Vulnerabilities > Drupal
|2020-12-17||CVE-2020-35191|| Missing Authentication for Critical Function vulnerability in Drupal Docker Images 8.3.0-fpm-alpine |
The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for the root user, so any local login or su to root succeeds without a credential.
| 10.0 |
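An added check for this class of image defect, not code from the Drupal image or the advisory: it parses /etc/shadow-format text and distinguishes a genuinely empty hash field (no password needed) from the locked markers "!" and "*". The sample shadow excerpt is constructed for the example, and lock_empty_passwords is a hypothetical helper that shows the effect of running passwd -l root in the image.

```python
import sys

# Constructed /etc/shadow excerpt modelled on the affected Alpine image: root's hash
# field is empty, so su and local login reach root without a password. bin/nobody are
# locked with "!" and www-data with "*", neither of which is a blank password.
SAMPLE_SHADOW = """\
root::18659:0:::::
bin:!::0:::::
www-data:*:18659:0:99999:7:::
nobody:!::0:::::
"""


def users_with_empty_password(shadow_text: str) -> list:
    """Return the usernames whose password field in shadow-format text is empty.

    An empty second field means "no password required"; "!" or "*" mean "locked".
    """
    hits = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a shadow entry
        if fields[1] == "":
            hits.append(fields[0])
    return hits


def lock_empty_passwords(shadow_text: str) -> str:
    """Rewrite shadow-format text so every empty hash becomes "!" (what passwd -l leaves).

    Hypothetical helper for this example only; in a Dockerfile the fix is
    `RUN passwd -l root`, not editing the file by hand.
    """
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            fields[1] = "!"
        out.append(":".join(fields))
    return "\n".join(out) + ("\n" if shadow_text.endswith("\n") else "")


if __name__ == "__main__":
    # Usage: python check_shadow.py [path]; reading the real file needs root.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/shadow"
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as exc:
        sys.exit(f"cannot read {path}: {exc}")
    print("blank-password accounts:", users_with_empty_password(text) or "none")
```

Run it inside a container (docker run --rm IMAGE python3 check_shadow.py) as part of an image scan; a non-empty list for root is a fail regardless of whether the container exposes a login service, because any command-execution bug in the application then becomes root.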
|2020-11-20||CVE-2020-13671|| Unrestricted Upload of File With Dangerous Type vulnerability in Drupal |
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
| 6.5 |
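The hosting configuration behind this CVE is typically an Apache AddHandler/AddType rule that treats any ".php" segment in a filename as PHP, so "shell.php.txt" is executed even though its final extension is allowed. The following is an added Python reimplementation, not Drupal's own code, of the munging approach Drupal's file_munge_filename() takes (assumption about its exact rules): trailing dots and whitespace are stripped, and every intermediate extension-like segment that is not on the allow-list gets an underscore appended so it no longer matches the handler.

```python
import re

# A dot-separated segment that looks like a file extension (2-5 letters, optional digit).
EXT_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def _normalise(allowed_extensions) -> set:
    return {e.lower().lstrip(".") for e in allowed_extensions}


def munge_filename(filename: str, allowed_extensions) -> str:
    """Neutralise intermediate extensions: 'shell.php.txt' -> 'shell.php_.txt'.

    Assumed to mirror Drupal's file_munge_filename(): only segments that look like an
    extension and are not on the allow-list are altered, so 'archive.tar.gz' survives
    when 'tar' and 'gz' are both allowed.
    """
    whitelist = _normalise(allowed_extensions)
    name = filename.rstrip(". \t")  # some servers ignore a trailing dot
    parts = name.split(".")
    if len(parts) < 2:
        return name
    base, final_ext = parts[0], parts[-1]
    out = base
    for part in parts[1:-1]:
        out += "." + part
        if part.lower() not in whitelist and EXT_LIKE.match(part):
            out += "_"
    return out + "." + final_ext


def extension_allowed(filename: str, allowed_extensions) -> bool:
    """Final-extension check, applied after munging so 'shell.php.' cannot slip through."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in _normalise(allowed_extensions)


def accept_upload(filename: str, allowed_extensions):
    """Return the stored filename, or None when the upload must be refused."""
    safe = munge_filename(filename, allowed_extensions)
    return safe if extension_allowed(safe, allowed_extensions) else None


if __name__ == "__main__":
    for n in ["shell.php.txt", "shell.php.", "archive.tar.gz", "report.v2.final.txt"]:
        print(f"{n!r:24} -> {accept_upload(n, ['txt', 'gz', 'tar'])!r}")
```

Munging is defence in depth: the real fix is a web server that only executes files whose final extension is .php (Apache's FilesMatch "\.php$" with SetHandler rather than AddHandler), with the upload directory denied execution altogether.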
|2020-11-19||CVE-2020-28949|| Injection vulnerability in multiple products |
Archive_Tar through 1.4.10 sanitizes :// in member filenames only to address phar attacks, so any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
| 6.8 |
|2020-11-19||CVE-2020-28948|| Deserialization of Untrusted Data vulnerability in multiple products |
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not; PHP stream-wrapper scheme names are matched case-insensitively, so the uppercase prefix still reaches the phar wrapper and triggers metadata unserialization.
| 6.8 |
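Both Archive_Tar entries above (CVE-2020-28949 and CVE-2020-28948) come down to how a tar member name is vetted before it is handed to filesystem functions. The block below is an added example in Python, not Archive_Tar's code: vulnerable_reject reproduces the described 1.4.10 behaviour (only a lowercase phar: prefix refused; an assumption about the library's check), hardened_reject refuses any scheme prefix case-insensitively plus absolute and traversal paths, and both are run over a tar archive constructed in memory with attacker-chosen member names.

```python
import io
import re
import tarfile

# Any URL-style scheme prefix (phar://, PHAR://, file://, ...), matched case-insensitively.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[a-zA-Z]:[\\/]")

# Constructed member names: one benign, the rest the attack shapes the CVEs describe.
MEMBER_NAMES = [
    "docs/readme.txt",
    "phar://evil.phar/x",       # blocked by the 1.4.10-style check
    "PHAR://evil.phar/x",       # CVE-2020-28948: case bypass
    "file:///tmp/owned",        # CVE-2020-28949: a different wrapper
    "../../etc/cron.d/job",     # classic traversal, for completeness
]


def vulnerable_reject(name: str) -> bool:
    """Assumed model of Archive_Tar <= 1.4.10: refuse only an exact lowercase 'phar:' prefix."""
    return name.startswith("phar:")


def hardened_reject(name: str) -> bool:
    """Refuse any stream-wrapper URL, absolute path, drive letter or '..' component."""
    if SCHEME_RE.match(name) or DRIVE_RE.match(name):
        return True
    if name.startswith(("/", "\\")):
        return True
    return ".." in re.split(r"[\\/]+", name)


def build_archive(names) -> bytes:
    """Build an in-memory tar whose member names are attacker-controlled (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n in names:
            data = b"x"
            info = tarfile.TarInfo(name=n)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit(archive_bytes: bytes, reject) -> list:
    """Return the member names the given policy would let through to the filesystem."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if not reject(m.name)]


if __name__ == "__main__":
    archive = build_archive(MEMBER_NAMES)
    print("1.4.10-style check lets through:", audit(archive, vulnerable_reject))
    print("hardened check lets through:    ", audit(archive, hardened_reject))
```

The deserialization side matters because PHP parses phar metadata, and unserializes it, as soon as any file function (file_exists, is_dir, the checks an extractor runs before writing) touches a phar:// path; the member name never has to be extracted for the gadget chain to fire. A name allow-list (relative, no scheme, no traversal) closes both CVEs at once, whereas patching the prefix check alone only keeps up with the next spelling.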
|2020-05-28||CVE-2019-6342|| Improper Input Validation vulnerability in Drupal 8.7.4 |
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled.
| 6.8 |
|2020-04-29||CVE-2020-11022|| Cross-Site Scripting vulnerability in multiple products |
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
| 4.3 |
|2020-02-18||CVE-2013-4226|| Missing Authorization vulnerability in Drupal Authenticated User Page Caching |
The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser.
| 4.0 |
|2020-01-14||CVE-2011-2715|| SQL Injection vulnerability in Drupal Data and Drupal |
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
| 7.5 |
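Table and column names cannot be passed as bound query parameters, which is why this bug class survives in code that otherwise uses prepared statements. The block below is an added Python example, not code from the Data module or Drupal: strip_identifier models the mangling approach (assumed to mirror Drupal 7's db_escape_table(), which strips everything outside [A-Za-z0-9_.]), validate_identifier rejects instead of mangling and also requires the name to be a known schema object, and lookup runs the composed query against a constructed in-memory SQLite schema.

```python
import re
import sqlite3

# SQL identifiers are part of the statement text, so they are validated, never bound.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def strip_identifier(name: str) -> str:
    """Mangling policy (assumption: mirrors Drupal 7 db_escape_table()): drop every
    character outside [A-Za-z0-9_.]. It defeats injection but silently accepts garbage,
    so an attack turns into a confusing 'no such table' error instead of a logged rejection."""
    return re.sub(r"[^A-Za-z0-9_.]+", "", name)


def validate_identifier(name: str, known: set) -> str:
    """Rejecting policy: grammar check plus allow-list of schema objects the app owns."""
    if not IDENTIFIER_RE.match(name) or name not in known:
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def build_select(table: str, column: str, known_tables: set, known_columns: set) -> str:
    """Compose SQL from validated, double-quoted identifiers; the row id stays a bound value."""
    t = validate_identifier(table, known_tables)
    c = validate_identifier(column, known_columns)
    return f'SELECT "{c}" FROM "{t}" WHERE id = ?'


def lookup(table: str, column: str, row_id: int):
    """Run the composed query against a constructed in-memory schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    try:
        sql = build_select(table, column, {"users"}, {"id", "name"})
        row = conn.execute(sql, (row_id,)).fetchone()
    finally:
        conn.close()
    return row[0] if row else None


def rejects(table: str, column: str) -> bool:
    """True when the rejecting policy refuses the identifiers."""
    try:
        lookup(table, column, 1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hostile = 'users" UNION SELECT password FROM users --'
    print("mangled:", strip_identifier(hostile))
    print("rejected:", rejects(hostile, "name"))
    print("legitimate:", lookup("users", "name", 2))
```

Quoting the identifier with the backend's quote character is necessary but not sufficient on its own: a name containing that quote character must still be refused, which the grammar regex does before the quotes are ever applied.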
|2020-01-14||CVE-2011-2714|| Cross-Site Scripting vulnerability in Drupal Data and Drupal |
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.
| 4.3 |
|2019-12-16||CVE-2019-19826|| Deserialization of Untrusted Data vulnerability in Drupal Views Dynamic Field |
The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion.
| 7.5 |