tenable\.sc | 6.1 | ||
| 2021-10-26 | CVE-2021-41184 | jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. | Drupal, Fedora, Jquery_ui, H300e_firmware, H300s_firmware, H410c_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Agile_plm, Application_express, Banking_platform, Big_data_spatial_and_graph, Communications_interactive_session_recorder, Communications_operations_monitor, Hospitality_inventory_management, Hospitality_materials_control, Hospitality_suite8, Jd_edwards_enterpriseone_tools, Peoplesoft_enterprise_peopletools, Policy_automation, Primavera_unifier, Rest_data_services, Weblogic_server, Tenable\.sc | 6.1 | ||
| 2022-06-10 | CVE-2022-31042 | Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any... | Debian_linux, Drupal, Guzzle | 7.5 | ||
| 2022-06-10 | CVE-2022-31043 | Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only... | Debian_linux, Drupal, Guzzle | 7.5 | ||
| 2022-05-25 | CVE-2022-29248 | Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to... | Debian_linux, Drupal, Guzzle | 8.1 | ||
| 2014-11-24 | CVE-2010-5312 | Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. | Drill, Debian_linux, Drupal, Fedora, Jquery_ui, Snapcenter | 6.1 | ||
| 2023-04-26 | CVE-2022-25273 | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. | Drupal | 7.5 | ||
| 2023-04-26 | CVE-2022-25274 | Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system. | Drupal | 5.4 | ||
| 2023-04-26 | CVE-2022-25275 | In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets... | Drupal | 7.5 |