CVE-2020-13665
- EPSS 0.58%
- Published 05.05.2021 15:15:08
- Last modified 21.11.2024 05:01:43
Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior ...
CVE-2020-13666
- EPSS 0.51%
- Published 05.05.2021 14:15:07
- Last modified 21.11.2024 05:01:43
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior ...
CVE-2020-36193
- EPSS 86.02%
- Published 18.01.2021 20:15:12
- Last modified 03.04.2025 19:44:16
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CVE-2020-13671
- EPSS 12.44%
- Published 20.11.2020 16:15:15
- Last modified 14.03.2025 20:50:29
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affec...
CVE-2020-28948
- EPSS 76.87%
- Published 19.11.2020 19:15:11
- Last modified 21.11.2024 05:23:21
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
CVE-2020-28949
- EPSS 93.06%
- Published 19.11.2020 19:15:11
- Last modified 07.03.2025 17:12:53
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
CVE-2019-6342
- EPSS 0.2%
- Published 28.05.2020 21:15:11
- Last modified 21.11.2024 04:46:26
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.
CVE-2020-11022
- EPSS 22.55%
- Published 29.04.2020 22:15:11
- Last modified 21.11.2024 04:56:36
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This prob...
CVE-2020-11023
- EPSS 21.32%
- Published 29.04.2020 21:15:11
- Last modified 24.01.2025 02:00:02
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may ex...
CVE-2020-9281
- EPSS 0.77%
- Published 07.03.2020 01:15:15
- Last modified 21.11.2024 05:40:20
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).