Filtered by vendor Drupal
Subscribe
Total
833 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-6342 | 1 Drupal | 1 Drupal | 2023-12-10 | 6.8 MEDIUM | 9.8 CRITICAL |
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. | |||||
CVE-2020-11022 | 8 Debian, Drupal, Fedoraproject and 5 more | 78 Debian Linux, Drupal, Fedora and 75 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | |||||
CVE-2020-11023 | 7 Debian, Drupal, Fedoraproject and 4 more | 55 Debian Linux, Drupal, Fedora and 52 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | |||||
CVE-2019-19826 | 1 Drupal | 1 Views Dynamic Field | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion. Code execution might also be possible. | |||||
CVE-2011-2726 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL. | |||||
CVE-2010-2250 | 1 Drupal | 1 Drupal | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. | |||||
CVE-2010-2472 | 1 Drupal | 1 Drupal | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. | |||||
CVE-2011-2715 | 1 Drupal | 2 Data, Drupal | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. | |||||
CVE-2020-9281 | 4 Ckeditor, Drupal, Fedoraproject and 1 more | 11 Ckeditor, Drupal, Fedora and 8 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). | |||||
CVE-2011-2714 | 1 Drupal | 2 Data, Drupal | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. | |||||
CVE-2010-2473 | 1 Drupal | 1 Drupal | 2023-12-10 | 3.5 LOW | 6.5 MEDIUM |
Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. | |||||
CVE-2012-1637 | 1 Drupal | 1 Quick Tabs | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
Cross-site scripting vulnerability (XSS) in the Quick Tabs module 6.x-2.x before 6.x-2.1, 6.x-3.x before 6.x-3.1, and 7.x-3.x before 7.x-3.3 for Drupal. | |||||
CVE-2010-2471 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
Drupal versions 5.x and 6.x has open redirection | |||||
CVE-2011-3373 | 1 Drupal | 1 Views Builk Operations | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Drupal Views Builk Operations (VBO) module 6.x-1.0 through 6.x-1.10 does not properly escape the vocabulary help when the vocabulary has had user tagging enabled and the "Modify node taxonomy terms" action is used. A remote attacker could provide a specially-crafted URL that could lead to cross-site scripting (XSS) attack. | |||||
CVE-2019-18856 | 1 Drupal | 1 Svg Sanitizer | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled. | |||||
CVE-2012-2078 | 1 Drupal | 1 Activity | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal. | |||||
CVE-2013-4226 | 1 Drupal | 1 Authenticated User Page Caching | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser. | |||||
CVE-2012-2079 | 1 Drupal | 1 Activity | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal. | |||||
CVE-2019-10911 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2023-12-10 | 6.0 MEDIUM | 7.5 HIGH |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security. | |||||
CVE-2019-11876 | 2 Drupal, Prestashop | 2 Drupal, Prestashop | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. |