Security Advisories - drupal/drupal

drupal/drupal Security Advisories for 8.0-alpha13 (64)

Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.10|>=8.9.0,<8.9.6|>=9.0.0,<9.0.6

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.10|>=8.9.0,<8.9.6|>=9.0.0,<9.0.6

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

Affected version: >=7.0.0,<7.73|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.10|>=8.9.0,<8.9.6|>=9.0.0,<9.0.6

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.10|>=8.9.0,<8.9.6|>=9.0.0,<9.0.6

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.10|>=8.9.0,<8.9.6|>=9.0.0,<9.0.6

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.8|>=8.9.0,<8.9.1|>=9.0.0,<9.0.1

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004

Affected version: >=7.0.0,<7.72|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.8|>=8.9.0,<8.9.1|>=9.0.0,<9.0.1

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Less critical - Access bypass - SA-CORE-2020-006

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.8.0|>=8.8.0,<8.8.8|>=8.9.0,<8.9.1|>=9.0.0,<9.0.1

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002

Affected version: >=7.0.0,<7.70|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.7.14|>=8.8.0,<8.8.6

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.7.12|>=8.8.0,<8.8.4

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.7.11|>=8.8.0,<8.8.1

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.7.11|>=8.8.0,<8.8.1

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012

Affected version: >=7.0.0,<7.69|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.7.11|>=8.8.0,<8.8.1

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.7.0|>=8.7.0,<8.7.11|>=8.8.0,<8.8.1

Reported by:
FriendsOfPHP/security-advisories
Moderately critical - Third-party libraries - SA-CORE-2019-007

CVE-2019-11831

Affected version: >=7.0.0,<7.67.0|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.6.0|>=8.6.0,<8.6.16|>=8.7.0,<8.7.1

Reported by:
FriendsOfPHP/security-advisories
Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005

Affected version: >=7.0,<7.65|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.14|>=8.6.0,<8.6.14

Reported by:
FriendsOfPHP/security-advisories
Moderately critical - Cross Site Scripting - SA-CORE-2019-004

Affected version: >=7.0,<7.64|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.13|>=8.6.0,<8.6.12

Reported by:
FriendsOfPHP/security-advisories
Highly critical - Remote Code Execution

CVE-2019-6340

Affected version: >=7.0.0,<7.62.0|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.11|>=8.6.0,<8.6.10

Reported by:
FriendsOfPHP/security-advisories
Critical - Third Party Libraries

CVE-2019-6338

Affected version: >=7.0.0,<7.62.0|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.9|>=8.6.0,<8.6.6

Reported by:
FriendsOfPHP/security-advisories
Critical - Arbitrary PHP code execution

CVE-2019-6339

Affected version: >=7.0.0,<7.62.0|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.9|>=8.6.0,<8.6.6

Reported by:
FriendsOfPHP/security-advisories
Content moderation - Moderately critical - Access bypass

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.8|>=8.6.0,<8.6.2

Reported by:
FriendsOfPHP/security-advisories
Contextual Links validation - Critical - Remote Code Execution

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.8|>=8.6.0,<8.6.2

Reported by:
FriendsOfPHP/security-advisories
Anonymous Open Redirect - Moderately Critical - Open Redirect

Affected version: >=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.8|>=8.6.0,<8.6.2

Reported by:
FriendsOfPHP/security-advisories
External URL injection through URL aliases - Moderately Critical - Open Redirect

Affected version: >=7.0,<7.60|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.8|>=8.6.0,<8.6.2

Reported by:
FriendsOfPHP/security-advisories
Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution

Affected version: >=7.0,<7.60|>=8.0.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.5.0|>=8.5.0,<8.5.8|>=8.6.0,<8.6.2

Reported by:
FriendsOfPHP/security-advisories
Critical - Remote Code Execution

CVE-2018-7602

Affected version: >=7.0,<7.59|>=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4,<8.4.8|>=8.5,<8.5.3

Reported by:
FriendsOfPHP/security-advisories
Moderately critical - Cross Site Scripting

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4,<8.4.7|>=8.5,<8.5.2

Reported by:
FriendsOfPHP/security-advisories
Highly critical - Remote Code Execution

CVE-2018-7600

Affected version: >=7.0,<7.58|>=8.0,<8.3.9|>=8.4,<8.4.6|>=8.5,<8.5.1

Reported by:
FriendsOfPHP/security-advisories
JavaScript cross-site scripting prevention is incomplete.

CVE-2017-6927

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.4.5

Reported by:
FriendsOfPHP/security-advisories
Comment reply form allows access to restricted content.

CVE-2017-6926

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.4.5

Reported by:
FriendsOfPHP/security-advisories
External link injection on 404 pages when linking to the current page.

CVE-2017-6932

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.4.5

Reported by:
FriendsOfPHP/security-advisories
Language fallback can be incorrect on multilingual sites with node access restrictions.

CVE-2017-6930

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.4.5

Reported by:
FriendsOfPHP/security-advisories
Settings Tray access bypass.

CVE-2017-6931

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.4.5

Reported by:
FriendsOfPHP/security-advisories
Private file access bypass.

CVE-2017-6928

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.4.5

Reported by:
FriendsOfPHP/security-advisories
jQuery vulnerability with untrusted domains.

CVE-2017-6929

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.4.0|>=8.4.0,<8.4.5

Reported by:
FriendsOfPHP/security-advisories
Views does not properly restrict access to the Ajax endpoint.

CVE-2017-6923

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.3.7

Reported by:
FriendsOfPHP/security-advisories
REST API can bypass comment approval.

CVE-2017-6924

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.3.7

Reported by:
FriendsOfPHP/security-advisories
Entity access bypass for entities that do not have UUIDs or have protected revisions.

CVE-2017-6925

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.3.7

Reported by:
FriendsOfPHP/security-advisories
File REST resource does not properly validate

CVE-2017-6921

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.3.4

Reported by:
FriendsOfPHP/security-advisories
Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

CVE-2017-6922

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.3.4

Reported by:
FriendsOfPHP/security-advisories
PECL YAML parser unsafe object handling

CVE-2017-6920

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.3.0|>=8.3.0,<8.3.4

Reported by:
FriendsOfPHP/security-advisories
Access bypass

CVE-2017-6919

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.8|>=8.3.0,<8.3.1

Reported by:
FriendsOfPHP/security-advisories
Editor module incorrectly checks access to inline private files

CVE-2017-6377

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.7

Reported by:
FriendsOfPHP/security-advisories
Some admin paths were not protected with a CSRF token

CVE-2017-6379

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.7

Reported by:
FriendsOfPHP/security-advisories
Remote code execution

CVE-2017-6381

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.7

Reported by:
FriendsOfPHP/security-advisories
Incorrect cache context on password reset page

CVE-2016-9450

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.3

Reported by:
FriendsOfPHP/security-advisories
Denial of service via transliterate mechanism

CVE-2016-9452

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.3

Reported by:
FriendsOfPHP/security-advisories
Inconsistent name for term access query

CVE-2016-9449

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.2.0|>=8.2.0,<8.2.3

Reported by:
FriendsOfPHP/security-advisories
Users without "Administer comments" can set comment visibility on nodes they can edit

CVE-2016-7570

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.1.10

Reported by:
FriendsOfPHP/security-advisories
Full config export can be downloaded without administrative permissions

CVE-2016-7572

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.1.10

Reported by:
FriendsOfPHP/security-advisories
Cross-site Scripting in http exceptions

CVE-2016-7571

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.1.10

Reported by:
FriendsOfPHP/security-advisories
Drupal Core - Highly Critical - Injection - SA-CORE-2016-003

CVE-2016-5385

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.1.7

Reported by:
FriendsOfPHP/security-advisories
Saving user accounts can sometimes grant the user all roles

CVE-2016-6211

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.1.3

Reported by:
FriendsOfPHP/security-advisories
Views can allow unauthorized users to see Statistics information

CVE-2016-6212

Affected version: >=8.0,<8.1.0|>=8.1.0,<8.1.3

Reported by:
FriendsOfPHP/security-advisories
HTTP header injection using line breaks

CVE-2016-3166

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories
Open redirect via path manipulation

CVE-2016-3164

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories
Reflected file download vulnerability

CVE-2016-3168

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories
Session data truncation can lead to unserialization of user provided data

CVE-2016-3171

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories
File upload access bypass and denial of service

CVE-2016-3162

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories
Open redirect via double-encoded 'destination' parameter

CVE-2016-3167

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories
Saving user accounts can sometimes grant the user all roles

CVE-2016-3169

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories
Form API ignores access restrictions on submit buttons

CVE-2016-3165

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories
Email address can be matched to an account

CVE-2016-3170

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories
Brute force amplification attacks via XML-RPC

CVE-2016-3163

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories