Catch

**Name of the Vulnerable Software and Affected Versions** Drupal core versions 8.9.0 through 10.4.9 Drupal core versions 10.5.0 through 10.5.9 Drupal core versions 10.6.0 through 10.6.8 Drupal core versions 11.0.0 through 11.1.9 Drupal core versions 11.2.0 through 11.2.11 Drupal core versions 11.3.0 through 11.3.9 **Description** An unauthenticated SQL injection flaw exists in the database abstraction API of Drupal core, specifically within the PostgreSQL `EntityQuery` condition handler. The issue occurs when attacker-controlled PHP associative array keys, such as `filter[...][condition][value][malicious key]`, are concatenated directly into SQL identifiers without proper sanitization. This allows remote anonymous users to execute arbitrary SQL commands on sites using PostgreSQL databases. Successful exploitation can lead to full database access, exfiltration of sensitive data and session tokens, privilege escalation to Administrator, and potentially remote code execution (RCE) if database permissions are misconfigured (e.g., allowing `COPY FROM PROGRAM`). This flaw has been actively exploited in the wild, with over 15,000 attack probes detected against approximately 6,000 sites across 65 countries, primarily targeting gaming and financial services. **Recommendations** Update to version 10.4.10 for versions prior to 10.4.10. Update to version 10.5.10 for versions prior to 10.5.10. Update to version 10.6.9 for versions prior to 10.6.9. Update to version 11.1.10 for versions prior to 11.1.10. Update to version 11.2.12 for versions prior to 11.2.12. Update to version 11.3.10 for versions prior to 11.3.10. Restrict user roles that have the ability to update Twig templates via Views or contributed modules. Route production traffic through a Web Application Firewall (WAF) to filter malicious nested array payload signatures as a temporary mitigation. Review PostgreSQL and WAF logs for unusual anonymous user queries or structural query modifications.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 8.0.0 through 10.4.9 Drupal versions 10.5.0 through 10.5.6 Drupal versions 11.0.0 through 11.1.9 Drupal versions 11.2.0 through 11.2.8 **Description** An improper check for unusual or exceptional conditions exists in Drupal core, allowing for forceful browsing. This issue impacts the software's ability to handle unexpected input or situations, potentially leading to unauthorized access or information disclosure. **Recommendations** Update Drupal core to version 10.4.9 or later. Update Drupal core to version 10.5.6 or later. Update Drupal core to version 11.1.9 or later. Update Drupal core to version 11.2.8 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 8.0.0 through 10.4.9 Drupal versions 10.5.0 through 10.5.6 Drupal versions 11.0.0 through 11.1.9 Drupal versions 11.2.0 through 11.2.8 **Description** A flaw exists in Drupal core related to the use of a web browser cache that can contain sensitive information. This is due to incorrectly configured access control security levels. **Recommendations** Update Drupal core to version 10.4.9 or later. Update Drupal core to version 10.5.6 or later. Update Drupal core to version 11.1.9 or later. Update Drupal core to version 11.2.8 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 8.0.0 through 10.4.9 Drupal versions 10.5.0 through 10.5.6 Drupal versions 11.0.0 through 11.1.9 Drupal versions 11.2.0 through 11.2.7 **Description** Drupal core contains an improperly controlled modification of dynamically-determined object attributes, leading to Object Injection. This allows for potential manipulation of objects within the system. **Recommendations** Update Drupal core to version 10.4.9 or later. Update Drupal core to version 10.5.6 or later. Update Drupal core to version 11.1.9 or later. Update Drupal core to version 11.2.8 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 8.0.0 through 10.4.9 Drupal versions 10.5.0 through 10.5.6 Drupal versions 11.0.0 through 11.1.9 Drupal versions 11.2.0 through 11.2.8 **Description** A flaw exists in Drupal core that allows for content spoofing through a user interface misrepresentation of critical information. This issue impacts the display of content within the application. **Recommendations** Update Drupal core to version 10.4.9 or later. Update Drupal core to version 10.5.6 or later. Update Drupal core to version 11.1.9 or later. Update Drupal core to version 11.2.8 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal core versions 8.0.0 through 10.3.12 Drupal core versions 10.4.0 through 10.4.2 Drupal core versions 11.0.0 through 11.0.11 Drupal core versions 11.1.0 through 11.1.2 **Description** The issue affects Drupal core, allowing Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation. **Recommendations** For versions 8.0.0 through 10.3.12, update to version 10.3.13 or later. For versions 10.4.0 through 10.4.2, update to version 10.4.3 or later. For versions 11.0.0 through 11.0.11, update to version 11.0.12 or later. For versions 11.1.0 through 11.1.2, update to version 11.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Ignition Error Pages versions 0.0.0 through 1.0.3 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS), in Drupal Ignition Error Pages. This allows for Cross-Site Scripting (XSS) attacks. **Recommendations** For Ignition Error Pages versions 0.0.0 through 1.0.3, update to version 1.0.4 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Intel SGX (affected versions not specified) Description: The issue is a side-channel timing attack against Intel SGX enclaves, which can lead to the complete compromise of Trusted Execution Environment (TEE) attestation. A proof of concept (PoC) has demonstrated key extraction in less than 4 seconds. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Opigno group manager versions 0.0.0 through 3.1.1 **Description** The issue is related to the improper neutralization of directives in statically saved code, also known as 'static code injection', which allows for PHP Local File Inclusion in the Opigno group manager. **Recommendations** For Opigno group manager versions 0.0.0 through 3.1.1, update to a version newer than 3.1.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CKEditor 4 LTS - WYSIWYG HTML editor versions 1.0.0 through 1.0.0 **Description** The issue is related to improper neutralization of input during web page generation, allowing Cross-Site Scripting (XSS). This enables attackers to inject malicious scripts into websites, potentially leading to unauthorized access or control. **Recommendations** For CKEditor 4 LTS - WYSIWYG HTML editor version 1.0.0, update to version 1.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Opigno TinCan Question Type versions 7.X-1.0 through 7.X-1.2 **Description** The issue is related to improper neutralization of directives in statically saved code, also known as 'Static Code Injection', which allows PHP Local File Inclusion. This can potentially be exploited to access sensitive files on the server. **Recommendations** For Opigno TinCan Question Type versions 7.X-1.0 through 7.X-1.2, update to version 7.X-1.3 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Drupal Core versions 8.8.0 through 10.2.11 Drupal Core versions 10.3.0 through 10.3.9 Drupal Core versions 11.0.0 through 11.0.8 Description: The issue is related to insufficient protection of the web page structure, allowing an attacker to conduct a cross-site scripting (XSS) attack. This is due to improper neutralization of input during web page generation, which enables cross-site scripting. The problem affects Drupal Core, allowing attackers to exploit this flaw and leading to XSS. Recommendations: For Drupal Core versions 8.8.0 through 10.2.11, update to version 10.2.11 or later. For Drupal Core versions 10.3.0 through 10.3.9, update to version 10.3.9 or later. For Drupal Core versions 11.0.0 through 11.0.8, update to version 11.0.8 or later. As a temporary workaround, consider restricting the use of JavaScript to render status messages in certain cases and configurations to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Drupal Core versions 10.0.0 through 10.2.9 Description: A vulnerability in Drupal Core allows file manipulation. This issue is related to weaknesses in handling error situations, which could allow a remote attacker to impact the integrity of protected information. Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system, potentially allowing a malicious user to take down a site. The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur. Recommendations: For Drupal Core versions 10.0.0 through 10.2.9, update to version 10.2.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the CKEditor 5 module to minimize the risk of exploitation. Avoid using the module for image uploads until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Drupal Opigno versions 7.X-1.0 through 7.X-1.23 **Description** The issue is related to improper neutralization of directives in statically saved code, also known as 'Static Code Injection', which allows PHP Local File Inclusion. This can be exploited by a remote attacker to execute arbitrary code. **Recommendations** For versions 7.X-1.0 through 7.X-1.23, update to version 7.X-1.23 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Opigno module versions 0.0.0 through 3.1.2 **Description** The issue is related to improper neutralization of directives in statically saved code, also known as 'Static Code Injection', which can lead to PHP Local File Inclusion. This allows a remote attacker to execute arbitrary code. **Recommendations** For Opigno module versions 0.0.0 through 3.1.2, update to version 3.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Opigno module until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Opigno Learning path versions 0.0.0 through 3.1.2 **Description** The issue is related to improper neutralization of directives in statically saved code, also known as 'static code injection', which allows for PHP Local File Inclusion. This can enable a remote attacker to execute arbitrary code. The vulnerability is associated with errors in input data processing during code syntax analysis. **Recommendations** For Opigno Learning path versions 0.0.0 through 3.1.2, update to a version newer than 3.1.2 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.