Vulnerabilities > Drupal > High

| Date | CVE | Vulnerability title | Description | Vector | Complexity | Vendors | CWE | Risk |
|---|---|---|---|---|---|---|---|---|
| 2022-02-16 | CVE-2022-25271 | Improper Input Validation vulnerability in multiple products | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. | network | low complexity | drupal, fedoraproject | CWE-20 | 7.5 |
| 2022-02-11 | CVE-2020-13675 | Unrestricted Upload of File with Dangerous Type vulnerability in Drupal | Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. | network | low complexity | drupal | CWE-434 | 7.5 |
| 2022-02-11 | CVE-2020-13677 | Unspecified vulnerability in Drupal | Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. | network | low complexity | drupal | | 7.5 |
| 2021-05-05 | CVE-2020-13665 | Unspecified vulnerability in Drupal | Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. | network | low complexity | drupal | | 7.5 |
| 2021-01-18 | CVE-2020-36193 | Link Following vulnerability in multiple products | Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. | network | low complexity | php, fedoraproject, debian, drupal | CWE-59 | 7.5 |
| 2020-11-20 | CVE-2020-13671 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products | Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. | network | low complexity | drupal, fedoraproject | CWE-434 | 8.8 |
| 2020-11-19 | CVE-2020-28949 | Injection vulnerability in multiple products | Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | local | low complexity | php, debian, fedoraproject, drupal | CWE-74 | 7.8 |
| 2020-11-19 | CVE-2020-28948 | Deserialization of Untrusted Data vulnerability in multiple products | Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | local | low complexity | php, debian, fedoraproject, drupal | CWE-502 | 7.8 |
| 2020-01-14 | CVE-2011-2715 | SQL Injection vulnerability in Drupal Data and Drupal | An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. | network | low complexity | drupal | CWE-89 | 7.5 |
| 2019-12-16 | CVE-2019-19826 | Deserialization of Untrusted Data vulnerability in Drupal Views Dynamic Field | The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion. | network | low complexity | drupal | CWE-502 | 7.5 |