Vulnerabilities > Drupal > Drupal > 8.1.7
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-19 | CVE-2020-28949 | Injection vulnerability in multiple products Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | 7.8 |
| 2020-11-19 | CVE-2020-28948 | Deserialization of Untrusted Data vulnerability in multiple products Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | 7.8 |
| 2019-01-22 | CVE-2017-6923 | Missing Authorization vulnerability in Drupal In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. | 6.5 |
| 2019-01-22 | CVE-2017-6922 | Files or Directories Accessible to External Parties vulnerability in multiple products In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. | 6.5 |
| 2019-01-15 | CVE-2017-6921 | Improper Input Validation vulnerability in Drupal In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. | 5.9 |
| 2019-01-15 | CVE-2017-6924 | Improper Privilege Management vulnerability in Drupal In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. | 7.4 |
| 2019-01-15 | CVE-2017-6925 | Unspecified vulnerability in Drupal In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. | 7.5 |
| 2018-08-06 | CVE-2017-6920 | Data Processing Errors vulnerability in Drupal Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations. | 7.5 |
| 2018-08-03 | CVE-2018-14773 | An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. | 4.0 |
| 2018-04-19 | CVE-2018-9861 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element. | 4.3 |