Vulnerabilities > Drupal > Drupal > 8.9.7
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-02-11 | CVE-2020-13674 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. | 4.3 |
2022-02-11 | CVE-2020-13675 | Unrestricted Upload of File with Dangerous Type vulnerability in Drupal Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. | 7.5 |
2022-02-11 | CVE-2020-13676 | Incorrect Authorization vulnerability in Drupal The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. | 4.0 |
2022-02-11 | CVE-2020-13677 | Unspecified vulnerability in Drupal Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. | 7.5 |
2021-11-17 | CVE-2021-41165 | Cross-site Scripting vulnerability in multiple products CKEditor4 is an open source WYSIWYG HTML editor. | 5.4 |
2021-11-17 | CVE-2021-41164 | Cross-site Scripting vulnerability in multiple products CKEditor4 is an open source WYSIWYG HTML editor. | 5.4 |
2021-06-09 | CVE-2021-33829 | Cross-site Scripting vulnerability in multiple products A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. | 6.1 |
2021-01-18 | CVE-2020-36193 | Link Following vulnerability in multiple products Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. | 7.5 |
2020-11-20 | CVE-2020-13671 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. | 8.8 |
2020-11-19 | CVE-2020-28949 | Injection vulnerability in multiple products Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | 7.8 |