Vulnerabilities > Drupal
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-05 | CVE-2020-13665 | Unspecified vulnerability in Drupal Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. | 7.5 |
| 2021-05-05 | CVE-2020-13662 | Open Redirect vulnerability in Drupal Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. | 5.8 |
| 2021-01-18 | CVE-2020-36193 | Link Following vulnerability in multiple products Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. | 7.5 |
| 2020-12-17 | CVE-2020-35191 | Missing Authentication for Critical Function vulnerability in Drupal Docker Images 8.3.0Fpmalpine The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. | 10.0 |
| 2020-11-20 | CVE-2020-13671 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. | 8.8 |
| 2020-11-19 | CVE-2020-28949 | Injection vulnerability in multiple products Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | 7.8 |
| 2020-11-19 | CVE-2020-28948 | Deserialization of Untrusted Data vulnerability in multiple products Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | 7.8 |
| 2020-05-28 | CVE-2019-6342 | Improper Input Validation vulnerability in Drupal 8.7.4 An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. | 6.8 |
| 2020-04-29 | CVE-2020-11022 | Cross-site Scripting vulnerability in multiple products In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. | 6.1 |
| 2020-04-29 | CVE-2020-11023 | Cross-site Scripting vulnerability in multiple products In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. | 6.1 |