Vulnerabilities > Drupal > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-03-01 CVE-2017-6927 Cross-site Scripting vulnerability in multiple products
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping).
network
low complexity
drupal debian CWE-79
6.1
2017-10-18 CVE-2015-7943 Open Redirect vulnerability in multiple products
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
6.1
2017-09-13 CVE-2015-7880 Information Exposure vulnerability in Drupal
The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames.
network
low complexity
drupal CWE-200
4.3
2017-09-13 CVE-2015-2750 Open Redirect vulnerability in multiple products
Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence.
network
low complexity
drupal debian CWE-601
6.1
2017-09-13 CVE-2015-2749 Open Redirect vulnerability in multiple products
Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
network
low complexity
drupal debian CWE-601
6.1
2016-11-25 CVE-2016-9452 Improper Input Validation vulnerability in Drupal
The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.
network
low complexity
drupal CWE-20
6.5
2016-11-25 CVE-2016-9451 Open Redirect vulnerability in Drupal
Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.
network
low complexity
drupal CWE-601
6.8
2016-11-25 CVE-2016-9449 Information Exposure vulnerability in Drupal
The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.
network
low complexity
drupal CWE-200
4.3
2016-10-03 CVE-2016-7572 Permissions, Privileges, and Access Controls vulnerability in Drupal
The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.
network
low complexity
drupal CWE-264
4.3
2016-10-03 CVE-2016-7571 Cross-site Scripting vulnerability in Drupal
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.
network
low complexity
drupal CWE-79
6.1