The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Drupal Core

vulnerability CVE-2019-10909 CVE-2019-11358

jQuery, Symfony: Cross Site Scripting via templates

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, Grafana, IBM API Connect, Joomla Extensions ~ not comprehensive, openSUSE Leap, Red Hat SSO, SLES, Symfony, Synology DSM, TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10909, CVE-2019-11358, DLA-1777-1, DLA-1777-2, DLA-1778-1, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4434-1, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, openSUSE-SU-2019:1839-1, openSUSE-SU-2019:1872-1, RHSA-2019:1456-01, Synology-SA-19:19, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-29070.

Description of the vulnerability

Symfony's PHP templating engine did not escape form validation messages before inserting them into the rendered page (CVE-2019-10909), so attacker-controlled content that ends up in a validation message is rendered as HTML and can run JavaScript code in the context of the web site. The same bulletin covers the jQuery Object.prototype pollution issue, CVE-2019-11358, which has its own entry on this page.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2019-10911

Symfony, Drupal: privilege escalation via the "remember me" cookie

Synthesis of the vulnerability

An attacker can bypass restrictions via the "remember me" cookie of Symfony or Drupal, in order to escalate privileges.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, Symfony, Synology DSM.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: internet client.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10911, DLA-1778-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, Synology-SA-19:19, VIGILANCE-VUL-29065.

Description of the vulnerability

The "remember me" cookie is authenticated with an HMAC computed over the user class, username, expiry time and password hash concatenated without any delimiter. Because the field boundaries are not encoded, different combinations of field values can yield the same authenticated string, so the hash does not reliably bind the cookie to one specific user and expiry. Symfony's fix inserts a delimiter between the fields; Drupal 8 bundles the affected Symfony components.

vulnerability note CVE-2019-10910

Symfony, Drupal: code execution via service IDs

Synthesis of the vulnerability

An attacker can use a vulnerability via service IDs of Symfony or Drupal, in order to run code.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, Symfony, Synology DSM.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10910, DLA-1778-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, Synology-SA-19:19, VIGILANCE-VUL-29064.

Description of the vulnerability

Service IDs derived from unfiltered user input were passed to the Symfony dependency-injection container without validation, so an attacker controlling such an ID could cause arbitrary code to be executed (CVE-2019-10910). Drupal 8 bundles the affected Symfony components.

vulnerability CVE-2019-11358

jQuery Core: privilege escalation via Object.prototype Pollution

Synthesis of the vulnerability

An attacker can bypass restrictions via Object.prototype Pollution of jQuery Core, in order to escalate privileges.
Impacted products: Debian, Drupal Core, eZ Platform, Fedora, jQuery Core, SnapCenter Backup Management, openSUSE Leap, Oracle Communications, WebLogic, RabbitMQ, Red Hat SSO, SLES, Synology DSM, Telerik.Web.UI.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: document.
Creation date: 11/04/2019.
Identifiers: cpujul2019, CVE-2019-11358, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4460-1, EZSA-2019-005, FEDORA-2019-2a0ce0c58c, FEDORA-2019-a06dffab1c, FEDORA-2019-f563e66380, NTAP-20190919-0001, openSUSE-SU-2019:1839-1, openSUSE-SU-2019:1872-1, RHSA-2019:1456-01, Synology-SA-19:19, VIGILANCE-VUL-29030.

Description of the vulnerability

Before jQuery 3.4.0, jQuery.extend(true, ...) deep-merges a source property named "__proto__" into Object.prototype instead of treating it as an ordinary key, so attacker-controlled JSON passed through the merge adds properties to every object in the page. Whether that leads to privilege escalation depends on what the application later reads from those objects (for example an authorization flag it expects to be absent unless explicitly set).
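The following added example (written for this page, not jQuery's source) re-implements in a few lines the deep-merge pattern jQuery.extend(true, ...) used before 3.4.0, shows how a JSON document carrying a "__proto__" key pollutes Object.prototype, and places beside it a merge with the check jQuery 3.4.0 introduced. The attacker JSON and the defaults being merged are constructed inputs.

```javascript
'use strict';

// Illustrative re-implementation of the deep-merge pattern jQuery.extend(true, ...)
// used before 3.4.0. Not jQuery's source; it reproduces only the behaviour that matters
// here: recursing into target[name] for every plain-object property of the source.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  if (Object.prototype.toString.call(v) !== '[object Object]') return false;
  const proto = Object.getPrototypeOf(v);
  // Like jQuery, treat prototype-less objects (Object.prototype itself included) as plain.
  return proto === null || proto === Object.prototype;
}

function deepMergeVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      // For name === "__proto__", target[name] is Object.prototype, so the recursion
      // below writes the attacker's keys onto the prototype shared by every object.
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepMergeVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened form, mirroring the check jQuery 3.4.0 added: skip a key literally named
// __proto__, and never merge an object into itself.
function deepMergeHardened(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === '__proto__' || copy === target) continue;
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepMergeHardened(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input. JSON.parse creates an *own* property named "__proto__",
// which for..in enumerates; an object literal would instead set the prototype.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

// Merge attacker-controlled options into defaults with the given merge function and
// report whether a fresh, unrelated object now carries isAdmin.
function pollutesPrototype(merge) {
  const userOptions = JSON.parse(ATTACKER_JSON);
  merge({ theme: 'light' }, userOptions);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution so the rest of the process is unaffected
  return polluted;
}

// The hardened merge still does its job for ordinary nested input.
function mergedDefaults() {
  const defaults = { ui: { theme: 'light', dense: false } };
  const user = JSON.parse('{"ui": {"dense": true}, "lang": "en"}');
  return JSON.stringify(deepMergeHardened(defaults, user));
}

console.log('vulnerable merge pollutes:', pollutesPrototype(deepMergeVulnerable)); // true
console.log('hardened merge pollutes:  ', pollutesPrototype(deepMergeHardened));   // false
console.log('hardened merge result:    ', mergedDefaults());
```

The skipped key is the whole fix: once "__proto__" is never used as a property name during the merge, target["__proto__"] is never resolved, and Object.prototype is never reached. Applications that merge untrusted JSON should also prefer Object.create(null) targets or Map where the key space is attacker-controlled.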

computer vulnerability alert CVE-2019-6341

Drupal Core: Cross Site Scripting via File Module/Subsystem

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, I-Connect, Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2019.
Identifiers: CVE-2019-6341, DLA-1746-1, DRUPAL-SA-CORE-2019-004, DSA-4412-1, FEDORA-2019-2fbce03df3, FEDORA-2019-35589cfcb5, ibm10879443, Synology-SA-19:13, VIGILANCE-VUL-28786, ZDI-19-291.

Description of the vulnerability

The File module/subsystem is part of Drupal Core.

However, under certain circumstances it allows a user to upload a file that can trigger cross-site scripting when the file is later accessed, because the served content is not adequately filtered.

An attacker can therefore trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.

computer vulnerability note CVE-2019-6339

Drupal Core: code execution via Phar Stream Wrapper

Synthesis of the vulnerability

An attacker can use a vulnerability via Phar Stream Wrapper of Drupal Core, in order to run code.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 17/01/2019.
Identifiers: CERTFR-2019-AVI-027, CVE-2019-6339, DLA-1659-1, DRUPAL-SA-CORE-2019-001, DRUPAL-SA-CORE-2019-002, DSA-4370-1, FEDORA-2019-0c1d62bf5b, FEDORA-2019-82df33e428, VIGILANCE-VUL-28299, ZDI-19-130.

Description of the vulnerability

PHP's built-in phar:// stream wrapper can execute code when file operations are performed on an untrusted phar:// URI, and Drupal Core performed such operations on paths under user influence. An authenticated user able to supply such a path (provenance: user account) can therefore have code executed on the server. Drupal's fix intercepts the phar stream wrapper so that only trusted phar archives are processed.

vulnerability 27570

Drupal Core: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 3/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 18/10/2018.
Identifiers: CERTFR-2018-AVI-501, DLA-1550-1, DRUPAL-SA-CORE-2018-006, DSA-4323-1, FEDORA-2018-18023f40fa, FEDORA-2018-d3f4eb1f9f, VIGILANCE-VUL-27570.

Description of the vulnerability

An attacker can use several vulnerabilities of Drupal Core.

vulnerability note CVE-2018-14773

Symfony: information disclosure via X-Original-URL / X-Rewrite-URL

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via X-Original-URL / X-Rewrite-URL of Symfony, in order to obtain sensitive information.
Impacted products: Debian, Drupal Core, Fedora, Symfony.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 02/08/2018.
Identifiers: CERTFR-2018-AVI-370, CVE-2018-14773, DLA-1707-1, DRUPAL-SA-CORE-2018-005, DSA-4441-1, FEDORA-2018-4deae442f2, FEDORA-2018-6f3ceeb7cb, FEDORA-2018-732f45d43e, FEDORA-2018-7f43cbdb69, FEDORA-2018-9b54497b6e, FEDORA-2018-9c38d1dc1d, VIGILANCE-VUL-26884.

Description of the vulnerability

Symfony's HttpFoundation component honoured the X-Original-URL and X-Rewrite-URL request headers when computing the request path. A client that can set these headers, and whose front web server or proxy does not strip them, can make the application route a request to a path different from the one that front layer inspected, bypassing URL-based access rules enforced there. Symfony's fix removed support for these headers; Drupal 8 bundles the affected component.
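As an added example (not Symfony's or Drupal's code), the following models the two-layer deployment this bulletin concerns: a front layer that enforces a URL rule on the request line, and an application whose path resolution either honours X-Original-URL / X-Rewrite-URL (the pre-fix behaviour) or ignores them (the fix). The request objects, the /admin rule and the handler names are constructed for the demonstration.

```javascript
'use strict';

// Minimal request shape for the demonstration (constructed, not a framework object):
// url is the request-line target; headers use lower-cased names, as Node's http module
// presents them.
function pathOnly(target) {
  return target.split('?')[0];
}

// Pre-fix behaviour: an X-Original-URL or X-Rewrite-URL header, if present, replaces
// the request line as the effective request path.
function pathInfoVulnerable(req) {
  const h = req.headers || {};
  if (h['x-original-url']) return pathOnly(h['x-original-url']);
  if (h['x-rewrite-url']) return pathOnly(h['x-rewrite-url']);
  return pathOnly(req.url);
}

// Post-fix behaviour: the request line alone determines the path; the headers are ignored.
function pathInfoHardened(req) {
  return pathOnly(req.url);
}

// A front layer (web server or proxy rule) that denies /admin based on the request line.
// It never looks at the override headers, which is exactly what creates the gap.
function edgeAllows(req) {
  return !pathOnly(req.url).startsWith('/admin');
}

// Application routing: which handler does the resolved path reach?
function route(path) {
  return path.startsWith('/admin') ? 'admin-handler' : 'public-handler';
}

// Full flow: edge check on the request line, then application routing on pathInfo.
function dispatch(req, pathInfo) {
  if (!edgeAllows(req)) return 'blocked-at-edge';
  return route(pathInfo(req));
}

// Constructed attacker request: innocuous request line, overriding header.
const ATTACK_REQUEST = {
  url: '/profile',
  headers: { 'x-original-url': '/admin/users' },
};

// Constructed direct request for comparison: the edge blocks it in both versions.
const DIRECT_ADMIN_REQUEST = { url: '/admin/users', headers: {} };

function outcomeVulnerable() { return dispatch(ATTACK_REQUEST, pathInfoVulnerable); }
function outcomeHardened() { return dispatch(ATTACK_REQUEST, pathInfoHardened); }
function outcomeDirect() { return dispatch(DIRECT_ADMIN_REQUEST, pathInfoVulnerable); }

console.log('vulnerable:', outcomeVulnerable()); // admin-handler
console.log('hardened:  ', outcomeHardened());   // public-handler
console.log('direct:    ', outcomeDirect());     // blocked-at-edge
```

The two layers disagree about which path is being requested only in the vulnerable version; the fix restores the invariant that every component in the request path makes its decision on the same URL. Deployments that cannot upgrade immediately can close the same gap by stripping these headers at the front layer.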

computer vulnerability note 25929

Drupal Core: Cross Site Scripting via CKEditor

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via CKEditor of Drupal Core, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/04/2018.
Identifiers: CERTFR-2018-AVI-193, DRUPAL-SA-CORE-2018-003, VIGILANCE-VUL-25929.

Description of the vulnerability

Drupal Core bundles the CKEditor library, and Drupal 8 uses its image2 (Enhanced Image) plugin.

However, the CKEditor image2 plugin did not properly filter its input before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via CKEditor of Drupal Core, in order to run JavaScript code in the context of the web site.

computer vulnerability alert CVE-2017-6926 CVE-2017-6927 CVE-2017-6928

Drupal Core: seven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 2/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 22/02/2018.
Identifiers: CERTFR-2018-AVI-099, CVE-2017-6926, CVE-2017-6927, CVE-2017-6928, CVE-2017-6929, CVE-2017-6930, CVE-2017-6931, CVE-2017-6932, DLA-1295-1, DRUPAL-SA-CORE-2018-001, DSA-4123-1, FEDORA-2018-143886fdbd, FEDORA-2018-d8269e4262, VIGILANCE-VUL-25346.

Description of the vulnerability

An attacker can use several vulnerabilities of Drupal Core.