Vendor CVEs
Drupal
All CVEs
1,207 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13663 | | | 0.00 | — | 0.01 | | Jun 11, 2021 | Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. |
| CVE-2020-13667 | | | 0.00 | — | 0.01 | | May 17, 2021 | Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be… |
| CVE-2020-13664 | | | 0.00 | — | 0.03 | | May 5, 2021 | Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker… |
| CVE-2020-13662 | | | 0.00 | — | 0.01 | | May 5, 2021 | Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions. |
| CVE-2020-13665 | | | 0.00 | — | 0.01 | | May 5, 2021 | Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions… |
| CVE-2020-13666 | | | 0.00 | — | 0.03 | | May 5, 2021 | Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions… |
| CVE-2021-24131 | | | 0.00 | — | 0.01 | | Mar 18, 2021 | Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, leads to multiple authenticated SQL injection vulnerabilities; however, it requires a high-privilege user (admin+). |
| CVE-2017-20001 | | | 0.00 | — | 0.00 | | Dec 31, 2020 | The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20001 | | | 0.00 | — | 0.01 | | Dec 31, 2020 | The REST/JSON project 7.x-1.x for Drupal allows node access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20002 | | | 0.00 | — | 0.01 | | Dec 31, 2020 | The REST/JSON project 7.x-1.x for Drupal allows comment access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20003 | | | 0.00 | — | 0.01 | | Dec 31, 2020 | The REST/JSON project 7.x-1.x for Drupal allows user enumeration, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20004 | | | 0.00 | — | 0.01 | | Dec 31, 2020 | The REST/JSON project 7.x-1.x for Drupal allows field access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20005 | | | 0.00 | — | 0.01 | | Dec 31, 2020 | The REST/JSON project 7.x-1.x for Drupal allows user registration bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20006 | | | 0.00 | — | 0.01 | | Dec 31, 2020 | The REST/JSON project 7.x-1.x for Drupal allows blockage of user logins, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20007 | | | 0.00 | — | 0.01 | | Dec 31, 2020 | The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2016-20008 | | | 0.00 | — | 0.01 | | Dec 31, 2020 | The REST/JSON project 7.x-1.x for Drupal allows session enumeration, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy. |
| CVE-2019-6342 | | | 0.00 | — | 0.02 | | May 28, 2020 | An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. |
| CVE-2017-18669 | | | 0.00 | — | 0.00 | | Apr 7, 2020 | An issue was discovered on Samsung mobile devices with N(7.x) software. Persona has an unprotected API that allows launch of any activity with system privileges. The Samsung ID is SVE-2017-9000 (June 2017). |
| CVE-2013-4227 | | | 0.00 | — | 0.01 | | Feb 18, 2020 | Cross-site request forgery (CSRF) vulnerability in the persona_xsrf_token function in persona.module in the Mozilla Persona module 7.x-1.x before 7.x-1.11 for Drupal allows remote attackers to hijack the authentication of arbitrary users via a security token that is not a… |
| CVE-2014-8338 | | | 0.00 | — | 0.01 | | Jan 31, 2020 | Cross-site scripting (XSS) vulnerability in vwrooms/js/jsor-jcarousel/examples/special_textscroller.php in the VideoWhisper Webcam plugins for Drupal 7.x allows remote attackers to inject arbitrary web script or HTML via a URL to a crafted SVG file in the feed parameter. |
| CVE-2013-4187 | | | 0.00 | — | 0.01 | | Jan 30, 2020 | The Flippy module 7.x-1.x before 7.x-1.2 for Drupal does not properly restrict access to nodes, which allows remote authenticated users with the permission to access content to read a link or alias to a restricted node. |
| CVE-2019-19826 | | | 0.00 | — | 0.02 | | Dec 16, 2019 | The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion. Code… |
| CVE-2012-2079 | | | 0.00 | — | 0.00 | | Nov 21, 2019 | A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal. |
| CVE-2012-2078 | | | 0.00 | — | 0.01 | | Nov 21, 2019 | Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal. |
| CVE-2012-1637 | | | 0.00 | — | 0.01 | | Nov 21, 2019 | Cross-site scripting (XSS) vulnerability in the Quick Tabs module 6.x-2.x before 6.x-2.1, 6.x-3.x before 6.x-3.1, and 7.x-3.x before 7.x-3.3 for Drupal. |
| CVE-2011-2726 | | | 0.00 | — | 0.02 | | Nov 15, 2019 | An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent… |
| CVE-2013-4275 | | | 0.00 | — | 0.01 | | Nov 13, 2019 | Cross-site scripting (XSS) vulnerability in the zen_breadcrumb function in template.php in the Zen theme 6.x-1.x, 7.x-3.x before 7.x-3.2, and 7.x-5.x before 7.x-5.4 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web… |
| CVE-2010-2473 | | | 0.00 | — | 0.01 | | Nov 7, 2019 | Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. |
| CVE-2010-2472 | | | 0.00 | — | 0.01 | | Nov 7, 2019 | Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly, which could allow an attacker to perform a cross-site scripting (XSS) attack. This… |
| CVE-2010-2250 | | | 0.00 | — | 0.01 | | Nov 7, 2019 | Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation, which could allow an attacker to craft a URL and perform a cross-site scripting attack. |
| CVE-2010-2471 | | | 0.00 | — | 0.01 | | Nov 6, 2019 | Drupal versions 5.x and 6.x have an open redirection issue. |
| CVE-2019-14352 | | | 0.00 | — | 0.01 | | Jul 28, 2019 | In Joget Workflow 6.0.20, CSV Injection, also known as Formula Injection, exists, as demonstrated by jw/web/userview/crm_community/crm_userview_sales/_/account_new with the Account ID or Account Name field. NOTE: the vendor disputes the relevance of this finding because CSV is… |
| CVE-2019-6341 | | | 0.00 | — | 0.12 | | Mar 26, 2019 | In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. |
| CVE-2017-6923 | | | 0.00 | — | 0.02 | | Jan 22, 2019 | In Drupal 8.x prior to 8.3.7: when creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access… |
| CVE-2019-6338 | | | 0.00 | — | 0.02 | | Jan 22, 2019 | In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details. |
| CVE-2017-6922 | | | 0.00 | — | 0.02 | | Jan 22, 2019 | In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users.… |
| CVE-2019-6339 | | | 0.00 | — | 0.33 | | Jan 22, 2019 | In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom)… |
| CVE-2017-6921 | | | 0.00 | — | 0.02 | | Jan 15, 2019 | In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an… |
| CVE-2017-6924 | | | 0.00 | — | 0.02 | | Jan 15, 2019 | In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest)… |
| CVE-2017-6925 | | | 0.00 | — | 0.03 | | Jan 15, 2019 | In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different… |
| CVE-2015-8602 | | | 0.00 | — | 0.01 | | Dec 17, 2015 | The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which… |
| CVE-2015-8233 | | | 0.00 | — | 0.01 | | Nov 17, 2015 | Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.6 for Drupal allows remote administrators with the "Administer themes" permission to inject arbitrary web script or HTML via unspecified vectors related to theme settings. |
| CVE-2015-8232 | | | 0.00 | — | 0.01 | | Nov 17, 2015 | The UC Profile module 6.x-1.x before 6.x-1.3 for Drupal does not properly check access to profiles in certain circumstances, which might allow remote attackers to obtain sensitive information from the anonymous user profile via unspecified vectors. |
| CVE-2015-8095 | | | 0.00 | — | 0.01 | | Nov 9, 2015 | The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern. |
| CVE-2015-7881 | | | 0.00 | — | 0.01 | | Oct 26, 2015 | The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via unspecified vectors, possibly related to a link in a comment. |
| CVE-2015-7876 | | | 0.00 | — | 0.02 | | Oct 21, 2015 | The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands via vectors involving a module using the db_like… |
| CVE-2015-7234 | | | 0.00 | — | 0.02 | | Sep 17, 2015 | The OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontology and OSF Import modules are enabled, allows user-assisted remote attackers to delete arbitrary files via unspecified vectors. |
| CVE-2015-7233 | | | 0.00 | — | 0.01 | | Sep 17, 2015 | Cross-site request forgery (CSRF) vulnerability in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Import module is enabled, allows remote attackers to hijack the authentication of administrators for requests that create new OSF datasets via unspecified vectors. |
| CVE-2015-7232 | | | 0.00 | — | 0.01 | | Sep 17, 2015 | Cross-site scripting (XSS) vulnerability in unspecified administration pages in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontology module is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2015-7231 | | | 0.00 | — | 0.01 | | Sep 17, 2015 | The Commerce Commonwealth (CBA) module 7.x-1.x before 7.x-1.5 for Drupal does not properly validate payments, which allows remote attackers to make a failed payment appear valid via a crafted URL, related to a "response from commweb." |
Page 7 of 25