Vulnerabilities > Drupal
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-06-11 | CVE-2020-13663 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. | 6.8 |
| 2021-06-11 | CVE-2020-13688 | Cross-site Scripting vulnerability in Drupal Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. | 4.3 |
| 2021-06-09 | CVE-2021-33829 | Cross-site Scripting vulnerability in multiple products A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. | 4.3 |
| 2021-05-17 | CVE-2020-13667 | Incorrect Default Permissions vulnerability in Drupal Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. | 4.3 |
| 2021-05-05 | CVE-2020-13664 | Command Injection vulnerability in Drupal Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. | 9.3 |
| 2021-05-05 | CVE-2020-13665 | Incorrect Authorization vulnerability in Drupal Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. | 7.5 |
| 2021-05-05 | CVE-2020-13662 | Open Redirect vulnerability in Drupal Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. | 5.8 |
| 2021-01-18 | CVE-2020-36193 | Link Following vulnerability in multiple products Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. | 5.0 |
| 2020-12-17 | CVE-2020-35191 | Missing Authentication for Critical Function vulnerability in Drupal Docker Images 8.3.0Fpmalpine The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. | 10.0 |
| 2020-11-20 | CVE-2020-13671 | Unrestricted Upload of File with Dangerous Type vulnerability in Drupal Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. | 6.5 |