Drupal is an open-source content management system. More than a million sites run on Drupal, from personal blogs to the sites of companies, political parties and government organizations.
Release cycle, vulnerability information
Release schedule
Count: 1 988
| Vulnerability | Title / description | CVSS3 | EPSS | Published |
|---|---|---|---|---|
| GHSA-f2wf-25xc-69c9 | Failure to strip the Cookie header on change in host or HTTP downgrade | 7.5 | 1% Low | more than 3 years ago |
| GHSA-w248-ffj2-4v5q | Fix failure to strip Authorization header on HTTP downgrade | 7.5 | 1% Low | more than 3 years ago |
| CVE-2022-29248 | Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware. | 8 | 1% Low | more than 3 years ago |
| GHSA-cwmx-hcrq-mhc3 | Cross-domain cookie leakage in Guzzle | 8 | 1% Low | more than 3 years ago |
| GHSA-qf2g-mrrx-rr5p | Drupal Core Cross-site scripting vulnerability | 6.1 | 0% Low | more than 3 years ago |
| GHSA-m648-hpf8-qcjw | Drupal Core Cross-Site Request Forgery (CSRF) vulnerability | 8.8 | 0% Low | more than 3 years ago |
| GHSA-x2q9-r8gm-f657 | Drupal Core Access bypass vulnerability | 5.3 | 0% Low | more than 3 years ago |
| GHSA-8jj2-x2gc-ggm7 | Drupal Core Cross-site scripting vulnerability | 6.1 | 1% Low | more than 3 years ago |