Vulnerabilities > Drupal

DATE CVE VULNERABILITY TITLE RISK
2020-12-17 CVE-2020-35191 Missing Authentication for Critical Function vulnerability in Drupal Docker Images 8.3.0Fpmalpine
The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user.
network
low complexity
drupal CWE-306
critical
10.0
2020-11-20 CVE-2020-13671 Unrestricted Upload of File With Dangerous Type vulnerability in Drupal
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
network
low complexity
drupal CWE-434
6.5
2020-11-19 CVE-2020-28949 Injection vulnerability in multiple products
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
6.8
2020-11-19 CVE-2020-28948 Deserialization of Untrusted Data vulnerability in multiple products
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
6.8
2020-05-28 CVE-2019-6342 Improper Input Validation vulnerability in Drupal 8.7.4
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled.
6.8
2020-04-29 CVE-2020-11022 Cross-Site Scripting vulnerability in multiple products
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
4.3
2020-02-18 CVE-2013-4226 Missing Authorization vulnerability in Drupal Authenticated User Page Caching
The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser.
network
low complexity
drupal CWE-862
4.0
2020-01-14 CVE-2011-2715 SQL Injection vulnerability in Drupal Data and Drupal
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
network
low complexity
drupal CWE-89
7.5
2020-01-14 CVE-2011-2714 Cross-Site Scripting vulnerability in Drupal Data and Drupal
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.
network
drupal CWE-79
4.3
2019-12-16 CVE-2019-19826 Deserialization of Untrusted Data vulnerability in Drupal Views Dynamic Field
The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion.
network
low complexity
drupal CWE-502
7.5