Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Drupal
(Drupal)| Repositories |
• https://github.com/jquery/jquery-ui
• https://github.com/symfony/symfony |
| #Vulnerabilities | 253 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-09-28 | CVE-2023-5256 | In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected. | Drupal | 7.5 | ||
| 2022-02-11 | CVE-2020-13677 | Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. | Drupal | 7.5 | ||
| 2021-10-26 | CVE-2021-41182 | jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources. | Debian_linux, Drupal, Fedora, Jquery_ui, H300e_firmware, H300s_firmware, H410c_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Agile_plm, Application_express, Banking_platform, Big_data_spatial_and_graph, Communications_interactive_session_recorder, Communications_operations_monitor, Hospitality_inventory_management, Hospitality_materials_control, Hospitality_suite8, Jd_edwards_enterpriseone_tools, Mysql_enterprise_monitor, Peoplesoft_enterprise_peopletools, Policy_automation, Primavera_unifier, Rest_data_services, Weblogic_server, Tenable\.sc | 6.1 | ||
| 2021-10-26 | CVE-2021-41183 | jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. | Debian_linux, Drupal, Fedora, Jquery_ui, H300e_firmware, H300s_firmware, H410c_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Agile_plm, Application_express, Banking_platform, Big_data_spatial_and_graph, Communications_interactive_session_recorder, Communications_operations_monitor, Hospitality_inventory_management, Hospitality_suite8, Jd_edwards_enterpriseone_tools, Mysql_enterprise_monitor, Peoplesoft_enterprise_peopletools, Policy_automation, Primavera_gateway, Rest_data_services, Weblogic_server, Tenable\.sc | 6.1 | ||
| 2021-10-26 | CVE-2021-41184 | jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. | Drupal, Fedora, Jquery_ui, H300e_firmware, H300s_firmware, H410c_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Agile_plm, Application_express, Banking_platform, Big_data_spatial_and_graph, Communications_interactive_session_recorder, Communications_operations_monitor, Hospitality_inventory_management, Hospitality_materials_control, Hospitality_suite8, Jd_edwards_enterpriseone_tools, Peoplesoft_enterprise_peopletools, Policy_automation, Primavera_unifier, Rest_data_services, Weblogic_server, Tenable\.sc | 6.1 | ||
| 2022-06-10 | CVE-2022-31042 | Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any... | Debian_linux, Drupal, Guzzle | 7.5 | ||
| 2022-06-10 | CVE-2022-31043 | Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only... | Debian_linux, Drupal, Guzzle | 7.5 | ||
| 2022-05-25 | CVE-2022-29248 | Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to... | Debian_linux, Drupal, Guzzle | 8.1 | ||
| 2014-11-24 | CVE-2010-5312 | Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. | Drill, Debian_linux, Drupal, Fedora, Jquery_ui, Snapcenter | 6.1 | ||
| 2023-04-26 | CVE-2022-25273 | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. | Drupal | 7.5 |