Drupal Core
19 CVEs affecting Drupal Core. Latest disclosed: 2023-09-28. Critical: 0, High: 0.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-5256 | | | 2023-09-28 | In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and ma… |
| CVE-2023-31250 | | | 2023-04-26 | The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they s… |
| CVE-2022-25278 | | | 2023-04-26 | Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should n… |
| CVE-2022-25277 | | | 2023-04-26 | Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prev… |
| CVE-2022-25276 | | | 2023-04-26 | The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. U… |
| CVE-2022-25275 | | | 2023-04-26 | In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivativ… |
| CVE-2022-25274 | | | 2023-04-26 | Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting i… |
| CVE-2022-25273 | | | 2023-04-26 | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow… |
| CVE-2022-25270 | | | 2022-02-16 | The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission vie… |
| CVE-2022-25271 | | | 2022-02-16 | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow… |
| CVE-2020-13677 | | | 2022-02-11 | Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. S… |
| CVE-2020-13676 | | | 2022-02-11 | The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affe… |
| CVE-2020-13670 | | | 2022-02-11 | Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they… |
| CVE-2020-13674 | | | 2022-02-11 | The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible da… |
| CVE-2020-13675 | | | 2022-02-11 | Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an acces… |
| CVE-2020-13672 | | | 2022-02-11 | Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issu… |
| CVE-2020-13669 | | | 2022-02-11 | Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8… |
| CVE-2020-13668 | | | 2022-02-11 | Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerab… |
| CVE-2018-7602 | | | 2018-07-19 | A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vec… |