Vulnerabilities > Drupal > High

Each entry lists: DATE | CVE | VULNERABILITY TITLE | RISK (CVSS base score), followed by the description and, where the listing records them, the attack vector, attack complexity, affected vendors and CWE.

2019-05-16 | CVE-2019-10910 | SQL Injection vulnerability in multiple products | RISK 7.5
  In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL injection and remote code execution.
  Attack vector: network | Complexity: low | Vendors: sensiolabs, drupal | CWE-89

2019-01-22 | CVE-2019-6338 | Deserialization of Untrusted Data vulnerability in multiple products | RISK 8.0
  In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, Drupal core uses the third-party PEAR Archive_Tar library.
  Attack vector: network | Complexity: low | Vendors: drupal, debian | CWE-502

2019-01-15 | CVE-2017-6924 | Improper Privilege Management vulnerability in Drupal | RISK 7.4
  In Drupal 8 prior to 8.3.7, when using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments.
  Attack vector: network | Complexity: high | Vendors: drupal | CWE-269

2019-01-15 | CVE-2017-6925 | Unspecified vulnerability in Drupal | RISK 7.5
  In versions of Drupal 8 core prior to 8.3.7, there is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities.
  Attack vector: network | Complexity: low | Vendors: drupal

2018-08-06 | CVE-2017-6920 | Data Processing Errors vulnerability in Drupal | RISK 7.5
  Drupal core 8 before version 8.3.4 allows remote attackers to execute arbitrary code because the PECL YAML parser does not handle PHP objects safely during certain operations.
  Attack vector: network | Complexity: low | Vendors: drupal | CWE-19

2018-03-29 | CVE-2014-5170 | Improper Input Validation vulnerability in Drupal Storage API | RISK 7.5
  The Storage API module 7.x before 7.x-1.6 for Drupal might allow remote attackers to execute arbitrary code by leveraging the failure to update .htaccess file contents after SA-CORE-2013-003.
  Attack vector: network | Complexity: low | Vendors: drupal | CWE-20

2018-03-29 | CVE-2018-7600 | Improper Input Validation vulnerability in multiple products | RISK 7.5
  Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
  Attack vector: network | Complexity: low | Vendors: drupal, debian | CWE-20

2016-07-19 | CVE-2016-5385 | Open Redirect vulnerability in multiple products | RISK 8.1
  PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

2016-04-12 | CVE-2016-3168 | 7PK - Security Features vulnerability in multiple products | RISK 8.5
  The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."

2015-08-24 | CVE-2015-6659 | SQL Injection vulnerability in Drupal | RISK 7.5
  SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment.
  Attack vector: network | Complexity: low | Vendors: drupal | CWE-89