Drupal
(Drupal)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 200 |
| Date | ID | Summary | Products | Score | Patch |
|---|---|---|---|---|---|
| 2020-05-28 | CVE-2019-6342 | An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. | Drupal | N/A | |
| 2019-04-20 | CVE-2019-11358 | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. | Backdrop, Debian_linux, Drupal, Jquery | 6.1 | |
| 2020-01-14 | CVE-2011-2715 | An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. | Data, Drupal | N/A | |
| 2020-01-14 | CVE-2011-2714 | A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. | Data, Drupal | N/A | |
| 2019-11-15 | CVE-2011-2726 | An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL. | Debian_linux, Drupal, Fedora, Enterprise_linux | N/A | |
| 2019-11-07 | CVE-2010-2473 | Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. | Drupal | N/A | |
| 2019-11-07 | CVE-2010-2472 | Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. | Drupal | N/A | |
| 2019-11-06 | CVE-2010-2471 | drupal6 version 6.16 has open redirection | Debian_linux, Drupal | N/A | |
| 2019-11-07 | CVE-2010-2250 | Drupal 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. | Drupal | N/A | |
| 2019-05-16 | CVE-2019-10909 | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. | Drupal, Symfony | 5.4 |