Drupal is an open-source content management system. More than a million sites run on Drupal, from personal blogs to the sites of companies, political parties and government organizations.
Release cycle, vulnerability information
Release schedule
Count: 1,975
Vulnerability | CVSS | EPSS | Published
---|---|---|---
CVE-2022-29248 Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware. | CVSS3: 8 | 0% Low | about 3 years ago
GHSA-cwmx-hcrq-mhc3 Cross-domain cookie leakage in Guzzle | CVSS3: 8 | 0% Low | about 3 years ago
GHSA-qf2g-mrrx-rr5p Drupal Core Cross-site scripting vulnerability | CVSS3: 6.1 | 0% Low | about 3 years ago
GHSA-m648-hpf8-qcjw Drupal Core Cross-Site Request Forgery (CSRF) vulnerability | CVSS3: 8.8 | 0% Low | about 3 years ago
GHSA-x2q9-r8gm-f657 Drupal Core Access bypass vulnerability | CVSS3: 5.3 | 0% Low | about 3 years ago
GHSA-8jj2-x2gc-ggm7 Drupal Core Cross-site scripting vulnerability | CVSS3: 6.1 | 0% Low | about 3 years ago
GHSA-wxqp-jwc9-g39x Drupal Core Access bypass vulnerability | CVSS3: 9.8 | 1% Low | about 3 years ago
GHSA-x72f-ggjw-v5xh Drupal Core Arbitrary PHP code execution vulnerability | CVSS3: 8.8 | 1% Low | about 3 years ago
GHSA-gjqg-9rhv-qj67 Drupal Core Open Redirect vulnerability | CVSS3: 6.1 | 1% Low | about 3 years ago