Vulnerabilities > Drupal > High

DATE CVE VULNERABILITY TITLE RISK
2022-03-21 CVE-2022-24775 guzzlehttp/psr7 is a PSR-7 HTTP message library.
network
low complexity
drupal guzzlephp
7.5
2022-03-16 CVE-2022-24729 CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.
network
low complexity
ckeditor drupal oracle fedoraproject
7.5
2022-02-16 CVE-2022-25271 Improper Input Validation vulnerability in multiple products
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation.
network
low complexity
drupal fedoraproject CWE-20
7.5
2022-02-11 CVE-2020-13670 Exposure of Resource to Wrong Sphere vulnerability in Drupal
Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.
network
low complexity
drupal CWE-668
7.5
2022-02-11 CVE-2020-13677 Unspecified vulnerability in Drupal
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.
network
low complexity
drupal
7.5
2021-06-11 CVE-2020-13663 Cross-Site Request Forgery (CSRF) vulnerability in Drupal
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
network
low complexity
drupal CWE-352
8.8
2021-05-05 CVE-2020-13664 Command Injection vulnerability in Drupal
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances.
network
low complexity
drupal CWE-77
8.8
2021-01-18 CVE-2020-36193 Link Following vulnerability in multiple products
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
network
low complexity
php fedoraproject debian drupal CWE-59
7.5
2020-11-20 CVE-2020-13671 Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
network
low complexity
drupal fedoraproject CWE-434
8.8
2020-11-19 CVE-2020-28949 Injection vulnerability in multiple products
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
local
low complexity
php debian fedoraproject drupal CWE-74
7.8