Vulnerabilities > Drupal

DATE CVE VULNERABILITY TITLE RISK
2020-04-29 CVE-2020-11022 In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. 6.1
2020-04-29 CVE-2020-11023 In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. 6.1
2020-03-07 CVE-2020-9281 Cross-site Scripting vulnerability in multiple products
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
network
low complexity
ckeditor fedoraproject drupal oracle CWE-79
6.1
2020-02-18 CVE-2013-4226 Missing Authorization vulnerability in Drupal Authenticated User Page Caching
The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser.
network
low complexity
drupal CWE-862
6.5
2020-01-14 CVE-2011-2715 SQL Injection vulnerability in Drupal Data and Drupal
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
network
low complexity
drupal CWE-89
critical
9.8
2020-01-14 CVE-2011-2714 Cross-site Scripting vulnerability in Drupal Data and Drupal
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.
network
low complexity
drupal CWE-79
6.1
2019-12-16 CVE-2019-19826 Deserialization of Untrusted Data vulnerability in Drupal Views Dynamic Field
The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion.
network
low complexity
drupal CWE-502
critical
9.8
2019-11-25 CVE-2011-3373 Cross-site Scripting vulnerability in Drupal Views Builk Operations
Drupal Views Builk Operations (VBO) module 6.x-1.0 through 6.x-1.10 does not properly escape the vocabulary help when the vocabulary has had user tagging enabled and the "Modify node taxonomy terms" action is used.
network
low complexity
drupal CWE-79
6.1
2019-11-22 CVE-2012-2079 Cross-Site Request Forgery (CSRF) vulnerability in Drupal Activity 6.X1.X
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
network
low complexity
drupal CWE-352
8.8
2019-11-21 CVE-2012-2078 Cross-site Scripting vulnerability in Drupal Activity 6.X1.X
Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal.
network
low complexity
drupal CWE-79
4.8