Total
708 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-2472 | 1 Drupal | 1 Drupal | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
| Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. | |||||
| CVE-2011-2715 | 1 Drupal | 2 Data, Drupal | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. | |||||
| CVE-2020-9281 | 4 Ckeditor, Drupal, Fedoraproject and 1 more | 11 Ckeditor, Drupal, Fedora and 8 more | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). | |||||
| CVE-2011-2714 | 1 Drupal | 2 Data, Drupal | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. | |||||
| CVE-2010-2473 | 1 Drupal | 1 Drupal | 2023-12-10 | 3.5 LOW | 6.5 MEDIUM |
| Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. | |||||
| CVE-2010-2471 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| Drupal versions 5.x and 6.x has open redirection | |||||
| CVE-2019-10911 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2023-12-10 | 6.0 MEDIUM | 7.5 HIGH |
| In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security. | |||||
| CVE-2019-11876 | 2 Drupal, Prestashop | 2 Drupal, Prestashop | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. | |||||
| CVE-2019-11831 | 5 Debian, Drupal, Fedoraproject and 2 more | 5 Debian Linux, Drupal, Fedora and 2 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | |||||
| CVE-2019-6341 | 3 Debian, Drupal, Fedoraproject | 3 Debian Linux, Drupal, Fedora | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. | |||||
| CVE-2019-10909 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. | |||||
| CVE-2019-10910 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. | |||||
| CVE-2017-6920 | 1 Drupal | 1 Drupal | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations. | |||||
| CVE-2017-6925 | 1 Drupal | 1 Drupal | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity. | |||||
| CVE-2017-6922 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system. | |||||
| CVE-2019-6340 | 1 Drupal | 1 Drupal | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
| Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.) | |||||
| CVE-2017-6921 | 1 Drupal | 1 Drupal | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource. | |||||
| CVE-2019-6339 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration. | |||||
| CVE-2018-14773 | 3 Debian, Drupal, Sensiolabs | 3 Debian Linux, Drupal, Symfony | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. | |||||
| CVE-2017-6924 | 1 Drupal | 1 Drupal | 2023-12-10 | 5.8 MEDIUM | 7.4 HIGH |
| In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments. | |||||