Vulnerabilities > Drupal > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-03-01 | CVE-2017-6926 | Information Exposure vulnerability in Drupal In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. | 8.1 |
| 2017-04-20 | CVE-2017-6919 | Unspecified vulnerability in Drupal Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests. | 7.5 |
| 2017-03-16 | CVE-2017-6381 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Drupal A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. | 8.1 |
| 2017-03-16 | CVE-2017-6379 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. | 7.5 |
| 2017-03-16 | CVE-2017-6377 | Incorrect Authorization vulnerability in Drupal When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass. | 7.5 |
| 2016-11-25 | CVE-2016-9450 | Insufficient Verification of Data Authenticity vulnerability in Drupal The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context. | 7.5 |
| 2016-09-09 | CVE-2016-6211 | Permissions, Privileges, and Access Controls vulnerability in multiple products The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form. | 8.8 |
| 2016-07-19 | CVE-2016-5385 | Open Redirect vulnerability in multiple products PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue. | 8.1 |
| 2016-04-12 | CVE-2016-3171 | Data Processing Errors vulnerability in multiple products Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation. | 8.1 |
| 2016-04-12 | CVE-2016-3169 | Permissions, Privileges, and Access Controls vulnerability in multiple products The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array. | 8.1 |