Drupal vulnerabilities: medium risk

Each entry lists: date published, CVE identifier, vulnerability title, risk score; then the description; then attack vector, attack complexity (where given), affected products and CWE weakness (where given).
2018-03-01  CVE-2017-6931  Unrestricted Upload of File with Dangerous Type vulnerability in Drupal  (risk 4.0)
  In Drupal 8.4.x versions before 8.4.5, the Settings Tray module allows users to update certain data that they do not have permission to change. Note that the title and the CWE-434 tag describe a file-upload weakness, while the description itself describes a permission (access) bypass.
  Attack vector: network. Attack complexity: low. Products: drupal. Weakness: CWE-434.
2018-03-01  CVE-2017-6930  Unspecified vulnerability in Drupal  (risk 6.8)
  In Drupal 8.4.x versions before 8.4.5, when node access controls are used on a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries.
  Attack vector: network. Products: drupal.
2018-03-01  CVE-2017-6929  Cross-site Scripting vulnerability in multiple products  (risk 4.3)
  A jQuery cross-site scripting vulnerability is present when making Ajax requests to untrusted domains.
  Attack vector: network. Products: drupal, debian. Weakness: CWE-79.
2018-03-01  CVE-2017-6927  Cross-site Scripting vulnerability in multiple products  (risk 4.3)
  Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (JavaScript output does not typically go through Twig autoescaping).
  Attack vector: network. Products: drupal, debian. Weakness: CWE-79.
2018-03-01  CVE-2017-6926  Information Exposure vulnerability in Drupal  (risk 5.5)
  In Drupal 8.4.x versions before 8.4.5, users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.
  Attack vector: network. Attack complexity: low. Products: drupal. Weakness: CWE-200.
2017-10-18  CVE-2015-7943  Open Redirect vulnerability in multiple products  (risk 5.8)
  Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
2017-09-13  CVE-2015-7880  Information Exposure vulnerability in Drupal  (risk 4.0)
  The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames.
  Attack vector: network. Attack complexity: low. Products: drupal. Weakness: CWE-200.
2017-09-13  CVE-2015-2750  Open Redirect vulnerability in multiple products  (risk 5.8)
  Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence.
2017-09-13  CVE-2015-2749  Open Redirect vulnerability in multiple products  (risk 5.8)
  Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
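The two entries above (CVE-2015-2750 and CVE-2015-2749) describe one bug class: a destination parameter the site redirects to after login or a form submission, and a check that fails to reject an off-site target. The example below is added here and is not Drupal's own code; it is written in Python rather than PHP so it runs stand-alone, and the function names and sample payloads are constructed for the example. It puts the naive "starts with a slash" check, which the "//" initial sequence bypasses, next to a stricter same-site check that also handles the variants browsers accept.

```python
"""
Validating a Drupal-style ?destination= parameter before redirecting.

Added example (not Drupal code; Python rather than PHP). Function names
and the PAYLOADS list are constructed for this illustration.
"""
import re
from urllib.parse import unquote


def naive_is_local(destination: str) -> bool:
    """The check that looks sufficient but is not: "//evil.example/" passes."""
    return destination.startswith("/")


def is_local_destination(destination: str) -> bool:
    """Accept only a same-site absolute path such as "/user/1?x=y#top".

    Rejected: anything with a scheme (http:, javascript:), anything a browser
    reads as a network-path reference ("//host", "///host", "/\\host"),
    control characters (browsers strip tabs and newlines before parsing),
    and percent-encoded forms of the above, since some code paths decode
    the value before using it.
    """
    if not destination:
        return False
    for candidate in (destination, unquote(destination)):
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
            return False
        if "\\" in candidate:
            return False
        # Exactly one leading slash: "/path" yes, "//host" and "///host" no.
        # This also rules out "http://..." and "javascript:...", which have
        # no leading slash at all.
        if not re.match(r"^/(?!/)", candidate):
            return False
    return True


def safe_redirect_target(destination: str, fallback: str = "/") -> str:
    """Location header value to use: the destination if local, else fallback."""
    return destination if is_local_destination(destination) else fallback


# Constructed sample values, typical of what a tester feeds into ?destination=.
PAYLOADS = [
    "/user/1",
    "/node/5?x=1#top",
    "//evil.example/",       # protocol-relative: the "//" initial sequence
    "///evil.example/",      # extra slashes are collapsed by browsers
    "/\\evil.example/",      # browsers treat "\" like "/"
    "%2F%2Fevil.example/",   # "//evil.example/" after decoding
    "/%5Cevil.example",      # "/\evil.example" after decoding
    "/%09/evil.example",     # tab is stripped by browsers before parsing
    "http://evil.example/",
    "javascript:alert(1)",
]


def naive_check_bypasses(payloads=PAYLOADS) -> list:
    """Payloads the naive check accepts but the strict check rejects."""
    return [p for p in payloads
            if naive_is_local(p) and not is_local_destination(p)]


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:26} naive={naive_is_local(p)!s:5} "
              f"strict={is_local_destination(p)}")
    print("bypasses of the naive check:", naive_check_bypasses())
```

Run it directly to print the verdict for each payload. The strict check accepts the redirect target only as a path; an absolute URL back to the site's own hostname is rejected as well, which is the simplest safe policy when the site is served under more than one name.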
2017-04-20  CVE-2017-6919  Access Bypass vulnerability in Drupal  (risk 6.0)
  Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.
  Attack vector: network. Products: drupal.