Vulnerabilities > Drupal > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-03-26 | CVE-2019-6341 | Cross-site Scripting vulnerability in multiple products In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. | 5.4 |
| 2019-01-22 | CVE-2017-6923 | Missing Authorization vulnerability in Drupal In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. | 6.5 |
| 2019-01-22 | CVE-2017-6922 | Files or Directories Accessible to External Parties vulnerability in multiple products In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. | 6.5 |
| 2019-01-15 | CVE-2017-6921 | Improper Input Validation vulnerability in Drupal In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. | 5.9 |
| 2018-08-03 | CVE-2018-14773 | An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. | 6.5 |
| 2018-04-19 | CVE-2018-9861 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element. | 6.1 |
| 2018-03-01 | CVE-2017-6932 | Open Redirect vulnerability in multiple products Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. | 4.7 |
| 2018-03-01 | CVE-2017-6931 | Unrestricted Upload of File with Dangerous Type vulnerability in Drupal In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. | 6.5 |
| 2018-03-01 | CVE-2017-6929 | Cross-site Scripting vulnerability in multiple products A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. | 6.1 |
| 2018-03-01 | CVE-2017-6928 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. | 5.3 |