cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score CVE-2024-12393,https://securityvulnerability.io/vulnerability/CVE-2024-12393,Drupal Core Vulnerability - XSS (Cross-Site Scripting),"A vulnerability in Drupal Core allows for Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation. Attackers can exploit this flaw to inject arbitrary web scripts into pages displayed to users, potentially leading to data theft or unauthorized actions. The issue impacts various versions of Drupal Core, necessitating immediate action from website administrators to ensure the security of their web applications.",Drupal,Drupal Core,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-10T00:15:00.000Z,0 CVE-2024-11942,https://securityvulnerability.io/vulnerability/CVE-2024-11942,Drupal Core Vulnerability Allows File Manipulation,A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10.,Drupal,Drupal Core,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-05T14:42:07.812Z,0 CVE-2024-11941,https://securityvulnerability.io/vulnerability/CVE-2024-11941,Excessive Allocation Vulnerability Affects Drupal Core,"A vulnerability in Drupal Core allows Excessive Allocation.This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.",Drupal,Drupal Core,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-05T14:39:37.975Z,0 CVE-2020-13688,https://securityvulnerability.io/vulnerability/CVE-2020-13688,,Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.,Drupal,Drupal Core,6.1,MEDIUM,0.0007800000021234155,false,,false,false,false,,,false,false,,2021-06-11T15:08:56.000Z,0 CVE-2020-13663,https://securityvulnerability.io/vulnerability/CVE-2020-13663,,"Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.",Drupal,Drupal Core,8.8,HIGH,0.0007300000288523734,false,,false,false,false,,,false,false,,2021-06-11T15:07:25.000Z,0 CVE-2020-13667,https://securityvulnerability.io/vulnerability/CVE-2020-13667,,"Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue affects Drupal Core8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.",Drupal,Drupal Core,5.3,MEDIUM,0.0008399999933317304,false,,false,false,false,,,false,false,,2021-05-17T16:52:34.000Z,0 CVE-2020-13664,https://securityvulnerability.io/vulnerability/CVE-2020-13664,,"Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.",Drupal,Drupal Core,8.8,HIGH,0.0067900000140070915,false,,false,false,false,,,false,false,,2021-05-05T14:56:39.000Z,0 CVE-2020-13662,https://securityvulnerability.io/vulnerability/CVE-2020-13662,,Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions.,Drupal,Drupal Core,6.1,MEDIUM,0.0007800000021234155,false,,false,false,false,,,false,false,,2021-05-05T14:32:03.000Z,0 CVE-2020-13665,https://securityvulnerability.io/vulnerability/CVE-2020-13665,,Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.,Drupal,Drupal Core,9.8,CRITICAL,0.0030799999367445707,false,,false,false,false,,,false,false,,2021-05-05T14:14:09.000Z,0 CVE-2020-13666,https://securityvulnerability.io/vulnerability/CVE-2020-13666,,"Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.",Drupal,Drupal Core,6.1,MEDIUM,0.0007800000021234155,false,,false,false,false,,,false,false,,2021-05-05T13:50:13.000Z,0 CVE-2020-13671,https://securityvulnerability.io/vulnerability/CVE-2020-13671,,"Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.",Drupal,Drupal Core,8.8,HIGH,0.6765499711036682,true,2022-01-18T00:00:00.000Z,false,false,true,2022-01-18T00:00:00.000Z,,false,false,,2020-11-20T15:40:39.000Z,0 CVE-2019-6342,https://securityvulnerability.io/vulnerability/CVE-2019-6342,Drupal core - Critical - Access bypass - SA-CORE-2019-008,An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.,Drupal,Drupal Core,9.8,CRITICAL,0.0030799999367445707,false,,false,false,false,,,false,false,,2020-05-28T20:59:46.000Z,0 CVE-2011-2726,https://securityvulnerability.io/vulnerability/CVE-2011-2726,,"An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.",drupal core,drupal core,7.5,HIGH,0.0029899999499320984,false,,false,false,false,,,false,false,,2019-11-15T16:21:51.000Z,0 CVE-2019-6341,https://securityvulnerability.io/vulnerability/CVE-2019-6341,Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004,In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.,Drupal,Drupal Core,5.4,MEDIUM,0.5741400122642517,false,,false,false,false,,,false,false,,2019-03-26T18:04:37.000Z,0 CVE-2019-6340,https://securityvulnerability.io/vulnerability/CVE-2019-6340,Drupal core - Highly critical - Remote Code Execution,"Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)",Drupal,Drupal Core,8.1,HIGH,0.9737300276756287,true,2022-03-25T00:00:00.000Z,false,false,true,2021-05-01T15:00:34.000Z,true,false,false,,2019-02-21T21:00:00.000Z,0 CVE-2017-6923,https://securityvulnerability.io/vulnerability/CVE-2017-6923,Access bypass in Drupal 8 views,"In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.",Drupal,Drupal Core,6.5,MEDIUM,0.0010400000028312206,false,,false,false,false,,,false,false,,2019-01-22T16:00:00.000Z,0 CVE-2019-6339,https://securityvulnerability.io/vulnerability/CVE-2019-6339,PHAR stream wrapper Arbitrary PHP code execution,"In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.",Drupal,Drupal Core,9.8,CRITICAL,0.7114199995994568,false,,false,false,true,2021-10-19T06:59:29.000Z,true,false,false,,2019-01-22T15:00:00.000Z,0 CVE-2019-6338,https://securityvulnerability.io/vulnerability/CVE-2019-6338,third-party PEAR Archive_Tar library updates,"In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details",Drupal,Drupal Core,8,HIGH,0.0024800000246614218,false,,false,false,false,,,false,false,,2019-01-22T15:00:00.000Z,0 CVE-2017-6922,https://securityvulnerability.io/vulnerability/CVE-2017-6922,Files uploaded by anonymous users into a private file system can be accessed by other anonymous users,"In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.",Drupal,Drupal Core,6.5,MEDIUM,0.001879999996162951,false,,false,false,false,,,false,false,,2019-01-22T15:00:00.000Z,0 CVE-2017-6921,https://securityvulnerability.io/vulnerability/CVE-2017-6921,File REST resource does not properly validate,"In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.",Drupal,Drupal Core,5.9,MEDIUM,0.0035000001080334187,false,,false,false,false,,,false,false,,2019-01-15T22:00:00.000Z,0 CVE-2017-6924,https://securityvulnerability.io/vulnerability/CVE-2017-6924,REST API can bypass comment approval - Access Bypass - Moderately Critical,"In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.",Drupal,Drupal Core,7.4,HIGH,0.0022700000554323196,false,,false,false,false,,,false,false,,2019-01-15T20:00:00.000Z,0 CVE-2017-6377,https://securityvulnerability.io/vulnerability/CVE-2017-6377,,"When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.",Drupal,Drupal Core,7.5,HIGH,0.0025100000202655792,false,,false,false,false,,,false,false,,2017-03-16T14:00:00.000Z,0 CVE-2017-6379,https://securityvulnerability.io/vulnerability/CVE-2017-6379,,Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.,Drupal,Drupal Core,7.5,HIGH,0.0017900000093504786,false,,false,false,false,,,false,false,,2017-03-16T14:00:00.000Z,0 CVE-2017-6381,https://securityvulnerability.io/vulnerability/CVE-2017-6381,,"A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the /vendor/phpunit directory from your production deployments",Drupal,Drupal Core,8.1,HIGH,0.02548000030219555,false,,false,false,false,,,false,false,,2017-03-16T14:00:00.000Z,0