Vulnerabilities related to file_entity_project - file_entity
CVE-2024-13276 (GCVE-0-2024-13276)
Vulnerability from cvelistv5
Published
2025-01-09 19:28
Modified
2025-01-10 16:34
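Severity: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, scored by CISA-ADP; the Drupal advisory title rates the issue "Moderately critical")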
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in Drupal File Entity (fieldable files) allows Forceful Browsing. This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.39.
References
- https://www.drupal.org/sa-contrib-2024-040
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | File Entity (fieldable files) | 7.x-* < 7.x-2.39 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-13276", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-10T16:33:50.519475Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-10T16:34:18.557Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://www.drupal.org/project/file_entity", "defaultStatus": "unaffected", "product": "File Entity (fieldable files)", "repo": "https://git.drupalcode.org/project/file_entity", "vendor": "Drupal", "versions": [ { "lessThan": "7.x-2.39", "status": "affected", "version": "7.x-*", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Devin Zuczek" }, { "lang": "en", "type": "remediation developer", "value": "Devin Zuczek" }, { "lang": "en", "type": "remediation developer", "value": "Joseph Olstad" }, { "lang": "en", "type": "coordinator", "value": "Greg Knaddison" }, { "lang": "en", "type": "coordinator", "value": "Damien McKenna" }, { "lang": "en", "type": "coordinator", "value": "Juraj Nemec" } ], "datePublic": "2024-09-11T16:38:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Drupal File Entity (fieldable files) allows Forceful Browsing.\u003cp\u003eThis issue affects File Entity (fieldable files): from 7.X-* 
before 7.X-2.39.\u003c/p\u003e" } ], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Drupal File Entity (fieldable files) allows Forceful Browsing.This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.39." } ], "impacts": [ { "capecId": "CAPEC-87", "descriptions": [ { "lang": "en", "value": "CAPEC-87 Forceful Browsing" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-201", "description": "CWE-201 Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-09T19:28:40.601Z", "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal" }, "references": [ { "url": "https://www.drupal.org/sa-contrib-2024-040" } ], "source": { "discovery": "UNKNOWN" }, "title": "File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "cveId": "CVE-2024-13276", "datePublished": "2025-01-09T19:28:40.601Z", "dateReserved": "2025-01-09T18:28:11.554Z", "dateUpdated": "2025-01-10T16:34:18.557Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-13237 (GCVE-0-2024-13237)
Vulnerability from cvelistv5
Published
2025-01-09 18:15
Modified
2025-01-09 20:58
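Severity: 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, scored by CISA-ADP; the Drupal advisory title rates the issue "Moderately critical")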
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS). This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38.
References
- https://www.drupal.org/sa-contrib-2024-001
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | File Entity (fieldable files) | 7.x-* < 7.x-2.38 (the record's `lessThan` bound; the rendered row had dropped it) |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-13237", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-09T20:53:06.354787Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-09T20:58:24.055Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://www.drupal.org/project/file_entity", "defaultStatus": "unaffected", "product": "File Entity (fieldable files)", "repo": "https://git.drupalcode.org/project/file_entity", "vendor": "Drupal", "versions": [ { "lessThan": "7.x-2.38", "status": "affected", "version": "7.x-*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Caroline Boyden" }, { "lang": "en", "type": "remediation developer", "value": "Joseph Olstad" }, { "lang": "en", "type": "remediation developer", "value": "Sascha Grossenbacher" }, { "lang": "en", "type": "remediation developer", "value": "Caroline Boyden" }, { "lang": "en", "type": "coordinator", "value": "Damien McKenna" }, { "lang": "en", "type": "coordinator", "value": "Greg Knaddison" } ], "datePublic": "2024-01-10T17:01:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting 
(XSS).\u003cp\u003eThis issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38.\u003c/p\u003e" } ], "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS).This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38." } ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-09T18:15:23.691Z", "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal" }, "references": [ { "url": "https://www.drupal.org/sa-contrib-2024-001" } ], "source": { "discovery": "UNKNOWN" }, "title": "File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "cveId": "CVE-2024-13237", "datePublished": "2025-01-09T18:15:23.691Z", "dateReserved": "2025-01-09T18:04:48.927Z", "dateUpdated": "2025-01-09T20:58:24.055Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-13237
Vulnerability from fkie_nvd
Published
2025-01-09 19:15
Modified
2025-06-04 16:31
Severity: 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N; Secondary metric from CISA-ADP)
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS). This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38.
References
▼ | URL | Tags | |
---|---|---|---|
mlhess@drupal.org | https://www.drupal.org/sa-contrib-2024-001 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
file_entity_project | file_entity | * (cpeMatch range: 7.x-2.0 ≤ version < 7.x-2.38) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:file_entity_project:file_entity:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "8B5354A0-E0A8-4182-A874-90331DEEBEE4", "versionEndExcluding": "7.x-2.38", "versionStartIncluding": "7.x-2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal File Entity (fieldable files) allows Cross-Site Scripting (XSS).This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.38." }, { "lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\u0027Cross-site Scripting\u0027) en Drupal File Entity (archivos que se pueden filtrar) permite la ejecuci\u00f3n de Cross Site Scripting (XSS). Este problema afecta a File Entity (archivos que se pueden filtrar): desde 7.X-* hasta 7.X-2.38." 
} ], "id": "CVE-2024-13237", "lastModified": "2025-06-04T16:31:52.380", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-01-09T19:15:17.437", "references": [ { "source": "mlhess@drupal.org", "tags": [ "Vendor Advisory" ], "url": "https://www.drupal.org/sa-contrib-2024-001" } ], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "mlhess@drupal.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2024-13276
Vulnerability from fkie_nvd
Published
2025-01-09 20:15
Modified
2025-09-02 18:29
Severity: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N; Secondary metric from CISA-ADP)
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in Drupal File Entity (fieldable files) allows Forceful Browsing. This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.39.
References
▼ | URL | Tags | |
---|---|---|---|
mlhess@drupal.org | https://www.drupal.org/sa-contrib-2024-040 | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
file_entity_project | file_entity | * (cpeMatch range: version < 7.x-2.39) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:file_entity_project:file_entity:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "2F2F8C58-566B-4219-BB61-6838520BFEEE", "versionEndExcluding": "7.x-2.39", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Drupal File Entity (fieldable files) allows Forceful Browsing.This issue affects File Entity (fieldable files): from 7.X-* before 7.X-2.39." }, { "lang": "es", "value": "La vulnerabilidad de inserci\u00f3n de informaci\u00f3n confidencial en datos enviados en Drupal File Entity (archivos que se pueden clasificar en campos) permite una navegaci\u00f3n forzada. Este problema afecta a File Entity (archivos que se pueden clasificar en campos): desde 7.X-* antes de 7.X-2.39." } ], "id": "CVE-2024-13276", "lastModified": "2025-09-02T18:29:20.593", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-01-09T20:15:36.487", "references": [ { "source": "mlhess@drupal.org", "tags": [ "Third Party Advisory" ], "url": "https://www.drupal.org/sa-contrib-2024-040" } ], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-201" } ], "source": "mlhess@drupal.org", "type": "Secondary" } ] }