Vulnerabilities > Drupal

DATE CVE VULNERABILITY TITLE RISK
2021-05-17 CVE-2020-13667 Incorrect Default Permissions vulnerability in Drupal
Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions.
network
drupal CWE-276
4.3
2021-05-05 CVE-2020-13664 Command Injection vulnerability in Drupal
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances.
network
drupal CWE-77
critical
9.3
2021-05-05 CVE-2020-13665 Incorrect Authorization vulnerability in Drupal
Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode.
network
low complexity
drupal CWE-863
7.5
2021-05-05 CVE-2020-13662 Open Redirect vulnerability in Drupal
Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.
network
drupal CWE-601
5.8
2021-01-18 CVE-2020-36193 Path Traversal vulnerability in multiple products
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
network
low complexity
php fedoraproject debian drupal CWE-22
5.0
2020-12-17 CVE-2020-35191 Missing Authentication for Critical Function vulnerability in Drupal Docker Images 8.3.0Fpmalpine
The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user.
network
low complexity
drupal CWE-306
critical
10.0
2020-11-20 CVE-2020-13671 Unrestricted Upload of File With Dangerous Type vulnerability in Drupal
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
network
low complexity
drupal CWE-434
6.5
2020-11-19 CVE-2020-28949 Injection vulnerability in multiple products
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
6.8
2020-11-19 CVE-2020-28948 Deserialization of Untrusted Data vulnerability in multiple products
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
6.8
2020-05-28 CVE-2019-6342 Improper Input Validation vulnerability in Drupal 8.7.4
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled.
6.8