Vulnerabilities > Drupal > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-03-01 | CVE-2017-6927 | Cross-site Scripting vulnerability in multiple products Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). | 6.1 |
| 2017-10-18 | CVE-2015-7943 | Open Redirect vulnerability in multiple products Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 6.1 |
| 2017-09-13 | CVE-2015-7880 | Information Exposure vulnerability in Drupal The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames. | 4.3 |
| 2017-09-13 | CVE-2015-2750 | Open Redirect vulnerability in multiple products Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence. | 6.1 |
| 2017-09-13 | CVE-2015-2749 | Open Redirect vulnerability in multiple products Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. | 6.1 |
| 2016-11-25 | CVE-2016-9452 | Improper Input Validation vulnerability in Drupal The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL. | 6.5 |
| 2016-11-25 | CVE-2016-9451 | Open Redirect vulnerability in Drupal Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors. | 6.8 |
| 2016-11-25 | CVE-2016-9449 | Information Exposure vulnerability in Drupal The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags. | 4.3 |
| 2016-10-03 | CVE-2016-7572 | Permissions, Privileges, and Access Controls vulnerability in Drupal The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors. | 4.3 |
| 2016-10-03 | CVE-2016-7571 | Cross-site Scripting vulnerability in Drupal Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception. | 6.1 |