VYPR

Packagist (Composer) package

drupal/core

pkg:composer/drupal/core

Vulnerabilities (91)

  • CVE-2020-13664HigMay 5, 2021
    affected >= 8.8.0, < 8.8.8fixed 8.8.8

    Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker c

  • CVE-2020-13662MedMay 5, 2021
    affected >= 7.0.0, < 7.70fixed 7.70

    Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions.

  • CVE-2020-13666MedMay 5, 2021
    affected >= 8.8.0, < 8.8.10fixed 8.8.10

    Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior

  • CVE-2020-13671HigKEVNov 20, 2020
    affected >= 9.0.0, < 9.0.8fixed 9.0.8

    Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 ver

  • CVE-2011-2715CriJan 14, 2020

    An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.

  • CVE-2011-2714MedJan 14, 2020

    A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.

  • CVE-2019-10909MedMay 16, 2019
    affected >= 8.0.0, < 8.5.15fixed 8.5.15

    In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

  • CVE-2019-11831CriMay 9, 2019
    affected >= 7.0.0, < 7.67.0fixed 7.67.0

    The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

  • CVE-2019-6341MedMar 26, 2019
    affected >= 7.0.0, < 7.65.0fixed 7.65.0

    In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

  • CVE-2019-6340HigKEVFeb 21, 2019
    affected >= 8.6.0, < 8.6.10fixed 8.6.10

    Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has

  • CVE-2019-6339CriJan 22, 2019
    affected >= 7.0.0, < 7.62.0fixed 7.62.0

    In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) m

  • CVE-2017-6923MedJan 22, 2019
    affected >= 8.0, < 8.3.7fixed 8.3.7

    In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access re

  • CVE-2017-6922MedJan 22, 2019
    affected >= 7.0, < 7.56fixed 7.56

    In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Dr

  • CVE-2017-6921MedJan 15, 2019
    affected >= 8.0, < 8.3.4fixed 8.3.4

    In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an a

  • CVE-2017-6924HigJan 15, 2019
    affected >= 8.0, < 8.3.7fixed 8.3.7

    In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) modu

  • CVE-2017-6925CriJan 15, 2019
    affected >= 8.0, < 8.3.7fixed 8.3.7

    In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access

  • CVE-2017-6920CriAug 6, 2018
    affected >= 8.0, < 8.3.4fixed 8.3.4

    Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.

  • CVE-2018-7602CriKEVJul 19, 2018
    affected >= 7.0, < 7.59fixed 7.59

    A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - H

  • CVE-2018-9861MedApr 19, 2018
    affected >= 8.5.0, < 8.5.2fixed 8.5.2

    Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script t

  • CVE-2018-7600CriKEVMar 29, 2018
    affected >= 7.0, < 7.58fixed 7.58

    Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.