Vulnerabilities > Drupal > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-04-20 CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. 6.1
2019-03-26 CVE-2019-6341 Cross-site Scripting vulnerability in multiple products
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14.
network
low complexity
drupal debian fedoraproject CWE-79
5.4
2019-02-21 CVE-2019-6340 Deserialization of Untrusted Data vulnerability in Drupal
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10.
network
drupal CWE-502
6.8
2019-01-22 CVE-2017-6923 Missing Authorization vulnerability in Drupal
In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters.
network
low complexity
drupal CWE-862
6.5
2019-01-22 CVE-2017-6922 Files or Directories Accessible to External Parties vulnerability in multiple products
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users.
network
low complexity
drupal debian CWE-552
6.5
2019-01-15 CVE-2017-6921 Improper Input Validation vulnerability in Drupal
In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files.
network
high complexity
drupal CWE-20
5.9
2018-08-03 CVE-2018-14773 An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2.
network
low complexity
sensiolabs debian drupal
4.0
2018-04-19 CVE-2018-9861 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.
4.3
2018-04-04 CVE-2018-9205 Path Traversal vulnerability in Drupal Avatar Uploader 7.X1.0
Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesn't verify users or sanitize the file path.
network
low complexity
drupal CWE-22
5.0
2018-03-01 CVE-2017-6932 Open Redirect vulnerability in multiple products
Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used.
5.8