Product:

Drupal

(Drupal)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 200
Date ID Summary Products Score Patch
2020-05-28 CVE-2019-6342 An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. Drupal N/A
2019-04-20 CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. Backdrop, Debian_linux, Drupal, Jquery 6.1
2020-01-14 CVE-2011-2715 An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. Data, Drupal N/A
2020-01-14 CVE-2011-2714 A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. Data, Drupal N/A
2019-11-15 CVE-2011-2726 An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL. Debian_linux, Drupal, Fedora, Enterprise_linux N/A
2019-11-07 CVE-2010-2473 Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. Drupal N/A
2019-11-07 CVE-2010-2472 Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. Drupal N/A
2019-11-06 CVE-2010-2471 drupal6 version 6.16 has open redirection Debian_linux, Drupal N/A
2019-11-07 CVE-2010-2250 Drupal 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. Drupal N/A
2019-05-16 CVE-2019-10909 In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. Drupal, Symfony 5.4