/*
Copyright 2019 Adevinta
*/
package main
import (
report "github.com/adevinta/vulcan-report"
)
// drupalVulnerability pairs a set of version constraints with the finding to
// report when a detected Drupal version satisfies them.
type drupalVulnerability struct {
	// Constraints that vulnerable versions must meet. Each entry is a
	// version-range expression such as ">=8,<8.9.19" (see the entries in
	// drupalVulnerabilities). Presumably the entries are alternatives (any
	// one matching marks the version vulnerable) and the comma joins
	// conditions within a single entry — confirm against the matcher that
	// consumes this field; it is not visible in this file.
	Constraints []string
	// Vulnerability is the report entry emitted for a matching version; its
	// Score, CWEID, References and Recommendations are filled in per advisory.
	// NOTE(review): a few entries in drupalVulnerabilities carry a CWEID that
	// does not match their Summary (SA-CORE-2020-004 CSRF tagged 601,
	// SA-CORE-2019-011 access bypass tagged 79, SA-CORE-2020-012/013 code
	// execution tagged 200). Worth auditing so CWE-based triage downstream is
	// not misled.
	Vulnerability report.Vulnerability
}
var (
// infoDrupal is the informational finding (SeverityThresholdNone) reported
// when Drupal is detected. It carries no version constraint, so presumably it
// is emitted regardless of version — confirm in the check's main logic.
infoDrupal = report.Vulnerability{
	Summary:     "Drupal Detected",
	Description: "The Drupal CMS has been detected.",
	Score:       report.SeverityThresholdNone,
	Labels:      []string{"issue"},
}
drupalVulnerabilities = []drupalVulnerability{
drupalVulnerability{
Constraints: []string{"<7", ">=8,<8.9", ">=9,<9.1"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - End-of-Life",
CWEID: 937,
Description: "Versions of Drupal 9 prior to 9.1, 8 prior to 8.9 and versions prior to 7 are end-of-life and do not receive security coverage.",
Score: report.SeverityThresholdCritical,
Recommendations: []string{"Update to a supported version"},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.9.19", ">=9,<9.1.13", ">=9.2,<9.2.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2021-010 - Access Bypass",
CWEID: 284,
Description: "Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. This advisory is not covered by Drupal Steward.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2021-010"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.2, update to Drupal 9.2.6.",
"If you are using Drupal 9.1, update to Drupal 9.1.13.",
"If you are using Drupal 8.9, update to Drupal 8.9.19.",
"Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.",
"Drupal 7 core does not include the JSON:API module and therefore is not affected.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.9.19", ">=9,<9.1.13", ">=9.2,<9.2.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2021-009 - Access bypass",
CWEID: 284,
Description: "The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. This advisory is not covered by Drupal Steward.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2021-009"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.2, update to Drupal 9.2.6.",
"If you are using Drupal 9.1, update to Drupal 9.1.13.",
"If you are using Drupal 8.9, update to Drupal 8.9.19.",
"Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.",
"Drupal 7 core does not include the QuickEdit module and therefore is not affected.",
"Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.9.19", ">=9,<9.1.13", ">=9.2,<9.2.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2021-008 - Access bypass",
CWEID: 284,
Description: "Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site. This vulnerability is mitigated by three factors: The JSON:API or REST File upload modules must be enabled on the site. An attacker must have access to a file upload via JSON:API or REST. The site must employ a file validation module. This advisory is not covered by Drupal Steward. Also see GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2021-029 which addresses a similar vulnerability for that module.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2021-008"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.2, update to Drupal 9.2.6.",
"If you are using Drupal 9.1, update to Drupal 9.1.13.",
"If you are using Drupal 8.9, update to Drupal 8.9.19.",
"Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.",
"Drupal 7 core is not affected.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.9.19", ">=9,<9.1.13", ">=9.2,<9.2.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2021-007 - Cross Site Request Forgery",
CWEID: 352,
Description: "The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the \"access in-place editing\" permission from untrusted users will not fully mitigate the vulnerability. This advisory is not covered by Drupal Steward.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2021-007"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.2, update to Drupal 9.2.6.",
"If you are using Drupal 9.1, update to Drupal 9.1.13.",
"If you are using Drupal 8.9, update to Drupal 8.9.19.",
"Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.",
"Drupal 7 core does not include the QuickEdit module and therefore is not affected.",
"Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.9.19", ">=9,<9.1.13", ">=9.2,<9.2.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2021-006 - Cross Site Request Forgery",
CWEID: 352,
Description: "The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting. This advisory is not covered by Drupal Steward. Also see Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028 which addresses a similar vulnerability for that module.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2021-006"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.2, update to Drupal 9.2.6.",
"If you are using Drupal 9.1, update to Drupal 9.1.13.",
"If you are using Drupal 8.9, update to Drupal 8.9.19.",
"Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.",
"Drupal 7 core is not affected.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.9.18", ">=9,<9.1.12", ">=9.2,<9.2.4"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2021-005 - Third-party libraries",
CWEID: 94,
Description: "The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access. ",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2021-005"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.2, update to Drupal 9.2.4 or newer.",
"If you are using Drupal 9.1, update to Drupal 9.1.12 or newer.",
"If you are using Drupal 8.9, update to Drupal 8.9.18 or newer.",
"Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.",
"Drupal 7 core is not affected, although Drupal 7, 8, and 9 site owners should review their site following the protocol for managing external libraries and plugins previously suggested by the Drupal Security Team, as contributed projects may use additional CKEditor plugins not packaged in Drupal core.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.82", ">=8,<8.9.17", ">=9,<9.1.11", ">=9.2,<9.2.2"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2021-004 - Third-party libraries",
CWEID: 59,
Description: "The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. The vulnerability is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks. Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2021-004"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.2, update to Drupal 9.2.2 or newer.",
"If you are using Drupal 9.1, update to Drupal 9.1.11 or newer.",
"If you are using Drupal 8.9, update to Drupal 8.9.17 or newer.",
"If you are using Drupal 7, update to Drupal 7.82 or newer.",
"Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.9.16", ">=9,<9.0.14", ">=9.1,<9.1.9"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2021-003 - Cross-site scripting",
CWEID: 79,
Description: "Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2021-003"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.1, update to Drupal 9.1.9 or newer.",
"If you are using Drupal 9.0, update to Drupal 9.0.14 or newer.",
"If you are using Drupal 8.9, update to Drupal 8.9.16 or newer.",
"Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.80", ">=8,<8.9.14", ">=9,<9.0.12", ">=9.1,<9.1.7"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2021-002 - Cross-site scripting",
CWEID: 79,
Description: "Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2021-002"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.1, update to Drupal 9.1.7 or newer.",
"If you are using Drupal 9.0, update to Drupal 9.0.12 or newer.",
"If you are using Drupal 8.9, update to Drupal 8.9.14 or newer.",
"If you are using Drupal 7, update to Drupal 7.80 or newer.",
"Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.78", ">=8,<8.9.13", ">=9,<9.0.11", ">=9.1,<9.1.3"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2021-001 - Third-party libraries",
CWEID: 200,
Description: "The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. For more information please see: CVE-2020-36193. Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2021-001"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.1, update to Drupal 9.1.3 or newer.",
"If you are using Drupal 9.0, update to Drupal 9.0.11 or newer.",
"If you are using Drupal 8.9, update to Drupal 8.9.13 or newer.",
"If you are using Drupal 7, update to Drupal 7.78 or newer.",
"Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.",
"Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the vulnerability.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.75", ">=8,<8.8.12", ">=8.9,<8.9.10", ">=9,<9.0.9"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-013 - Arbitrary PHP code execution",
CWEID: 200,
Description: "The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see: CVE-2020-28948 CVE-2020-28949. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2020-013"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.0, update to Drupal 9.0.9 or newer.",
"If you are using Drupal 8.9, update to Drupal 8.9.10 or newer.",
"If you are using Drupal 8.8 or earlier, update to Drupal 8.8.12 or newer.",
"If you are using Drupal 7, update to Drupal 7.75 or newer.",
"Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.",
"According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.74", ">=8,<8.8.11", ">=8.9,<8.9.9", ">=9,<9.0.8"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-012 - Remote code execution",
CWEID: 200,
Description: "Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2020-012"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 9.0, update to Drupal 9.0.8 or newer.",
"If you are using Drupal 8.9, update to Drupal 8.9.9 or newer.",
"If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11 or newer.",
"If you are using Drupal 7, update to Drupal 7.74 or newer.",
"Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.",
"Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore (_) in the extension. Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:",
"phar",
"php",
"pl",
"py",
"cgi",
"asp",
"js",
"html",
"htm",
"phtml",
"This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.8.10", ">=8.9,<8.9.6", ">=9,<9.0.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-011 - Information disclosure",
CWEID: 200,
Description: "A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2020-011"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 or newer.",
"If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 or newer.",
"If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 or newer.",
"Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.8.10", ">=8.9,<8.9.6", ">=9,<9.0.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-010 - Cross-site scripting",
CWEID: 79,
Description: "Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2020-010"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 or newer.",
"If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 or newer.",
"If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 or newer.",
"Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.8.10", ">=8.9,<8.9.6", ">=9,<9.0.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-009 - Cross-site scripting",
CWEID: 79,
Description: "Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances. An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2020-009"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 or newer.",
"If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 or newer.",
"If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 or newer.",
"Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.",
"In addition to updating Drupal core, sites that override \\Drupal\\Core\\Form\\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.8.10", ">=8.9,<8.9.6", ">=9,<9.0.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-008 - Access bypass",
CWEID: 276,
Description: "The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2020-008"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 or newer.",
"If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 or newer.",
"If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 or newer.",
"Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.",
"Once a site running Workspaces is upgraded, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.",
"If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.73", ">=8,<8.8.10", ">=8.9,<8.9.6", ">=9,<9.0.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-007 - Cross-site scripting",
CWEID: 79,
Description: "The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2020-007"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 7.x, upgrade to Drupal 7.73 or newer.",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 or newer.",
"If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 or newer.",
"If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 or newer.",
"Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.",
"If you were previously relying on Drupal's AJAX API to perform trusted JSONP requests, you'll either need to override the AJAX options to set \"jsonp: true\", or you'll need to use the jQuery AJAX API directly.",
"If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set \"jsonp: false\" where this is appropriate.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.8.8", ">=8.9,<8.9.1", ">=9,<9.0.1"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-006 - Access bypass",
CWEID: 77,
Description: "JSON:API PATCH requests may bypass validation for certain fields. By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.",
Score: report.SeverityThresholdLow,
References: []string{"https://www.drupal.org/sa-core-2020-006"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 or newer.",
"If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 or newer.",
"If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 or newer.",
"Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.8.8", ">=8.9,<8.9.1", ">=9,<9.0.1"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-005 - Arbitrary PHP code execution",
CWEID: 77,
Description: "Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2020-005"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 or newer.",
"If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 or newer.",
"If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 or newer.",
"Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.72", ">=8,<8.8.8", ">=8.9,<8.9.1", ">=9,<9.0.1"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-004 - Cross Site Request Forgery",
CWEID: 601,
Description: "The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2020-004"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 7.x, upgrade to Drupal 7.72 or newer.",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 or newer.",
"If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 or newer.",
"If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 or newer.",
"Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.70"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-003 - Open Redirect",
CWEID: 601,
Description: "Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function. Other versions of Drupal core are not vulnerable.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2020-003"},
Recommendations: []string{
"Install the latest version:",
"If you use Drupal 7.x upgrade to Drupal 7.70",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.70", ">=8,<8.7.14", ">=8.8,<8.8.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-002 - Cross Site Scripting",
CWEID: 79,
Description: "The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2020-002"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.8, upgrade to Drupal 8.8.6 or newer.",
"If you are using Drupal 8.7, upgrade to Drupal 8.7.14 or newer.",
"If you are using Drupal 7, upgrade to Drupal 7.70 or newer.",
"Versions of Drupal 8 prior to 8.7 are end-of-life and do not receive security coverage. Sites on 8.6 or earlier should update to 8.7.14.",
"The pre-release Drupal versions (8.9 and 9.0) have been updated jQuery to version 3.5.1 as of 8.9.0-beta3 and 9.0.0-beta3.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.7.12", ">=8.8,<8.8.4"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2020-001 - Third-party library",
CWEID: 79,
Description: "The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations. Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access. The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2020-001"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.4 or newer.",
"If you are using Drupal 8.7.x, upgrade to Drupal 8.7.12 or newer.",
"Versions of Drupal 8 prior to 8.7.x have reached end-of-life and do not receive security coverage.",
"The CKEditor module can also be disabled to mitigate the vulnerability until the site is updated.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.69", ">=8,<8.7.11", ">=8.8,<8.8.1"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-012 - Multiple vulnerabilities",
CWEID: 74,
Description: "The Drupal project uses the third-party library Archive_Tar, which has released a security improvement that is needed to protect some Drupal configurations. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them. The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2019-012"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 7.x, upgrade to Drupal 7.69 or newer.",
"If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 or newer.",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 or newer.",
"Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.7.11", ">=8.8,<8.8.1"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-011 - Access bypass",
CWEID: 79,
Description: "The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2019-011"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11 or newer.",
"If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1 or newer.",
"Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.",
"Alternatively, you may mitigate this vulnerability by unchecking the \"Enable advanced UI\" checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.7.11", ">=8.8,<8.8.1"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-010 - Multiple vulnerabilities",
CWEID: 79,
Description: "Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did. Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2019-010"},
Recommendations: []string{
"Install the latest version:",
"If you use Drupal core 8.7.x: 8.7.11 or newer.",
"If you use Drupal core 8.8.x: 8.8.1 or newer.",
"Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.7.11", ">=8.8,<8.8.1"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-009 - Denial of Service",
CWEID: 79,
Description: "A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2019-009"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 or newer.",
"If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 or newer.",
"Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.",
"To mitigate this issue in any version of Drupal 8, you can also block access to install.php if it's not required.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8.7.4,<8.7.5"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-008 - Access bypass",
CWEID: 284,
Description: "In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2019-008"},
Recommendations: []string{
"If the site is running Drupal 8.7.4, upgrade to Drupal 8.7.5.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.67", ">=8,<8.6.16", ">=8.7,<8.7.1"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-007 - Third-party libraries",
CWEID: 502,
Description: "This security release fixes third-party dependencies included in or required by Drupal core. TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor. The known vulnerability in Drupal core requires the \"administer themes\" permission. However, additional vulnerabilities may exist in contributed or custom modules, so site should still update even if they do not grant this permission.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2019-007"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.7, update to Drupal 8.7.1 or newer.",
"If you are using Drupal 8.6 or earlier, update to Drupal 8.6.16 or newer.",
"If you are using Drupal 7, update to Drupal 7.67 or newer.",
"Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.66", ">=8,<8.5.15", ">=8.6,<8.6.15"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-006 - Cross Site Scripting",
CWEID: 79,
Description: "The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. It's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2019-006"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.6, update to Drupal 8.6.15 or newer.",
"If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15 or newer.",
"If you are using Drupal 7, update to Drupal 7.66 or newer.",
"Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.5.15", ">=8.6,<8.6.15"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-005 - Multiple Vulnerabilities",
CWEID: 79,
Description: "CVE-2019-10909: Escape validation messages in the PHP templating engine. CVE-2019-10910: Check service IDs are valid. CVE-2019-10911: Add a separator in the remember me cookie hash.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2019-005"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8.6, update to Drupal 8.6.15 or newer.",
"If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15 or newer.",
"Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.65", ">=8,<8.5.14", ">=8.6,<8.6.13"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-004 - Cross Site Scripting",
CWEID: 79,
Description: "Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.",
Score: report.SeverityThresholdMedium,
References: []string{"https://www.drupal.org/sa-core-2019-004"},
Recommendations: []string{
"If you are using Drupal 8.6, update to Drupal 8.6.13 or newer.",
"If you are using Drupal 8.5 or earlier, update to Drupal 8.5.14 or newer.",
"If you are using Drupal 7, update to Drupal 7.65 or newer.",
"Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.5.11", ">=8.6,<8.6.10"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-003 - Remote Code Execution",
CWEID: 937,
Description: "Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.",
Score: report.SeverityThresholdCritical,
References: []string{"https://www.drupal.org/sa-core-2019-003"},
Recommendations: []string{
"If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10 or newer.",
"If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11 or newer.",
"Be sure to install any available security updates for contributed projects after updating Drupal core.",
"No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates, see https://www.drupal.org/security/contrib .",
"Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.62", ">=8,<8.5.9", ">=8.6,<8.6.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-002 - Arbitrary PHP code execution",
CWEID: 937,
Description: "A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2019-002"},
Recommendations: []string{
"If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6 or newer.",
"If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9 or newer.",
"If you are using Drupal 7.x, upgrade to Drupal 7.62 or newer.",
"Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.62", ">=8,<8.5.9", ">=8.6,<8.6.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2019-001 - Third Party Libraries",
CWEID: 937,
Description: "Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2019-001"},
Recommendations: []string{
"If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6 or newer.",
"If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9 or newer.",
"If you are using Drupal 7.x, upgrade to Drupal 7.62 or newer.",
"Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.60", ">=8,<8.5.8", ">=8.6,<8.6.2"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2018-006 - Multiple Vulnerabilities",
CWEID: 937,
Description: "Multiple vulnerabilities in both Drupal 7 and Drupal 8, one critical",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2018-006"},
Recommendations: []string{
"Upgrade to the most recent version of Drupal 7 or 8 core.",
"If you are running 7.x, upgrade to Drupal 7.60 or newer.",
"If you are running 8.6.x, upgrade to Drupal 8.6.2 or newer.",
"If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8 or newer.",
"Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.5.6"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2018-005 - 3rd-party libraries",
CWEID: 937,
Description: "If Symfony is used, path restrictions can be bypassed",
Score: report.SeverityThresholdLow,
References: []string{"https://www.drupal.org/sa-core-2018-005"},
Recommendations: []string{
"Upgrade to Drupal 8.5.6 or newer.",
"Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.59", ">=8,<8.4.8", ">=8.5,<8.5.3"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2018-004 - Remote Code Execution",
CWEID: 937,
Description: "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.",
Score: report.SeverityThresholdCritical,
References: []string{"https://www.drupal.org/sa-core-2018-004"},
Recommendations: []string{
"Upgrade to the most recent version of Drupal 7 or 8 core.",
"If you are running 7.x, upgrade to Drupal 7.59 or newer.",
"If you are running 8.5.x, upgrade to Drupal 8.5.3 or newer.",
"If you are running 8.4.x, upgrade to Drupal 8.4.8. (Drupal 8.4.x is no longer supported and we don't normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=8,<8.5.2"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2018-003 - Cross-Site Scripting",
CWEID: 937,
Description: "CKEditor, a third-party JavaScript library included in Drupal core, has a cross-site scripting (XSS) vulnerability. The vulnerability stems from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).",
Score: report.SeverityThresholdHigh,
References: []string{"https://www.drupal.org/sa-core-2018-003"},
Recommendations: []string{
"If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7 or newer.",
"The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.",
"If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{"<7.58", ">=8,<8.3.9", ">=8.4,<8.4.6", ">=8.5,<8.5.1"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2018-002 - Remote Code Execution",
CWEID: 937,
Description: "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.",
Score: report.SeverityThresholdCritical,
References: []string{"https://www.drupal.org/sa-core-2018-002"},
Recommendations: []string{
"Upgrade to the most recent version of Drupal 7 or 8 core.",
"If you are running 7.x, upgrade to Drupal 7.58 or newer.",
"If you are running 8.5.x, upgrade to Drupal 8.5.1 or newer.",
"Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.",
"Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.",
"If you are running 8.3.x, upgrade to Drupal 8.3.9 or newer.",
"If you are running 8.4.x, upgrade to Drupal 8.4.6 or newer.",
"This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.",
},
Labels: []string{"issue"},
},
},
drupalVulnerability{
Constraints: []string{">=7,<7.57", ">=8,<8.4.5"},
Vulnerability: report.Vulnerability{
Summary: "Drupal - SA-CORE-2018-001 - Multiple Vulnerabilities",
CWEID: 937,
Description: "Multiple critical vulnerabilities in both Drupal 7 and Drupal 8.",
Score: report.SeverityThresholdCritical,
References: []string{"https://www.drupal.org/sa-core-2018-001"},
Recommendations: []string{
"Install the latest version:",
"If you are using Drupal 8, upgrade to Drupal 8.4.5 or newer",
"If you are using Drupal 7, upgrade to Drupal 7.57 or newer",
},
Labels: []string{"issue"},
},
},
}
)