Vulnerabilities > Drupal

DATE CVE VULNERABILITY TITLE RISK
2021-06-11 CVE-2020-13663 Cross-Site Request Forgery (CSRF) vulnerability in Drupal
Cross-Site Request Forgery vulnerability in Drupal Core: the Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
network
drupal CWE-352
6.8
2021-06-11 CVE-2020-13688 Cross-site Scripting vulnerability in Drupal
Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.
network
drupal CWE-79
4.3
2021-06-09 CVE-2021-33829 Cross-site Scripting vulnerability in multiple products
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
4.3
2021-05-17 CVE-2020-13667 Incorrect Default Permissions vulnerability in Drupal
Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions.
network
drupal CWE-276
4.3
2021-05-05 CVE-2020-13664 Command Injection vulnerability in Drupal
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances.
network
drupal CWE-77
critical
9.3
2021-05-05 CVE-2020-13665 Incorrect Authorization vulnerability in Drupal
Access bypass vulnerability in Drupal Core affecting JSON:API when JSON:API is in read/write mode.
network
low complexity
drupal CWE-863
7.5
2021-05-05 CVE-2020-13662 Open Redirect vulnerability in Drupal
Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.
network
drupal CWE-601
5.8
2021-01-18 CVE-2020-36193 Link Following vulnerability in multiple products
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
network
low complexity
php fedoraproject debian drupal CWE-59
5.0
2020-12-17 CVE-2020-35191 Missing Authentication for Critical Function vulnerability in Drupal Docker Images 8.3.0Fpmalpine
The official Drupal Docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user.
network
low complexity
drupal CWE-306
critical
10.0
2020-11-20 CVE-2020-13671 Unrestricted Upload of File with Dangerous Type vulnerability in Drupal
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
network
low complexity
drupal CWE-434
6.5