cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-12393,https://securityvulnerability.io/vulnerability/CVE-2024-12393,Drupal Core Vulnerability - XSS (Cross-Site Scripting),"A vulnerability in Drupal Core allows Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation. Attackers can exploit this flaw to inject arbitrary web scripts into pages displayed to users, potentially leading to data theft or unauthorized actions. The issue affects multiple versions of Drupal Core; administrators should update promptly.",Drupal,Drupal Core,,,0.00043,false,,false,false,false,,,false,false,,2024-12-10T00:15:00.000Z,0
CVE-2024-11942,https://securityvulnerability.io/vulnerability/CVE-2024-11942,Drupal Core Vulnerability Allows File Manipulation,A vulnerability in Drupal Core allows File Manipulation. This issue affects Drupal Core: from 10.0.0 before 10.2.10.,Drupal,Drupal Core,,,0.00043,false,,false,false,false,,,false,false,,2024-12-05T14:42:07.812Z,0
CVE-2024-11941,https://securityvulnerability.io/vulnerability/CVE-2024-11941,Excessive Allocation Vulnerability Affects Drupal Core,"A vulnerability in Drupal Core allows Excessive Allocation. This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.",Drupal,Drupal Core,,,0.00043,false,,false,false,false,,,false,false,,2024-12-05T14:39:37.975Z,0
CVE-2023-5256,https://securityvulnerability.io/vulnerability/CVE-2023-5256,Drupal core - Critical - Cache poisoning - SA-CORE-2023-006,"The JSON:API module in Drupal has a vulnerability that can lead to the exposure of sensitive information through backtraces in error messages. When this module is enabled under certain configurations, it can inadvertently cache error details that are then served to anonymous users. This poses a risk of privilege escalation, as attackers can gather sensitive data about the site's architecture and potentially exploit it. Administrators are advised to uninstall the JSON:API module if it is not explicitly needed; the core REST and contributed GraphQL modules are unaffected.",Drupal,Core,7.5,HIGH,0.00089,false,,false,false,false,,,false,false,,2023-09-28T19:15:00.000Z,0
CVE-2022-25278,https://securityvulnerability.io/vulnerability/CVE-2022-25278,Access Control Vulnerability in Drupal Core by Drupal,"An access control vulnerability exists in the Drupal Core form API, which may incorrectly evaluate user permissions on form elements. This issue could allow unauthorized users to modify data they are not entitled to access, especially in forms created through custom or contributed modules. While no core Drupal forms are directly affected, site administrators should review their custom implementations to ensure sensitive data remains protected.",Drupal,Core,6.5,MEDIUM,0.00049,false,,false,false,false,,,false,false,,2023-04-26T00:00:00.000Z,0
CVE-2023-31250,https://securityvulnerability.io/vulnerability/CVE-2023-31250,File Path Exposure Vulnerability in Drupal by Drupal,"This vulnerability arises from inadequate sanitization of file paths within the file download functionality of Drupal. Exploitation can allow users to access sensitive files that should remain private, posing a significant risk to user data and site integrity. Drupal administrators should review the release notes for their specific Drupal version and apply any configuration changes they require to secure their installations against this vulnerability.",Drupal,Core,6.5,MEDIUM,0.00059,false,,false,false,false,,,false,false,,2023-04-26T00:00:00.000Z,0
CVE-2022-25273,https://securityvulnerability.io/vulnerability/CVE-2022-25273,Improper Input Validation in Drupal Core Forms Affecting Custom Modules,"An improper input validation vulnerability exists in Drupal Core's form API that can affect contributed or custom modules. This flaw may permit attackers to inject unauthorized values or manipulate data within certain forms, which, although uncommon, could result in the alteration of critical or sensitive information. Properly securing these forms is essential to prevent exploitation of this vulnerability.",Drupal,Core,7.5,HIGH,0.00057,false,,false,false,false,,,false,false,,2023-04-26T00:00:00.000Z,0
CVE-2022-25274,https://securityvulnerability.io/vulnerability/CVE-2022-25274,Access Bypass in Drupal's Revision System for Node and Media Content,"Drupal 9.3 introduced a generic entity access API for managing entity revisions. However, the API was not fully integrated with the existing permission system, leading to a potential access bypass for users who can interact with content revisions without possessing the requisite permissions for specific items within node and media content. This issue primarily affects installations that use Drupal's revision system, posing a risk to content security.",Drupal,Core,5.4,MEDIUM,0.00049,false,,false,false,false,,,false,false,,2023-04-26T00:00:00.000Z,0
CVE-2022-25275,https://securityvulnerability.io/vulnerability/CVE-2022-25275,Access Control Flaw in Drupal Image Module,"The Image module in Drupal exhibits an access control issue that may allow unauthorized access to image files not stored in the standard public directory. Specifically, when generating derivative images, the module fails to properly verify access for files housed in custom file systems or schemes provided by certain contributed modules. The flaw only arises when the site is configured to allow insecure image derivatives; the default configuration disallows them. Administrators should review this setting after updating, especially if the site configuration has been customized.",Drupal,Core,7.5,HIGH,0.00116,false,,false,false,false,,,false,false,,2023-04-26T00:00:00.000Z,0
CVE-2022-25276,https://securityvulnerability.io/vulnerability/CVE-2022-25276,Cross-Site Scripting Vulnerability in Drupal's Media oEmbed Component,"The Media oEmbed component in Drupal has a flaw where the iframe domain setting is not properly validated. This oversight allows malicious embeds to be rendered within the context of the primary domain. Exploiting this vulnerability can lead to cross-site scripting attacks, exposing sensitive user data such as cookies and potentially allowing unauthorized actions on behalf of users.",Drupal,Core,6.1,MEDIUM,0.00056,false,,false,false,false,,,false,false,,2023-04-26T00:00:00.000Z,0
CVE-2022-25277,https://securityvulnerability.io/vulnerability/CVE-2022-25277,File Upload Vulnerability in Drupal Core by Acquia,"Drupal Core has a vulnerability related to filename sanitization during file uploads. The system is designed to sanitize filenames with potentially dangerous extensions and to remove leading and trailing dots to mitigate the risk of uploading sensitive configuration files. However, the sanitization did not function correctly when both protections were applied together. Specifically, if a site allows the upload of files with an .htaccess extension, the filename may escape the intended sanitization safeguards. This can result in remote code execution on Apache web servers if an administrator configures a file field to permit .htaccess uploads. The risk is generally mitigated unless a field administrator grants that permission explicitly or a module or script misconfigures the upload rules.",Drupal,Core,7.2,HIGH,0.00307,false,,false,false,false,,,false,false,,2023-04-26T00:00:00.000Z,0
CVE-2022-25270,https://securityvulnerability.io/vulnerability/CVE-2022-25270,Access Control Flaw in Quick Edit Module for Drupal by Drupal,"The Quick Edit module in Drupal fails to adequately verify entity access, allowing users with the 'access in-place editing' permission to potentially view content they are not authorized to access. This issue only affects sites that have the Quick Edit module enabled, which is included with the Standard profile.",Drupal,Core,6.5,MEDIUM,0.00065,false,,false,false,false,,,false,false,,2022-02-17T00:15:00.000Z,0
CVE-2022-25271,https://securityvulnerability.io/vulnerability/CVE-2022-25271,Improper Input Validation in Drupal Core's Form API Affecting User Data Security,"Drupal core's Form API is susceptible to a vulnerability where certain contributed or custom module forms may not properly validate inputs. This flaw could permit attackers to inject unauthorized values or alter existing data. Although the affected forms are not prevalent, in specific scenarios this vulnerability could allow manipulation of critical or sensitive information, posing significant risks to data integrity and security.",Drupal,Core,7.5,HIGH,0.00208,false,,false,false,false,,,false,false,,2022-02-16T00:00:00.000Z,0
CVE-2020-13677,https://securityvulnerability.io/vulnerability/CVE-2020-13677,Access Control Vulnerability in Drupal Core JSON:API by Drupal,"The Drupal Core JSON:API module has a vulnerability where it fails to adequately restrict access to certain content under specific conditions. This flaw could allow unauthorized users to bypass access controls and gain access to restricted content. Only sites with the JSON:API module enabled are at risk. Administrators should review the module's permissions and apply the updates recommended in the security advisories.",Drupal,Core,7.5,HIGH,0.0017,false,,false,false,false,,,false,false,,2022-02-11T15:55:12.000Z,0
CVE-2020-13676,https://securityvulnerability.io/vulnerability/CVE-2020-13676,Access Control Issue in Drupal's QuickEdit Module,"The QuickEdit module in Drupal fails to adequately verify user permissions for specific fields under certain conditions, which could result in unauthorized access to sensitive field data. This issue arises only when the QuickEdit module, part of the Standard profile, is active on a site.",Drupal,Core,6.5,MEDIUM,0.00065,false,,false,false,false,,,false,false,,2022-02-11T15:50:11.000Z,0
CVE-2020-13670,https://securityvulnerability.io/vulnerability/CVE-2020-13670,Information Disclosure Vulnerability in Drupal Core File Module,"An information disclosure vulnerability exists in the file module of Drupal Core, allowing unauthorized access to the file metadata of private files. Attackers can exploit this vulnerability by guessing the file ID, which can lead to exposure of sensitive information. This affects multiple versions of Drupal Core, including 8.8.x before 8.8.10, 8.9.x before 8.9.6, and 9.0.x before 9.0.6. Administrators are encouraged to update their installations to the latest versions to mitigate potential risks.",Drupal,Core,7.5,HIGH,0.00221,false,,false,false,false,,,false,false,,2022-02-11T15:45:22.000Z,0
CVE-2020-13674,https://securityvulnerability.io/vulnerability/CVE-2020-13674,Access Validation Bypass in QuickEdit Module for Drupal,"The QuickEdit module for Drupal fails to properly validate user access to key routes, potentially exposing sites to cross-site request forgery (CSRF) attacks. This vulnerability can compromise data integrity and security within installations that include the QuickEdit module as part of the Standard profile. Simply removing the 'access in-place editing' permission from untrusted users is not a sufficient safeguard against exploitation, so the update is required rather than a permission change.",Drupal,Core,6.5,MEDIUM,0.00053,false,,false,false,false,,,false,false,,2022-02-11T15:45:18.000Z,0
CVE-2020-13675,https://securityvulnerability.io/vulnerability/CVE-2020-13675,Access Bypass Vulnerability in Drupal's JSON:API and REST/File Modules,"Drupal's JSON:API and REST/File modules are susceptible to an access bypass issue due to insufficient file validation during file uploads via their HTTP APIs. Exploiting this vulnerability allows attackers to upload unauthorized files, potentially leading to malicious actions on the affected website. Proper validation of uploaded files must be in place to mitigate the risks associated with this flaw.",Drupal,Core,9.8,CRITICAL,0.00249,false,,false,false,false,,,false,false,,2022-02-11T15:45:11.000Z,0
CVE-2020-13672,https://securityvulnerability.io/vulnerability/CVE-2020-13672,Cross-Site Scripting Vulnerability in Drupal Core by Drupal,"This vulnerability arises from a failure of Drupal core's sanitization API to adequately filter Cross-Site Scripting attacks under specific circumstances. As a result, attackers may exploit this flaw to execute arbitrary scripts in the user's browser, potentially leading to unauthorized access to sensitive information or user sessions when interacting with affected versions of Drupal. Users should ensure their installations are updated to the latest versions to mitigate the risks associated with this vulnerability.",Drupal,Core,6.1,MEDIUM,0.00061,false,,false,false,false,,,false,false,,2022-02-11T15:30:12.000Z,0
CVE-2020-13669,https://securityvulnerability.io/vulnerability/CVE-2020-13669,Cross-Site Scripting Vulnerability in Drupal Core by Drupal,"A Cross-Site Scripting (XSS) vulnerability exists in the ckeditor component of Drupal Core, allowing attackers to inject malicious scripts into web pages viewed by other users. This flaw can lead to unauthorized actions being performed on behalf of unsuspecting users or to sensitive information being revealed. Affected versions include 8.8.x prior to 8.8.10, 8.9.x prior to 8.9.6, and 9.0.x prior to 9.0.6. Website administrators should patch their installations to mitigate potential risks.",Drupal,Core,6.1,MEDIUM,0.00078,false,,false,false,false,,,false,false,,2022-02-11T15:25:12.000Z,0
CVE-2020-13668,https://securityvulnerability.io/vulnerability/CVE-2020-13668,Access bypass in Drupal Core 8/9,Access Bypass vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.,Drupal,Core,6.1,MEDIUM,0.00073,false,,false,false,false,,,false,false,,2022-02-11T15:15:14.000Z,0
CVE-2020-13688,https://securityvulnerability.io/vulnerability/CVE-2020-13688,,Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.,Drupal,Drupal Core,6.1,MEDIUM,0.00078,false,,false,false,false,,,false,false,,2021-06-11T15:08:56.000Z,0
CVE-2020-13663,https://securityvulnerability.io/vulnerability/CVE-2020-13663,,"Cross-Site Request Forgery vulnerability in Drupal Core: the Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.",Drupal,Drupal Core,8.8,HIGH,0.00073,false,,false,false,false,,,false,false,,2021-06-11T15:07:25.000Z,0
CVE-2020-13667,https://securityvulnerability.io/vulnerability/CVE-2020-13667,,"Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without the correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see it. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue affects Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.",Drupal,Drupal Core,5.3,MEDIUM,0.00084,false,,false,false,false,,,false,false,,2021-05-17T16:52:34.000Z,0
CVE-2020-13664,https://securityvulnerability.io/vulnerability/CVE-2020-13664,,"Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.",Drupal,Drupal Core,8.8,HIGH,0.00679,false,,false,false,false,,,false,false,,2021-05-05T14:56:39.000Z,0
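The feed's affected-version information lives only in free text inside the `description` column, in three phrasings ("8.8.x versions prior to 8.8.10", "9.0.x before 9.0.6", "from 10.0.0 before 10.2.10"), and several rows state no range at all. The following triage script is an added example, not part of the feed or of any Drupal or securityvulnerability.io code: it parses the export with Python's `csv` module (which handles the multi-line quoted descriptions), extracts the ranges it can recognise, and ranks rows for a given installed core version, treating rows with no parseable range as "unknown" rather than "safe". It relies only on the `cve`, `description`, `severity` and `epss` columns, so it reads the full export above as well as the constructed, reduced-column excerpt embedded in the code.

```python
"""Triage the Drupal CVE feed above against an installed core version.

Added example, not part of the feed or of any Drupal project code. Relies
only on the feed's `cve`, `description`, `severity` and `epss` columns.
"""
import csv
import io
import re
from typing import Optional

# Version phrasings as they occur in the feed's description field:
#   "8.8.x versions prior to 8.8.10", "9.0.x before 9.0.6",
#   "from 10.0.0 before 10.2.10"
_BRANCH = re.compile(
    r"(\d+\.\d+)\.[xX]\s+(?:versions\s+)?(?:prior to|before)\s+(\d+\.\d+\.\d+)")
_FROM = re.compile(r"from\s+(\d+\.\d+\.\d+)\s+before\s+(\d+\.\d+\.\d+)")

# Constructed excerpt with a reduced column set; the multi-line quoted
# description and the unscored 2024 row mirror the real export.
FEED = '''cve,description,score,severity,epss
CVE-2020-13670,"An information disclosure vulnerability exists in the file module of Drupal Core. This affects 8.8.x before 8.8.10, 8.9.x before 8.9.6, and 9.0.x before 9.0.6.
Administrators are encouraged to update.",7.5,HIGH,0.00221
CVE-2020-13664,"Arbitrary PHP code execution vulnerability in Drupal Core. This issue affects: Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.",8.8,HIGH,0.00679
CVE-2024-11942,A vulnerability in Drupal Core allows File Manipulation. This issue affects Drupal Core: from 10.0.0 before 10.2.10.,,,0.00043
CVE-2020-13663,"Cross-Site Request Forgery vulnerability in Drupal Core: the Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.",8.8,HIGH,0.00073
'''


def parse_version(text: str) -> tuple:
    """'8.8.10' -> (8, 8, 10); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def affected_ranges(description: str) -> list:
    """Return [(low_inclusive, high_exclusive), ...] stated in the text.

    A branch wildcard such as '8.8.x' is taken to start at 8.8.0; the
    'fixed in' version is the exclusive upper bound.
    """
    ranges = []
    for branch, fixed in _BRANCH.findall(description):
        ranges.append((parse_version(branch + ".0"), parse_version(fixed)))
    for low, fixed in _FROM.findall(description):
        ranges.append((parse_version(low), parse_version(fixed)))
    return ranges


def is_affected(installed: str, description: str) -> Optional[bool]:
    """True/False when the description states ranges, None when it states
    none: absence of a range in the summary text is not evidence of safety."""
    ranges = affected_ranges(description)
    if not ranges:
        return None
    version = parse_version(installed)
    return any(low <= version < high for low, high in ranges)


def triage(feed_text: str, installed: str) -> list:
    """Rank feed rows for one installed version: affected first, then
    unknown, then not affected; within each group by EPSS descending."""
    rows = []
    for row in csv.DictReader(io.StringIO(feed_text)):
        rows.append({
            "cve": row["cve"],
            "affected": is_affected(installed, row["description"]),
            "epss": float(row["epss"]) if row["epss"] else 0.0,
            "severity": row["severity"] or "UNSCORED",
        })
    group = {True: 0, None: 1, False: 2}
    rows.sort(key=lambda r: (group[r["affected"]], -r["epss"]))
    return rows


if __name__ == "__main__":
    for r in triage(FEED, "8.8.9"):
        print(f'{r["cve"]}  affected={r["affected"]}  {r["severity"]}  epss={r["epss"]}')
```

Run against the full export by replacing `FEED` with the file contents; only the four named columns are read. Rows reported as `None` (for example the CSRF entry, whose description names no versions) still need the vendor advisory checked by hand, and the 2024 entries carry no CVSS score in this feed, so EPSS is the only ranking signal for them.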