Drupal

Drupal

276 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 1.28%
  • Veröffentlicht 05.05.2021 15:15:08
  • Zuletzt bearbeitet 21.11.2024 05:01:43

Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior ...

  • EPSS 2.93%
  • Veröffentlicht 05.05.2021 14:15:07
  • Zuletzt bearbeitet 21.11.2024 05:01:43

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior ...

Warnung
  • EPSS 70.6%
  • Veröffentlicht 18.01.2021 20:15:12
  • Zuletzt bearbeitet 07.11.2025 22:03:02

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

Warnung
  • EPSS 4.27%
  • Veröffentlicht 20.11.2020 16:15:15
  • Zuletzt bearbeitet 03.11.2025 18:06:21

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affec...

Exploit
  • EPSS 47.49%
  • Veröffentlicht 19.11.2020 19:15:11
  • Zuletzt bearbeitet 21.11.2024 05:23:21

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

Warnung Exploit
  • EPSS 84.55%
  • Veröffentlicht 19.11.2020 19:15:11
  • Zuletzt bearbeitet 07.11.2025 22:03:27

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

  • EPSS 1.86%
  • Veröffentlicht 28.05.2020 21:15:11
  • Zuletzt bearbeitet 21.11.2024 04:46:26

An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.

Exploit
  • EPSS 99.02%
  • Veröffentlicht 29.04.2020 22:15:11
  • Zuletzt bearbeitet 13.04.2026 15:16:29

In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in...

Warnung Exploit
  • EPSS 83.83%
  • Veröffentlicht 29.04.2020 21:15:11
  • Zuletzt bearbeitet 07.11.2025 19:32:52

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may ex...

  • EPSS 4.33%
  • Veröffentlicht 07.03.2020 01:15:15
  • Zuletzt bearbeitet 21.11.2024 05:40:20

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).