Vulnerabilities > Drupal
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-11-11 | CVE-2019-18856 | Incorrect Permission Assignment for Critical Resource vulnerability in Drupal SVG Sanitizer A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled. | 5.0 |
| 2019-11-07 | CVE-2010-2473 | Improper Input Validation vulnerability in Drupal Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. | 3.5 |
| 2019-11-07 | CVE-2010-2472 | Cross-site Scripting vulnerability in Drupal Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. | 3.5 |
| 2019-11-07 | CVE-2010-2250 | Cross-site Scripting vulnerability in Drupal Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. | 4.3 |
| 2019-11-06 | CVE-2010-2471 | Open Redirect vulnerability in multiple products Drupal versions 5.x and 6.x has open redirection | 5.8 |
| 2019-05-24 | CVE-2019-11876 | Cross-site Scripting vulnerability in multiple products In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. | 4.3 |
| 2019-05-16 | CVE-2019-10911 | Improper Authentication vulnerability in multiple products In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. | 6.0 |
| 2019-05-16 | CVE-2019-10910 | SQL Injection vulnerability in multiple products In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. | 7.5 |
| 2019-05-16 | CVE-2019-10909 | Cross-site Scripting vulnerability in multiple products In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. | 3.5 |
| 2019-05-09 | CVE-2019-11831 | Deserialization of Untrusted Data vulnerability in multiple products The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | 9.8 |