Not all applications have patching support. For a comprehensive list of our coverage, please refer to Which applications does Patchman detect and fix?

For plugin vulnerabilities, please see the companion page Why is plugin X not patched by Patchman?

We aim to fix all vulnerabilities found in our covered applications as soon as possible. However, there are a number of exceptions that we have decided not to support. This page documents these exceptions, with background on why no patches were created for these issues and why we consider it safe to leave them unaddressed.

WordPress

Preventing prototype pollution in Query String Modification and Creation for jQuery

Vulnerability details
Query String Modification and Creation for jQuery released version 2.2.3 containing 1 security fix for 1 vulnerability:

Affected versions
WordPress 3.6 - 5.9.1

Fix complications
This doesn’t concern a WordPress core vulnerability. If we patched this vulnerability, we would also affect projects other than WordPress that depend on this library. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

Update Lodash library to incorporate upstream security fixes

Vulnerability details
Several WordPress branches have updated their bundled Lodash library from 4.17.11, 4.17.15 or 4.17.19 to 4.17.21 to incorporate upstream security fixes. Multiple security issues have been fixed.

Affected versions
WordPress 5.8
WordPress 5.7 - 5.7.2
WordPress 5.6 - 5.6.4
WordPress 5.5 - 5.5.5
WordPress 5.4 - 5.4.6
WordPress 5.3 - 5.3.8
WordPress 5.0 - 5.2.11

Fix complications
This doesn’t concern WordPress core vulnerabilities. If we patched these vulnerabilities, we would also affect projects other than WordPress. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

External library getID3 vulnerable to XXE

Vulnerability details
WordPress bundles the getID3 library, which calls the PHP function simplexml_load_string() with the LIBXML_NOENT option set.

Used in this way, the parser resolves and loads external entities referenced from untrusted XML, which makes the application vulnerable to XXE (XML external entity) attacks. These can in turn enable other attacks such as cross-site scripting (XSS), remote file inclusion, or code injection.
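As an added illustration (not getID3’s, WordPress’s or Patchman’s code), the call pattern described above beside a hardened parser for untrusted XML; the sample document and the function names are constructed for this example:

```php
<?php
// Constructed input: an XML document that carries a DTD declaring an entity.
// An attacker-controlled document could declare the entity as SYSTEM (external),
// which is exactly what LIBXML_NOENT would resolve and load.
const UNTRUSTED_XML = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE meta [ <!ENTITY e "entity-content"> ]>
<meta><title>&e;</title></meta>
XML;

// Collect libxml errors instead of emitting PHP warnings while parsing.
libxml_use_internal_errors(true);

/**
 * Weak pattern (as described above): LIBXML_NOENT asks libxml to substitute
 * entities, which also turns on loading of external entities, even on libxml
 * versions that otherwise leave external entity loading off by default.
 */
function parseMetadataWeak(string $xml): ?SimpleXMLElement
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    libxml_clear_errors();
    return $doc === false ? null : $doc;
}

/** Check: metadata from an untrusted source has no business carrying a DTD. */
function declaresDtd(string $xml): bool
{
    return (bool) preg_match('/<!DOCTYPE\b/i', $xml);
}

/**
 * Hardened: reject any document with a DTD up front, never request entity
 * substitution, and forbid network access during parsing as a second layer.
 * On PHP < 8.0, libxml_disable_entity_loader(true) is a further layer; it was
 * deprecated in 8.0 because libxml >= 2.9 only loads external entities when a
 * flag such as LIBXML_NOENT asks for it.
 */
function parseMetadataHardened(string $xml): ?SimpleXMLElement
{
    if (declaresDtd($xml)) {
        return null;
    }
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    return $doc === false ? null : $doc;
}

$weak = parseMetadataWeak(UNTRUSTED_XML);
echo 'weak parser accepted the document: ', $weak !== null ? 'yes' : 'no', PHP_EOL;

$hard = parseMetadataHardened(UNTRUSTED_XML);
echo 'hardened parser accepted the document: ', $hard !== null ? 'yes' : 'no', PHP_EOL;
```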

Affected versions
WordPress 3.6 - 5.7

Fix complications
This doesn’t concern a WordPress core vulnerability. If we patched this vulnerability, we would also affect projects other than WordPress. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

FilteredIterator.php

Vulnerability details
An external library exposes a deserialization function for serialized request data, which is vulnerable to code execution through unsafe unserialization. Since this deserialization is not used, the patch simply disables it.

Affected versions
WordPress 4.6 - 5.5.1

Fix complications
The library itself has no versioning and is maintained by WordPress, but because other projects also use it, it is considered a non-core component.

This doesn’t concern a WordPress core vulnerability. If we patched this vulnerability, we would also affect projects other than WordPress. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

Joomla!

[20230102] Missing ACL checks for com_actionlogs

Vulnerability details
A missing ACL check allows users who are not super administrators to access com_actionlogs.

Affected versions
Joomla! 4.0.0 - 4.2.6

Fix complications
The fix introduces new files that have to be at a specific location. For security reasons, we intentionally limit Patchman to modifying existing files; it cannot create new ones. We would thus be unable to create these files.

Mitigating factors
N/A

[20221001] Disclosure of critical information in debug mode

Vulnerability details
Joomla! 4 sites with debug mode publicly enabled exposed data from previous requests.

Affected versions
Joomla! 4.0.0 - 4.2.3

Fix complications
The fix introduces new files that have to be at a specific location. For security reasons, we intentionally limit Patchman to modifying existing files; it cannot create new ones. We would thus be unable to create these files.

Mitigating factors
This vulnerability occurs only if debug mode is enabled publicly. Debug mode is not expected to be publicly enabled on production websites, which decreases the likelihood of this vulnerability being exploited.

[20220801] Multiple Full Path Disclosures because of missing '_JEXEC or die' check

Vulnerability details
Multiple full path disclosures because of a missing ‘_JEXEC or die’ check, caused by the PSR12 changes made in 4.2.0.

Affected versions
Joomla! 4.2.0

Fix complications
_JEXEC is a constant that is normally defined in the index.php file at the root of the Joomla! installation, and it serves as a marker that a file was reached through a secure entry point into Joomla!. However, index.php is also the file that developers most often modify when they tweak their CMS. Applying this patch could break websites on servers where index.php has been modified. Since we cannot guarantee that index.php is untouched on our users' servers, we cannot apply this patch safely.

Mitigating factors
During the PSR12 changes introduced in Joomla! 4.2.0, the ‘_JEXEC or die’ check was omitted from multiple files. When one of these files is requested directly by an end user, the code in it runs without a variable it expects, and the resulting PHP error discloses the full server path. This can only happen on servers where the .htaccess file is not properly configured to block direct access to these PHP files by end users. The access controls usually in place on a production server reduce the probability of this path disclosure to a minimum. In addition, this vulnerability only affects one Joomla! version, namely 4.2.0. All other versions are unaffected.

[20220309] XSS attack vector through SVG

Vulnerability details
Possible XSS attack vector through SVG embedding in com_media.

Affected versions
Joomla! 4.0.0 - 4.1.0

Fix complications
The fix introduces a new file that has to be at a specific location. Moreover, the new file is a third-party file installed as a Composer dependency. For security reasons, we intentionally limit Patchman to modifying existing files; it cannot create new ones. We would thus be unable to create this new file.

Mitigating factors
N/A

[20220304] Missing input validation within com_fields class inputs

Vulnerability details
Lack of input validation could allow an XSS attack using com_fields.

Affected versions
Joomla! 3.7.0 - 3.10.6

Fix complications
The fix introduces a new file that has to be at a specific location. For security reasons, we intentionally limit Patchman to modifying existing files; it cannot create new ones. We would thus be unable to create this new file.

Mitigating factors
N/A

[20210402] Inadequate filters on module layout settings

Vulnerability details
Inadequate filters on module layout settings could lead to LFI (Local File Inclusion).

Affected versions
Joomla! 2.5.0 - 3.9.25

Fix complications
The fix for this vulnerability consists of two separate, independent fixes. The security fix for ModuleHelper.php can be backported and is patched by Patchman.

However, the other fix adds a new regular expression for validating the module layout field value. The reason we can’t backport this security fix is exactly the same as for [20201103] Path traversal in mod_random_image below.

The Joomla! logic requires the file containing the regular expression to be added under this exact filename. Since Patchman cannot create files, we are unable to provide this fix.

Mitigating factors
The module that contains this feature is managed from the admin section. That means the attacker requires a functional user account with access to the admin section in order to exploit this.

[20201103] Path traversal in mod_random_image

Vulnerability details
The folder parameter of mod_random_image lacks input validation which could lead to a path traversal vulnerability.

Affected versions
Joomla! 2.5.0 - 3.9.22

Fix complications
The official fix for this problem (in the file modules/mod_random_image/mod_random_image.xml) would also require a change in a dependent file libraries/src/Form/Rule/FilePathRule.php. Unfortunately, this file does not exist in versions prior to 3.9.21.

Our product is designed to modify only files that our own signature set marks as vulnerable; we have intentionally limited our software so that it cannot modify arbitrary files, let alone create or delete them. In the vast majority of cases this doesn't matter: most vulnerabilities are fixed by adding new code to pre-existing files, and fixes that require new files are far less common. Unfortunately, this one is the exception.

Due to our self-imposed restrictions, we are unable to properly make this vulnerability patch available to our customers in a way that is compatible with all Joomla! versions.

Mitigating factors
The module that contains this feature is managed from the admin section. That means the attacker requires a functional user account with access to the admin section in order to exploit this.

[20200602] Inconsistent default textfilter

Vulnerability details
The default settings of the global "textfilter" configuration do not block HTML input for 'Guest' users. As of 3.9.19, the textfilter for new installations is set to 'No HTML' for the groups 'Public', 'Guest' and 'Registered'.

Affected versions
Joomla! 2.5.0 - 3.9.18

Fix complications
The fix introduces a new file that has to be at a specific location. For security reasons, we intentionally limit Patchman to modifying existing files; it cannot create new ones. We would thus be unable to create this new file.

Mitigating factors
The official patch only changes defaults, which only affects newly installed Joomla! sites. For existing sites, this patch would not change the required settings.

However, those settings can be changed manually to “No HTML” by site administrators through System -> Global -> Text Filters.

[20200604] XSS in jQuery.htmlPrefilter

Vulnerability details
jQuery released version 3.5.0 containing 2 security fixes for 2 vulnerabilities:

Affected versions
Joomla! 3.0.0 - 3.9.18

Fix complications
This doesn’t concern a Joomla! core vulnerability. If we patched this vulnerability, we would also affect projects other than Joomla!. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

[CVE-2015-8566] Remote code execution via php_var_unserialize

Vulnerability details
Several PHP bugs relating to unserialization functions (#70172 and #70219) were exploitable through the Joomla! Session Framework, allowing arbitrary remote code execution through specially forged requests.

Affected versions
Joomla! 1.5 - 3.4.6

Fix complications
The official fix for the problem released by the Joomla! Project modified the session serialization handlers of the Joomla! Session Framework (JSF). For code that uses the official API functions provided by the JSF this doesn't matter. However, many custom extensions access the session variables directly, and these would break after applying this update. Since Patchman only wants to provide fixes that do not break a website under any circumstances (regardless of which extensions are installed), this is a blocking problem for releasing the fix.

Mitigating factors
The vulnerability in PHP that allows the remote code execution was fixed in PHP versions 5.4.45, 5.5.29, 5.6.13 and 7. Several other sources also provided backported security fixes for PHP 5.3. If you are running a PHP version that is still under security support (official or third-party), the vulnerability has been patched in PHP itself and is no longer exploitable, regardless of the use of unserialization functions in Joomla!.

[20160803] Cross-site request forgery in com_joomlaupdate

Vulnerability details
The Joomla! Update Component does not perform CSRF token checks, allowing attackers to trick site administrators into triggering automatic Joomla! updates.

Affected versions
Joomla! 2.5.4 - 3.6.0

Fix complications
The official fix for the problem released by the Joomla! Project introduced checks on a new CSRF token, but also required such a token to be generated by the update migration path. Even for a regular update, this introduced complications (see this official announcement). It would be very complicated for us to backport this security fix while maintaining functional equivalence for older installations of the Joomla! Update Component.

Mitigating factors
The worst case this vulnerability allows is triggering an automatic update from an official upstream source. This may be bad for website owners, as it may break compatibility with themes and extensions, but it by no means allows malicious attacks such as spam or phishing site uploads (the kind of attacks Patchman prevents). From a server security standpoint, this vulnerability is harmless.

Drupal

[SA-CORE-2022-011] Third-party libraries

Vulnerability details
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update that may affect some Drupal sites.

This update contains the following security fixes:

Affected versions
Drupal 9.3.0 - 9.3.15
Drupal 9.0.0 - 9.2.20
Drupal 8.x

Fix complications
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

[SA-CORE-2022-010] Third-party libraries

Vulnerability details
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update that may affect some Drupal sites.

Guzzle released an update containing the following security fixes:

Affected versions
Drupal 9.3.0 - 9.3.13
Drupal 9.0.0 - 9.2.19
Drupal 8.x

Fix complications
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

[SA-CORE-2022-006] Third-party libraries

Vulnerability details
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update that may affect some Drupal sites.

Guzzle released an update containing the following security fixes:

Affected versions
Drupal 9.3.0 - 9.3.9
Drupal 9.0.0 - 9.2.16
Drupal 8.x

Fix complications
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

[SA-CORE-2022-005] Third-party libraries

Vulnerability details
Drupal core uses the third-party CKEditor library for WYSIWYG editing. A vulnerability was discovered in the CKEditor 4 HTML processing core module that allowed malformed HTML to be injected, bypassing content sanitization, which could result in JavaScript execution. Another vulnerability, in CKEditor 4 dialogs, allowed an attacker to abuse a dialog input validator regular expression, which could cause a significant performance drop and freeze the browser tab. Both affect all users of CKEditor 4 versions below 4.18.0. Drupal included these fixes in SA-CORE-2022-005.

CKEditor released 4.18 containing the following security fixes:

Affected versions
Drupal 9.3.0 - 9.3.7
Drupal 9.0.0 - 9.2.14
Drupal 8.x

Fix complications
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

[SA-CORE-2022-001] [SA-CORE-2022-002] Cross Site Scripting

Vulnerability details
jQuery UI released version 1.13.0 containing the following security fixes:

Drupal included these fixes in:

Affected versions
Drupal 9.0.0 - 9.3.2
Drupal 7.0.0 - 7.86

Fix complications
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

[SA-CORE-2021-011] Cross Site Scripting

Vulnerability details
Drupal core uses the third-party CKEditor library for WYSIWYG editing. When capable of creating or editing content, an attacker could exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with or without access to the WYSIWYG CKEditor. These vulnerabilities affect CKEditor 4.16.2 and older.

Affected versions
Drupal 9.2.0 - 9.2.8
Drupal 9.1.0 - 9.1.13
Drupal 9.0.0 - 9.0.14
Drupal 8.0.0 - 8.9.19

Fix complications
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
Vulnerabilities are only possible if an attacker has create or edit content rights and Drupal is configured to allow use of the CKEditor library for WYSIWYG editing.

[SA-CORE-2021-005] Third party libraries

Vulnerability details
Drupal core uses the third-party CKEditor library for WYSIWYG editing. When capable of creating or editing content, an attacker could exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor. This vulnerability affects CKEditor 4.16.1 and older.

Affected versions
Drupal 9.2.0 - 9.2.3
Drupal 9.1.0 - 9.1.11
Drupal 9.0.0 - 9.0.14
Drupal 8.0.0 - 8.9.17

Fix complications
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
Vulnerabilities are only possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing.

[SA-CORE-2021-004] Third party libraries (8.x and 9.x branches only)

Vulnerability details
The Drupal project uses the PEAR Archive_Tar library, which released a security update.

Affected versions
Drupal 9.2.0 - 9.2.1
Drupal 9.0.0 - 9.1.10
Drupal 8.0.0 - 8.9.16
Drupal 7.0 - 7.81 (see the note for Drupal 7.x below)

Fix complications (Drupal 8 and 9)
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
Exploitation was only possible if contributed or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) that come from a potentially untrusted source.

Note for Drupal 7.x
The vulnerability is patchable for affected versions in the 7.x branch (Drupal 7.0 - 7.81) because this branch includes a copy of the library which is specific to Drupal, and thus can be safely patched without risking modification to unrelated applications.

[SA-CORE-2021-003] Cross Site Scripting

Vulnerability details
Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. This vulnerability affects CKEditor 4.16.0 and older.

Affected versions
Drupal 9.1.0 - 9.1.8
Drupal 9.0.0 - 9.0.13
Drupal 8.0.0 - 8.9.15

Fix complications
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
This only affects sites with CKEditor enabled.

[SA-CORE-2021-001] Third party libraries

Vulnerability details
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:

Drupal included these fixes in SA-CORE-2021-001.

Affected versions
Drupal 9.1.0 - 9.1.2
Drupal 9.0.0 - 9.0.10
Drupal 8.0.0 - 8.9.12
Drupal 7.0 - 7.77

Fix complications
This doesn’t concern a Drupal core vulnerability, but a library that is installed through the Composer package manager. Introducing the official change in a Composer file alone would therefore not do anything to fix this problem.

As we currently do not offer patching support for the PEAR Archive_Tar library, this vulnerability in the library itself is out of scope.

Mitigating factors
The vulnerability is only exploitable if Drupal is configured so that untrusted users are allowed to upload files with the extensions .tar, .tar.gz, .bz2 or .tlz.

[SA-CORE-2020-013] Arbitrary PHP code execution

Vulnerability details
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:

Drupal included these fixes in SA-CORE-2020-013.

Affected versions
Drupal 9.0.0 - 9.0.8
Drupal 8.9.0 - 8.9.9
Drupal 8.0.0 - 8.8.11
Drupal 7.0 - 7.74

Fix complications
This doesn’t concern a Drupal core vulnerability, but a library that is installed through the Composer package manager. Introducing the official change in a Composer file alone would therefore not do anything to fix this problem.

As we currently do not offer patching support for the PEAR Archive_Tar library, this vulnerability in the library itself is out of scope.

Mitigating factors
The vulnerability is only exploitable if Drupal is configured so that untrusted users are allowed to upload files with the extensions .tar, .tar.gz, .bz2 or .tlz.

[SA-CORE-2020-002] Cross Site Scripting

Vulnerability details
jQuery released version 3.5.0 containing 2 security fixes for 2 vulnerabilities:

Drupal included these fixes in SA-CORE-2020-002.

Affected versions
Drupal 8.8.0 - 8.8.5
Drupal 8.0.0 - 8.7.13
Drupal 7.0 - 7.69

Fix complications
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A

[SA-CORE-2020-001] Third party libraries

Vulnerability details
The Drupal project uses the third-party library CKEditor. That library released a security improvement in order to protect some Drupal configurations. Drupal included these fixes in SA-CORE-2020-001.

Affected versions
Drupal 8.8.0 - 8.8.3
Drupal 8.0.0 - 8.7.11

Fix complications
This doesn’t concern a Drupal core vulnerability. If we patched this vulnerability, we would also affect projects other than Drupal. We want to avoid that, because we can’t guarantee that those other projects will be compatible with our changes to the code.

Mitigating factors
N/A