cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-13311,https://securityvulnerability.io/vulnerability/CVE-2024-13311,File Extension Bypass Vulnerability in Drupal by Acquia,"A security vulnerability exists in Drupal that allows unrestricted file extensions for file fields, potentially enabling unauthorized file uploads. This flaw could result in users being able to upload malicious files that could compromise the integrity of the application. It is critical to monitor and restrict file upload capabilities to maintain the security posture of the Drupal platform. For more details, refer to the announcement on the official Drupal security page.",Drupal,Allow All File Extensions For File Fields,7.3,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-09T21:15:00.000Z,0
CVE-2023-5256,https://securityvulnerability.io/vulnerability/CVE-2023-5256,Drupal core - Critical - Cache poisoning - SA-CORE-2023-006,"The JSON:API module in Drupal has a vulnerability that can lead to the exposure of sensitive information through backtraces in error messages. When this module is enabled under certain configurations, it can inadvertently cache error details that are accessible to anonymous users. This poses a risk of privilege escalation, as attackers can gather sensitive data about the site's architecture and potentially exploit it. 
To protect against this issue, administrators are advised to uninstall the JSON:API module if it is not explicitly needed, as the core REST and contributed GraphQL modules remain unaffected.",Drupal,Core,7.5,HIGH,0.0008900000248104334,false,,false,false,false,,,false,false,,2023-09-28T19:15:00.000Z,0
CVE-2022-25273,https://securityvulnerability.io/vulnerability/CVE-2022-25273,Improper Input Validation in Drupal Core Forms Affecting Custom Modules,"An improper input validation vulnerability exists in Drupal Core's form API that can affect contributed or custom modules. This flaw may permit attackers to inject unauthorized values or manipulate data within certain forms, which, although uncommon, could result in the alteration of critical or sensitive information. Properly securing these forms is essential to prevent the exploitation of this vulnerability.",Drupal,Core,7.5,HIGH,0.0005699999746866524,false,,false,false,false,,,false,false,,2023-04-26T00:00:00.000Z,0
CVE-2022-25277,https://securityvulnerability.io/vulnerability/CVE-2022-25277,File Upload Vulnerability in Drupal Core by Acquia,"Drupal Core has a vulnerability related to filename sanitization during file uploads. The system is designed to sanitize filenames with potentially dangerous extensions and remove leading and trailing dots to mitigate the risk of uploading sensitive configuration files. However, the sanitization process did not function effectively when both protections were applied together. Specifically, if a site allows the upload of files with an .htaccess extension, the filename may escape the intended sanitization safeguards. This can result in the possibility of remote code execution on Apache web servers if an administrator incorrectly configures file fields to permit .htaccess file uploads. 
The risk is generally mitigated unless a field administrator grants explicit permission or a module/script misconfigures upload rules.",Drupal,Core,7.2,HIGH,0.0030700000934302807,false,,false,false,false,,,false,false,,2023-04-26T00:00:00.000Z,0
CVE-2022-25275,https://securityvulnerability.io/vulnerability/CVE-2022-25275,Access Control Flaw in Drupal Image Module,"The Image module in Drupal exhibits an access control issue that may allow unauthorized access to image files not stored in the standard public directory. Specifically, when generating derivative images, the module fails to properly verify access for files housed in custom file systems or schemes provided by certain contributed modules. This flaw arises when the site's configuration is set to allow insecure file derivatives, which should be avoided as the default configuration is set to disallow such practices. Administrators should review their settings post-update, especially if customization has been applied, to maintain file security.",Drupal,Core,7.5,HIGH,0.0011599999852478504,false,,false,false,false,,,false,false,,2023-04-26T00:00:00.000Z,0
CVE-2022-25271,https://securityvulnerability.io/vulnerability/CVE-2022-25271,Improper Input Validation in Drupal Core's Form API Affecting User Data Security,"Drupal core's Form API is susceptible to a vulnerability where certain contributed or custom module forms may not properly validate inputs. This flaw could permit attackers to inject unauthorized values or alter existing data. 
Although the affected forms are not prevalent, in specific scenarios, this vulnerability could allow manipulation of critical or sensitive information, posing significant risks to data integrity and security.",Drupal,Core,7.5,HIGH,0.0020800000056624413,false,,false,false,false,,,false,false,,2022-02-16T00:00:00.000Z,0
CVE-2020-13677,https://securityvulnerability.io/vulnerability/CVE-2020-13677,Access Control Vulnerability in Drupal Core JSON:API by Drupal,"The Drupal Core JSON:API module has a vulnerability where it fails to adequately restrict access to certain content under specific conditions. This flaw could allow unauthorized users to bypass access controls and gain access to restricted content. Only sites with the JSON:API module enabled are at risk. To assure the security of your Drupal site, it is critical to review the module's permissions and take necessary updates as advised by security advisories.",Drupal,Core,7.5,HIGH,0.0017000000225380063,false,,false,false,false,,,false,false,,2022-02-11T15:55:12.000Z,0
CVE-2020-13670,https://securityvulnerability.io/vulnerability/CVE-2020-13670,Information Disclosure Vulnerability in Drupal Core File Module,"An information disclosure vulnerability exists in the file module of Drupal Core, allowing unauthorized access to file metadata of private files. Attackers can exploit this vulnerability by guessing the file ID, which can lead to exposure of sensitive information. This affects multiple versions of Drupal Core, including 8.8.x before 8.8.10, 8.9.x before 8.9.6, and 9.0.x before 9.0.6. 
Administrators are encouraged to update their installations to the latest versions to mitigate potential risks.",Drupal,Core,7.5,HIGH,0.0022100000642240047,false,,false,false,false,,,false,false,,2022-02-11T15:45:22.000Z,0
CVE-2020-13675,https://securityvulnerability.io/vulnerability/CVE-2020-13675,Access Bypass Vulnerability in Drupal's JSON:API and REST/File Modules,"Drupal's JSON:API and REST/File modules are susceptible to an access bypass issue due to insufficient file validation during file uploads via their HTTP APIs. Exploiting this vulnerability allows attackers to upload unauthorized files, potentially leading to malicious actions on the affected website. Proper validation procedures must be implemented to mitigate the risks associated with this flaw.",Drupal,Core,9.8,CRITICAL,0.0024900001008063555,false,,false,false,false,,,false,false,,2022-02-11T15:45:11.000Z,0
CVE-2020-13663,https://securityvulnerability.io/vulnerability/CVE-2020-13663,,"Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.",Drupal,Drupal Core,8.8,HIGH,0.0007300000288523734,false,,false,false,false,,,false,false,,2021-06-11T15:07:25.000Z,0
CVE-2020-13664,https://securityvulnerability.io/vulnerability/CVE-2020-13664,,"Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. 
This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.",Drupal,Drupal Core,8.8,HIGH,0.0067900000140070915,false,,false,false,false,,,false,false,,2021-05-05T14:56:39.000Z,0
CVE-2020-13665,https://securityvulnerability.io/vulnerability/CVE-2020-13665,,Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.,Drupal,Drupal Core,9.8,CRITICAL,0.0030799999367445707,false,,false,false,false,,,false,false,,2021-05-05T14:14:09.000Z,0
CVE-2020-35191,https://securityvulnerability.io/vulnerability/CVE-2020-35191,,The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.,Drupal,Drupal Docker Images,9.8,CRITICAL,0.00343000004068017,false,,false,false,true,2021-12-24T18:59:31.000Z,true,false,false,,2020-12-17T01:08:36.000Z,0
CVE-2020-13671,https://securityvulnerability.io/vulnerability/CVE-2020-13671,,"Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. 
This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.",Drupal,Drupal Core,8.8,HIGH,0.6765499711036682,true,2022-01-18T00:00:00.000Z,false,false,true,2022-01-18T00:00:00.000Z,,false,false,,2020-11-20T15:40:39.000Z,0
CVE-2019-6342,https://securityvulnerability.io/vulnerability/CVE-2019-6342,Drupal core - Critical - Access bypass - SA-CORE-2019-008,An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.,Drupal,Drupal Core,9.8,CRITICAL,0.0030799999367445707,false,,false,false,false,,,false,false,,2020-05-28T20:59:46.000Z,0
CVE-2011-2715,https://securityvulnerability.io/vulnerability/CVE-2011-2715,,An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.,Drupal,Data-module,9.8,CRITICAL,0.001560000004246831,false,,false,false,false,,,false,false,,2020-01-14T21:22:54.000Z,0
CVE-2019-19826,https://securityvulnerability.io/vulnerability/CVE-2019-19826,,"The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion. Code execution might also be possible.",Drupal,Views Dynamic Field,8.1,HIGH,0.002360000042244792,false,,false,false,false,,,false,false,,2019-12-16T22:21:59.000Z,0
CVE-2011-2726,https://securityvulnerability.io/vulnerability/CVE-2011-2726,,"An access bypass issue was found in Drupal 7.x before version 7.5. 
If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.",drupal core,drupal core,7.5,HIGH,0.0029899999499320984,false,,false,false,false,,,false,false,,2019-11-15T16:21:51.000Z,0
CVE-2019-18856,https://securityvulnerability.io/vulnerability/CVE-2019-18856,,A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.,Drupal,Svg Sanitizer,7.5,HIGH,0.0010499999625608325,false,,false,false,false,,,false,false,,2019-11-11T14:35:14.000Z,0
CVE-2019-6340,https://securityvulnerability.io/vulnerability/CVE-2019-6340,Drupal core - Highly critical - Remote Code Execution,"Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. 
(Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)",Drupal,Drupal Core,8.1,HIGH,0.9737300276756287,true,2022-03-25T00:00:00.000Z,false,false,true,2021-05-01T15:00:34.000Z,true,false,false,,2019-02-21T21:00:00.000Z,0
CVE-2019-6338,https://securityvulnerability.io/vulnerability/CVE-2019-6338,third-party PEAR Archive_Tar library updates,"In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details",Drupal,Drupal Core,8,HIGH,0.0024800000246614218,false,,false,false,false,,,false,false,,2019-01-22T15:00:00.000Z,0
CVE-2019-6339,https://securityvulnerability.io/vulnerability/CVE-2019-6339,PHAR stream wrapper Arbitrary PHP code execution,"In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. 
This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.",Drupal,Drupal Core,9.8,CRITICAL,0.7114199995994568,false,,false,false,true,2021-10-19T06:59:29.000Z,true,false,false,,2019-01-22T15:00:00.000Z,0
CVE-2017-6924,https://securityvulnerability.io/vulnerability/CVE-2017-6924,REST API can bypass comment approval - Access Bypass - Moderately Critical,"In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.",Drupal,Drupal Core,7.4,HIGH,0.0022700000554323196,false,,false,false,false,,,false,false,,2019-01-15T20:00:00.000Z,0
CVE-2017-6925,https://securityvulnerability.io/vulnerability/CVE-2017-6925,,"In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.",Drupal,Drupal,9.8,CRITICAL,0.003659999929368496,false,,false,false,false,,,false,false,,2019-01-15T17:00:00.000Z,0
CVE-2018-7602,https://securityvulnerability.io/vulnerability/CVE-2018-7602,Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004,"A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. 
This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.",Drupal,Core,9.8,CRITICAL,0.9700300097465515,true,2022-04-13T00:00:00.000Z,false,true,true,2020-06-25T12:06:07.000Z,true,false,false,,2018-07-19T17:00:00.000Z,0