CVE-2018-7600
Known exploited
Public exploit
Used for ransomware
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Max CVSS
9.8
EPSS Score
97.57%
Published
2018-03-29
Updated
2019-03-01
CISA KEV Added
2021-11-03
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
Max CVSS
8.1
EPSS Score
4.18%
Published
2016-04-12
Updated
2016-05-09
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
Max CVSS
8.1
EPSS Score
0.47%
Published
2016-04-12
Updated
2016-04-13
The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."
Max CVSS
8.5
EPSS Score
0.26%
Published
2016-04-12
Updated
2016-04-14
Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors.
Max CVSS
10.0
EPSS Score
0.31%
Published
2009-09-24
Updated
2022-09-27
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header.
Max CVSS
9.3
EPSS Score
1.53%
Published
2009-02-19
Updated
2017-08-17
6 vulnerabilities found