Dor Tumarkin

**Name of the Vulnerable Software and Affected Versions** Drupal Core versions 8.8.x prior to 8.8.10 Drupal Core versions 8.9.x prior to 8.9.6 Drupal Core versions 9.0.x prior to 9.0.6 **Description** The issue is related to a Cross-site Scripting (XSS) vulnerability in the ckeditor of Drupal Core, allowing an attacker to inject XSS. This vulnerability can be exploited by a remote attacker to perform cross-site scripting attacks. **Recommendations** For Drupal Core versions 8.8.x prior to 8.8.10, update to version 8.8.10 or later. For Drupal Core versions 8.9.x prior to 8.9.6, update to version 8.9.6 or later. For Drupal Core versions 9.0.x prior to 9.0.6, update to version 9.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal Core (affected versions not specified) **Description** The issue is related to insufficient authentication of executed requests in the Drupal CMS system. It can be exploited by a remote attacker to execute arbitrary code. Additionally, there is a Cross Site Request Forgery vulnerability in the Drupal Core Form API, which does not properly handle certain form input from cross-site requests, potentially leading to other vulnerabilities. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Dubbo versions 2.5.x Apache Dubbo versions 2.6.0 through 2.6.7 Apache Dubbo versions 2.7.0 through 2.7.4 **Description** Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. **Recommendations** For Apache Dubbo versions 2.5.x, consider disabling HTTP remoting to prevent exploitation until a patch is available. For Apache Dubbo versions 2.6.0 through 2.6.7, consider disabling HTTP remoting to prevent exploitation until a patch is available. For Apache Dubbo versions 2.7.0 through 2.7.4, consider disabling HTTP remoting to prevent exploitation until a patch is available. As a temporary workaround, consider restricting access to the HTTP endpoint to minimize the risk of exploitation.