Vulnerabilities > Drupal > High

DATE CVE VULNERABILITY TITLE RISK
2018-03-01 CVE-2017-6926 Information Exposure vulnerability in Drupal
In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.
network
low complexity
drupal CWE-200
8.1
2017-04-20 CVE-2017-6919 Unspecified vulnerability in Drupal
Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.
network
high complexity
drupal
7.5
2017-03-16 CVE-2017-6381 Inclusion of Functionality from Untrusted Control Sphere vulnerability in Drupal
A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution.
network
high complexity
drupal CWE-829
8.1
2017-03-16 CVE-2017-6379 Cross-Site Request Forgery (CSRF) vulnerability in Drupal
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF.
network
high complexity
drupal CWE-352
7.5
2017-03-16 CVE-2017-6377 Incorrect Authorization vulnerability in Drupal
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
network
low complexity
drupal CWE-863
7.5
2016-11-25 CVE-2016-9450 Insufficient Verification of Data Authenticity vulnerability in Drupal
The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.
network
low complexity
drupal CWE-345
7.5
2016-09-09 CVE-2016-6211 Permissions, Privileges, and Access Controls vulnerability in multiple products
The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.
network
low complexity
drupal debian CWE-264
8.8
2016-07-19 CVE-2016-5385 Open Redirect vulnerability in multiple products
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
8.1
2016-04-12 CVE-2016-3171 Data Processing Errors vulnerability in multiple products
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
network
high complexity
drupal debian CWE-19
8.1
2016-04-12 CVE-2016-3169 Permissions, Privileges, and Access Controls vulnerability in multiple products
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
network
high complexity
debian drupal CWE-264
8.1