Vulnerabilities > Drupal > High

DATE CVE VULNERABILITY TITLE RISK
2016-04-12 CVE-2016-3167 Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.
network
low complexity
drupal debian
7.4
2016-04-12 CVE-2016-3165 Improper Access Control vulnerability in Drupal
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
network
low complexity
drupal CWE-284
7.5
2016-04-12 CVE-2016-3164 Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.
network
low complexity
drupal debian
7.4
2016-04-12 CVE-2016-3163 7PK - Security Features vulnerability in multiple products
The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
network
low complexity
debian drupal CWE-254
7.5
2016-04-12 CVE-2016-3162 Improper Access Control vulnerability in multiple products
The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
network
low complexity
drupal debian CWE-284
8.1