VYPR

Drupal Core

by Drupal

CVEs (52)

  • CVE-2017-6924 | High | Jan 15, 2019
    risk 0.48 | cvss 7.4 | epss 0.02

    In Drupal 8 prior to 8.3.7, when using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest)…

  • CVE-2024-55634 | High | Dec 10, 2024
    risk 0.46 | cvss 8.1 | epss 0.00

    A vulnerability in Drupal Core allows Privilege Escalation. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

  • CVE-2019-6338 | High | Jan 22, 2019
    risk 0.45 | cvss 8.0 | epss 0.02

    In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.

  • CVE-2017-6923 | Medium | Jan 22, 2019
    risk 0.42 | cvss 6.5 | epss 0.02

    In Drupal 8.x prior to 8.3.7, when creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access…

  • CVE-2017-6922 | Medium | Jan 22, 2019
    risk 0.42 | cvss 6.5 | epss 0.02

    In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56, private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users.…

  • CVE-2017-6931 | Medium | Mar 1, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    In Drupal 8.4.x versions before 8.4.5, the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks…

  • CVE-2025-3057 | Medium | Mar 31, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from…

  • CVE-2024-55635 | Medium | Dec 10, 2024
    risk 0.40 | cvss 6.1 | epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 7.0 before 7.102.

  • CVE-2020-13688 | Medium | Jun 11, 2021
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X…

  • CVE-2020-13662 | Medium | May 5, 2021
    risk 0.40 | cvss 6.1 | epss 0.01

    Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Core 7 version 7.70 and prior versions.

  • CVE-2020-13666 | Medium | May 5, 2021
    risk 0.40 | cvss 6.1 | epss 0.03

    Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions…

  • CVE-2017-6929 | Medium | Mar 1, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal…

  • CVE-2017-6927 | Medium | Mar 1, 2018
    risk 0.40 | cvss 6.1 | epss 0.02

    Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This…

  • CVE-2024-11942 | Medium | Dec 5, 2024
    risk 0.38 | cvss 5.9 | epss 0.00

    A vulnerability in Drupal Core allows File Manipulation. This issue affects Drupal Core: from 10.0.0 before 10.2.10.

  • CVE-2017-6921 | Medium | Jan 15, 2019
    risk 0.38 | cvss 5.9 | epss 0.02

    In Drupal 8 prior to 8.3.4, the file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an…

  • CVE-2026-6366 | Medium | May 19, 2026
    risk 0.36 | cvss 6.6 | epss 0.00

    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

  • CVE-2020-13667 | Medium | May 17, 2021
    risk 0.35 | cvss 5.3 | epss 0.01

    Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be…

  • CVE-2017-6928 | Medium | Mar 1, 2018
    risk 0.35 | cvss 5.3 | epss 0.01

    In Drupal core 7.x versions before 7.57, when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to…

  • CVE-2026-6367 | Medium | May 19, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.

  • CVE-2026-6365 | Medium | May 19, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from…