Security Audit v2.0.16

Language
- English
- Français
Login / Register

prod

Drupal 11

25 vulnerabilities has been found

0 abandonned packages has been found

Last analyse : 13 hours ago

No result.

25 vulnerabilities has been found

#	Total	C	H	M	L
Composer	25	0	5	8	12	0

Composer

3 twig/twig —— v3.10.3 +

high Twig has a possible sandbox bypass

Affected versions : >=3.0.0,<3.14.0|>=2.0.0,<2.16.1|>=1.0.0,<1.44.8
Patched versions : 1.44.8 2.16.1 3.14.0
https://github.com/advisories/GHSA-6j75-5wfj-gh66

Reported 9/9/24

CVE-2024-45411

low Unguarded calls to __isset() and to array-accesses when the sandbox is enabled

Affected versions : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1
Patched versions : 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled

Reported 11/6/24

CVE-2024-51755

low Unguarded calls to __toString() when nesting an object into an array

Reported 11/6/24

CVE-2024-51754

13 drupal/core —— 11.0.1 +

high Drupal core contains a potential PHP Object Injection vulnerability

Affected versions : >=11.0.0,<11.0.8|>=10.3.0,<10.3.9|>=8.8.0,<10.2.11
Patched versions : 10.2.11 10.3.9 11.0.8 10.2.11 10.3.9 11.0.8 10.2.11 10.3.9 11.0.8
https://github.com/advisories/GHSA-w6rx-9g2x-mg5g

Reported 12/10/24

CVE-2024-55637

medium Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability

Affected versions : >=11.1.0,<11.1.3|>=11.0.0,<11.0.12|>=10.4.0,<10.4.3|>=8.0.0,<10.3.13
Patched versions : 10.3.13 10.4.3 11.0.12 11.1.3
https://github.com/advisories/GHSA-2qph-q8xw-gv7q

Reported 4/1/25

CVE-2025-31674

medium Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages

Reported 4/1/25

CVE-2025-3057

medium Drupal Core Vulnerable to Forceful Browsing

Reported 4/1/25

CVE-2025-31673

medium Drupal core Access bypass

Affected versions : >=11.0.0,<11.0.8|>=10.3.0,<10.3.9|>=8.0.0,<10.2.11
Patched versions : 10.2.11 10.3.9 11.0.8 10.2.11 10.3.9 11.0.8 10.2.11 10.3.9 11.0.8
https://github.com/advisories/GHSA-7cwc-fjqm-8vh8

Reported 12/10/24

CVE-2024-55634

medium Drupal core allows Object Injection

Affected versions : >=11.2.0,<11.2.8|>=11.0.0,<11.1.9|>=10.5.0,<10.5.6|>=8.0.0,<10.4.9
Patched versions : 10.4.9 10.5.6 11.1.9 11.2.8
https://github.com/advisories/GHSA-m6vv-vcj8-w8m7

Reported 11/18/25

CVE-2025-13081

medium Drupal Core Cross-Site Scripting (XSS)

Reported 12/10/24

CVE-2024-12393

low Drupal Core Cross-Site Scripting (XSS) Vulnerability

Affected versions : >=11.1.0,<11.1.5|>=11.0.0,<11.0.13|>=10.4.0,<10.4.5|>=8.0.0,<10.3.14
Patched versions : 10.3.14 10.4.5 11.0.13 11.1.5
https://github.com/advisories/GHSA-m4wj-hhwj-47qp

Reported 4/1/25

CVE-2025-31675

low Drupal core allows Forceful Browsing

Affected versions : >=11.2.0,<11.2.8|>=11.0.0,<11.1.9|>=10.5.0,<10.5.6|>=8.0.0,<10.4.9
Patched versions : 10.4.9 10.5.6 11.1.9 11.2.8
https://github.com/advisories/GHSA-83v7-c2cf-p9c2

Reported 11/18/25

CVE-2025-13080

low Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels

Affected versions : >=11.2.0,<11.2.8|>=11.0.0,<11.1.9|>=10.5.0,<10.5.6|>=8.0.0,<10.4.9
Patched versions : 10.4.9 10.5.6 11.1.9 11.2.8
https://github.com/advisories/GHSA-mhpg-hpj5-73r2

Reported 11/18/25

CVE-2025-13083

low Drupal core allows Content Spoofing

Affected versions : >=11.2.0,<11.2.8|>=11.0.0,<11.1.9|>=10.5.0,<10.5.6|>=8.0.0,<10.4.9
Patched versions : 10.4.9 10.5.6 11.1.9 11.2.8
https://github.com/advisories/GHSA-h89p-5896-f4q8

Reported 11/18/25

CVE-2025-13082

low Drupal core contains a potential PHP Object Injection vulnerability

Reported 12/10/24

CVE-2024-55636

low Drupal Full Path Disclosure

Affected versions : >=8.0.0,<=11.0.4
Patched versions :
https://github.com/advisories/GHSA-mg8j-w93w-xjgc

Reported 8/29/24

CVE-2024-45440

5 drupal/core-recommended —— 11.0.1 +

high Drupal core contains a potential PHP Object Injection vulnerability

Reported 12/10/24

CVE-2024-55637

medium Drupal Core Cross-Site Scripting (XSS)

Reported 12/10/24

CVE-2024-12393

medium Drupal core Access bypass

Reported 12/10/24

CVE-2024-55634

low Drupal Full Path Disclosure

Affected versions : >=8.0.0,<=11.0.4
Patched versions :
https://github.com/advisories/GHSA-mg8j-w93w-xjgc

Reported 8/29/24

CVE-2024-45440

low Drupal core contains a potential PHP Object Injection vulnerability

Reported 12/10/24

CVE-2024-55636

2 symfony/http-foundation —— v7.1.3 +

high CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass

Affected versions : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.50|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.29|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.3.7
Patched versions : 5.4.50 6.4.29 7.3.7 5.4.50 6.4.29 7.3.7
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass

Reported 11/12/25

CVE-2025-64500

low CVE-2024-50345: Open redirect via browser-sanitized URLs

Affected versions : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7
Patched versions : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50345

Reported 11/5/24

CVE-2024-50345

1 symfony/process —— v7.1.3 +

high CVE-2024-51736: Command execution hijack on Windows with Process class

Reported 11/5/24

CVE-2024-51736

1 symfony/validator —— v7.1.3 +

low CVE-2024-50343: Incorrect response from Validator when input ends with ` `

Affected versions : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4
Patched versions : 5.4.43 6.4.11 7.1.4 5.4.43 6.4.11 7.1.4
https://symfony.com/cve-2024-50343

Reported 8/30/24

CVE-2024-50343

Badge

[![Vulnerabilities](https://audit.security.code-rhapsodie.fr/badge/01915a71-4001-750d-ad7c-c98dcadce439?type=vulnerabilities)](https://audit.security.code-rhapsodie.fr/en/project/01915a71-4001-750d-ad7c-c98dcadce439)

[![Vulnerabilities](https://audit.security.code-rhapsodie.fr/badge/01915a71-4001-750d-ad7c-c98dcadce439?type=vulnerabilities&version=little)](https://audit.security.code-rhapsodie.fr/en/project/01915a71-4001-750d-ad7c-c98dcadce439)

[![Abandonned](https://audit.security.code-rhapsodie.fr/badge/01915a71-4001-750d-ad7c-c98dcadce439?type=abandonned)](https://audit.security.code-rhapsodie.fr/en/project/01915a71-4001-750d-ad7c-c98dcadce439)

[![Abandonned](https://audit.security.code-rhapsodie.fr/badge/01915a71-4001-750d-ad7c-c98dcadce439?type=abandonned&version=little)](https://audit.security.code-rhapsodie.fr/en/project/01915a71-4001-750d-ad7c-c98dcadce439)