Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-ccc9-jgj7-hxc7: Drupal Cache Utility Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cache Utility allows Cross Site Request Forgery. This issue affects Cache Utility: from 0.0.0 before 1.2.1.

ghsa
#csrf#vulnerability#web#auth
GHSA-6chf-hhqf-749c: Drupal OAuth2 Client Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Drupal OAuth2 Client allows Cross Site Request Forgery. This issue affects OAuth2 Client: from 0.0.0 before 4.1.3.

GHSA-m9w8-wxvp-c9gv: Drupal Open Social Missing Authorization vulnerability

Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing. This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.

GHSA-9w85-x5hg-fr66: Drupal AI Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Drupal AI (Artificial Intelligence) allows Cross Site Request Forgery. This issue affects AI (Artificial Intelligence): from 1.0.0 before 1.0.2.

GHSA-c8q6-wp7v-46r9: Drupal AI Missing Authorization vulnerability

Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.3.

GHSA-m4wj-hhwj-47qp: Drupal Core Cross-Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.

GHSA-2qph-q8xw-gv7q: Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

GHSA-wpp8-fjgf-pwc7: Drupal Core Vulnerable to Forceful Browsing

Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

GHSA-qq4x-c6h6-rfxh: aws-cdk-lib has Insertion of Sensitive Information into Log File vulnerability when using Cognito UserPoolClient Construct

### Summary The [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/) is an open-source framework for defining cloud infrastructure using code. Customers use it to create their own applications which are converted to AWS CloudFormation templates during deployment to a customer’s AWS account. CDK contains pre-built components called "[constructs](https://docs.aws.amazon.com/cdk/v2/guide/constructs.html)" that are higher-level abstractions providing defaults and best practices. This approach enables developers to use familiar programming languages to define complex cloud infrastructure more efficiently than writing raw CloudFormation templates. The CDK [Cognito UserPool](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html) construct deploys an AWS cognito user pool. An [Amazon Cognito user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools.html) is a user directory for web and mobile app authentication and authorizat...

GHSA-pp64-wj43-xqcr: AWS SAM CLI Path Traversal allows file copy to local cache

### Summary The [AWS Serverless Application Model Command Line Interface (AWS SAM CLI)](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/using-sam-cli.html) is an open-source CLI tool that helps Lambda developers to build and develop Lambda applications locally on their computers using Docker. After completing a build with AWS SAM CLI which include symlinks, the content of those symlinks are copied to the cache of the local workspace as regular files or directories. As a result, a user who does not have access to those symlinks outside of the Docker container would now have access via the local workspace. Users should [upgrade to v1.134.0 or newer](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/manage-sam-cli-versions.html#manage-sam-cli-versions-upgrade) and ensure any forked or derivative code is patched to incorporate the new fixes. After upgrading, users must re-build their applications using the `sam build --use-cont...