Drupal Vulnerabilities: High Risk

DATE CVE VULNERABILITY TITLE RISK
2020-11-19 CVE-2020-28948 Deserialization of Untrusted Data vulnerability in multiple products
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
local
low complexity
php debian fedoraproject drupal CWE-502
7.8
2019-11-22 CVE-2012-2079 Cross-Site Request Forgery (CSRF) vulnerability in Drupal Activity 6.X1.X
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
network
low complexity
drupal CWE-352
8.8
2019-11-15 CVE-2011-2726 Incorrect Authorization vulnerability in multiple products
An access bypass issue was found in Drupal 7.x before version 7.5.
network
low complexity
drupal debian redhat fedoraproject CWE-863
7.5
2019-11-11 CVE-2019-18856 Incorrect Permission Assignment for Critical Resource vulnerability in Drupal SVG Sanitizer
A denial-of-service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.
network
low complexity
drupal CWE-732
7.5
2019-05-16 CVE-2019-10911 Improper Authentication vulnerability in multiple products
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.
network
high complexity
sensiolabs drupal CWE-287
7.5
2019-02-21 CVE-2019-6340 Deserialization of Untrusted Data vulnerability in Drupal
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10.
network
high complexity
drupal CWE-502
8.1
2019-01-22 CVE-2019-6338 Deserialization of Untrusted Data vulnerability in multiple products
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, Drupal core uses the third-party PEAR Archive_Tar library.
network
low complexity
drupal debian CWE-502
8.0
2019-01-15 CVE-2017-6924 Improper Privilege Management vulnerability in Drupal
In Drupal 8 prior to 8.3.7, when using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments.
network
high complexity
drupal CWE-269
7.4
2018-04-04 CVE-2018-9205 Path Traversal vulnerability in Drupal Avatar Uploader 7.X1.0
Vulnerability in avatar_uploader v7.x-1.0-beta8: the code in view.php doesn't verify users or sanitize the file path.
network
low complexity
drupal CWE-22
7.5
2018-03-01 CVE-2017-6930 Unspecified vulnerability in Drupal
In Drupal 8.4.x versions before 8.4.5, when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries.
network
high complexity
drupal
8.1