Filtered by vendor Drupal
Subscriptions
Filtered by product Drupal
Subscriptions
Total
710 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-13671 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2025-03-14 | 8.8 High |
| Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. | ||||
| CVE-2021-41184 | 7 Drupal, Fedoraproject, Jqueryui and 4 more | 36 Drupal, Fedora, Jquery Ui and 33 more | 2025-02-13 | 6.5 Medium |
| jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. | ||||
| CVE-2021-41183 | 8 Debian, Drupal, Fedoraproject and 5 more | 37 Debian Linux, Drupal, Fedora and 34 more | 2025-02-13 | 6.5 Medium |
| jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. | ||||
| CVE-2021-41182 | 8 Debian, Drupal, Fedoraproject and 5 more | 38 Debian Linux, Drupal, Fedora and 35 more | 2025-02-13 | 6.5 Medium |
| jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources. | ||||
| CVE-2019-6340 | 1 Drupal | 1 Drupal | 2025-02-07 | 8.1 High |
| Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.) | ||||
| CVE-2020-28949 | 5 Debian, Drupal, Fedoraproject and 2 more | 6 Debian Linux, Drupal, Fedora and 3 more | 2025-02-07 | 7.8 High |
| Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | ||||
| CVE-2022-25273 | 1 Drupal | 1 Drupal | 2025-02-03 | 7.5 High |
| Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. | ||||
| CVE-2022-25278 | 1 Drupal | 1 Drupal | 2025-02-03 | 6.5 Medium |
| Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected. | ||||
| CVE-2022-25277 | 1 Drupal | 1 Drupal | 2025-02-03 | 7.2 High |
| Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads. | ||||
| CVE-2022-25276 | 1 Drupal | 1 Drupal | 2025-02-03 | 6.1 Medium |
| The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. | ||||
| CVE-2022-25275 | 1 Drupal | 1 Drupal | 2025-02-03 | 7.5 High |
| In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating. | ||||
| CVE-2022-25274 | 1 Drupal | 1 Drupal | 2025-02-03 | 5.4 Medium |
| Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system. | ||||
| CVE-2023-31250 | 1 Drupal | 1 Drupal | 2025-02-03 | 6.5 Medium |
| The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating. | ||||
| CVE-2024-22362 | 1 Drupal | 1 Drupal | 2024-11-21 | 7.5 High |
| Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. | ||||
| CVE-2023-5256 | 1 Drupal | 1 Drupal | 2024-11-21 | 7.5 High |
| In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected. | ||||
| CVE-2022-25271 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2024-11-21 | 7.5 High |
| Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. | ||||
| CVE-2022-25270 | 1 Drupal | 1 Drupal | 2024-11-21 | 6.5 Medium |
| The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. | ||||
| CVE-2021-41165 | 3 Ckeditor, Drupal, Oracle | 9 Ckeditor, Drupal, Agile Product Lifecycle Management and 6 more | 2024-11-21 | 8.2 High |
| CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. | ||||
| CVE-2021-41164 | 4 Ckeditor, Drupal, Fedoraproject and 1 more | 10 Ckeditor, Drupal, Fedora and 7 more | 2024-11-21 | 8.2 High |
| CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. | ||||
| CVE-2021-33829 | 4 Ckeditor, Debian, Drupal and 1 more | 4 Ckeditor, Debian Linux, Drupal and 1 more | 2024-11-21 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. | ||||