Vulnerabilities > Drupal > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-03-26 CVE-2019-6341 Cross-site Scripting vulnerability in multiple products
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14.
network
low complexity
drupal debian fedoraproject CWE-79
5.4
2019-01-22 CVE-2017-6923 Missing Authorization vulnerability in Drupal
In Drupal 8.x prior to 8.3.7, when creating a view, you can optionally use Ajax to update the displayed data via filter parameters.
network
low complexity
drupal CWE-862
6.5
2019-01-22 CVE-2017-6922 Files or Directories Accessible to External Parties vulnerability in multiple products
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56: private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users.
network
low complexity
drupal debian CWE-552
6.5
2019-01-15 CVE-2017-6921 Improper Input Validation vulnerability in Drupal
In Drupal 8 prior to 8.3.4, the file REST resource does not properly validate some fields when manipulating files.
network
high complexity
drupal CWE-20
5.9
2018-08-03 CVE-2018-14773 An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2.
network
low complexity
sensiolabs debian drupal
6.5
2018-04-19 CVE-2018-9861 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.
network
low complexity
ckeditor drupal CWE-79
6.1
2018-03-01 CVE-2017-6932 Open Redirect vulnerability in multiple products
Drupal core 7.x versions before 7.57 have an external link injection vulnerability when the language switcher block is used.
network
high complexity
drupal debian CWE-601
4.7
2018-03-01 CVE-2017-6931 Unrestricted Upload of File with Dangerous Type vulnerability in Drupal
In Drupal 8.4.x versions before 8.4.5, the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.
network
low complexity
drupal CWE-434
6.5
2018-03-01 CVE-2017-6929 Cross-site Scripting vulnerability in multiple products
A jQuery cross-site scripting vulnerability is present when making Ajax requests to untrusted domains.
network
low complexity
drupal debian CWE-79
6.1
2018-03-01 CVE-2017-6928 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
In Drupal core 7.x versions before 7.57, when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it.
network
high complexity
drupal debian CWE-732
5.3