Drupal

Drupal

266 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2020-13665

  • EPSS 0.58%
  • Published 05.05.2021 15:15:08
  • Last modified 21.11.2024 05:01:43

Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior ...

6.1

CVE-2020-13666

  • EPSS 0.51%
  • Published 05.05.2021 14:15:07
  • Last modified 21.11.2024 05:01:43

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior ...

7.5

CVE-2020-36193

Warning
  • EPSS 86.02%
  • Published 18.01.2021 20:15:12
  • Last modified 03.04.2025 19:44:16

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

8.8

CVE-2020-13671

Warning
  • EPSS 12.44%
  • Published 20.11.2020 16:15:15
  • Last modified 14.03.2025 20:50:29

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affec...

7.8

CVE-2020-28948

Exploit
  • EPSS 76.87%
  • Published 19.11.2020 19:15:11
  • Last modified 21.11.2024 05:23:21

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

7.8

CVE-2020-28949

Warning Exploit
  • EPSS 93.06%
  • Published 19.11.2020 19:15:11
  • Last modified 07.03.2025 17:12:53

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

9.8

CVE-2019-6342

  • EPSS 0.2%
  • Published 28.05.2020 21:15:11
  • Last modified 21.11.2024 04:46:26

An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.

6.1

CVE-2020-11022

Exploit
  • EPSS 22.55%
  • Published 29.04.2020 22:15:11
  • Last modified 21.11.2024 04:56:36

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This prob...

6.1

CVE-2020-11023

Warning Exploit
  • EPSS 21.32%
  • Published 29.04.2020 21:15:11
  • Last modified 24.01.2025 02:00:02

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may ex...

6.1

CVE-2020-9281

  • EPSS 0.77%
  • Published 07.03.2020 01:15:15
  • Last modified 21.11.2024 05:40:20

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).