| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-11876 |
79 |
|
XSS |
2019-05-24 |
2019-05-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. |
|
2 |
CVE-2019-11358 |
79 |
|
XSS |
2019-04-19 |
2019-06-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. |
|
3 |
CVE-2018-9861 |
79 |
|
XSS |
2018-04-19 |
2019-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element. |
|
4 |
CVE-2017-6931 |
434 |
|
Bypass |
2018-03-01 |
2019-10-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module. |
|
5 |
CVE-2017-6929 |
79 |
|
XSS |
2018-03-01 |
2018-03-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module. |
|
6 |
CVE-2017-6927 |
79 |
|
XSS |
2018-03-01 |
2018-03-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. |
|
7 |
CVE-2017-6923 |
862 |
|
|
2019-01-22 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them. |
|
8 |
CVE-2017-6922 |
552 |
|
Bypass |
2019-01-22 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system. |
|
9 |
CVE-2017-6921 |
20 |
|
|
2019-01-15 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource. |
|
10 |
CVE-2016-9452 |
20 |
|
DoS |
2016-11-25 |
2016-11-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL. |
|
11 |
CVE-2016-9451 |
601 |
|
|
2016-11-25 |
2017-01-06 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors. |
|
12 |
CVE-2016-9449 |
200 |
|
+Info |
2016-11-25 |
2017-01-06 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags. |
|
13 |
CVE-2016-7572 |
264 |
|
Bypass |
2016-10-03 |
2016-10-04 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors. |
|
14 |
CVE-2016-7571 |
79 |
|
XSS |
2016-10-03 |
2016-10-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception. |
|
15 |
CVE-2016-7570 |
264 |
|
|
2016-10-03 |
2016-10-04 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes. |
|
16 |
CVE-2016-3166 |
|
|
Http R.Spl. |
2016-04-12 |
2016-04-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers. |
|
17 |
CVE-2015-7880 |
200 |
|
+Info |
2017-09-13 |
2017-09-26 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames. |
|
18 |
CVE-2015-6665 |
79 |
|
XSS |
2015-08-24 |
2016-12-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag. |
|
19 |
CVE-2015-6658 |
79 |
|
XSS |
2015-08-24 |
2016-12-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files. |
|
20 |
CVE-2015-3234 |
20 |
|
|
2015-06-22 |
2016-12-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers. |
|
21 |
CVE-2015-3231 |
200 |
|
+Info |
2015-06-22 |
2016-12-02 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache. |
|
22 |
CVE-2014-8765 |
79 |
|
XSS |
2014-10-14 |
2014-10-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Project Issue File Review module (PIFR) module 6.x-2.x before 6.x-2.17 for Drupal allow (1) remote attackers to inject arbitrary web script or HTML via a crafted patch, which triggers a PIFR client to test the patch and return the results to the PIFR_Server test results page or (2) remote authenticated users with the "manage PIFR environments" permission to inject arbitrary web script or HTML via vectors involving a PIFR_Server administrative page. |
|
23 |
CVE-2014-8747 |
79 |
|
XSS |
2014-10-13 |
2017-09-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Drupal Commons module 7.x-3.x before 7.x-3.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to content creation and activity stream messages. |
|
24 |
CVE-2014-8296 |
79 |
|
XSS |
2014-10-16 |
2017-09-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Modal Frame API module 6.x-1.x before 6.x-1.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
25 |
CVE-2014-8079 |
79 |
|
XSS |
2014-10-09 |
2017-09-07 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to header background setting. |
|
26 |
CVE-2014-5022 |
79 |
|
XSS |
2014-07-22 |
2014-07-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field. |
|
27 |
CVE-2014-5020 |
264 |
|
Bypass |
2014-07-22 |
2014-07-22 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field. |
|
28 |
CVE-2014-2983 |
200 |
|
+Info |
2014-04-23 |
2017-12-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. |
|
29 |
CVE-2014-1607 |
79 |
|
XSS |
2014-01-26 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future. |
|
30 |
CVE-2014-1476 |
264 |
|
+Info |
2014-01-24 |
2014-02-21 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page. |
|
31 |
CVE-2013-6388 |
79 |
|
XSS |
2013-12-24 |
2014-01-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS. |
|
32 |
CVE-2013-0246 |
264 |
|
|
2013-07-16 |
2013-07-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors. |
|
33 |
CVE-2012-2339 |
79 |
|
XSS |
2012-05-21 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Glossary module 6.x-1.x before 6.x-1.8 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "taxonomy information." |
|
34 |
CVE-2012-2298 |
79 |
|
XSS |
2012-08-14 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the RealName module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) "user names in page titles" and (2) "autocomplete callbacks." |
|
35 |
CVE-2012-2153 |
264 |
|
|
2012-09-30 |
2013-12-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which allows remote authenticated users with the "Access the content overview page" permission to read all published nodes by accessing the admin/content page. |
|
36 |
CVE-2012-1646 |
79 |
|
XSS |
2012-09-25 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the FAQ module 6.x-1.x before 6.x-1.13 and 7.x-1.x-rc1 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via the (1) title parameter in faq.admin.inc or (2) detailed_question parameter in faq.module. |
|
37 |
CVE-2012-1590 |
264 |
|
+Info |
2012-09-30 |
2013-12-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The forum list in Drupal 7.x before 7.14 does not properly check user permissions for unpublished forum posts, which allows remote authenticated users to obtain sensitive information such as the post title via the forum overview page. |
|
38 |
CVE-2009-4602 |
79 |
|
XSS |
2010-01-12 |
2010-01-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
39 |
CVE-2009-3479 |
79 |
|
XSS |
2009-09-30 |
2009-10-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x before 5.x-1.17 and 6.x before 6.x-1.6, a module for Drupal, allows remote attackers, with "create content displayed by the Bibliography module" permissions, to inject arbitrary web script or HTML via a title. |
|
40 |
CVE-2009-2373 |
79 |
|
XSS |
2009-07-08 |
2009-07-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
41 |
CVE-2009-1576 |
|
|
+Info CSRF |
2009-05-06 |
2009-05-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks. |
|
42 |
CVE-2009-1575 |
79 |
|
XSS |
2009-05-06 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7. |
|
43 |
CVE-2009-1344 |
79 |
|
XSS |
2009-04-20 |
2009-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Localization client module 5.x before 5.x-1.2 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the translation functionality. |
|
44 |
CVE-2009-1343 |
79 |
|
XSS |
2009-04-20 |
2009-04-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.5 and 6.x before 6.x-1.5, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via content titles. |
|
45 |
CVE-2009-1342 |
79 |
|
XSS |
2009-04-20 |
2009-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the CCK comment reference module 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via certain comment titles associated with a node edit form. |
|
46 |
CVE-2009-1249 |
79 |
|
XSS |
2009-04-06 |
2009-04-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map. |
|
47 |
CVE-2009-1069 |
79 |
|
XSS |
2009-03-26 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x before 6.x-2.2, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) titles of candidate referenced nodes in the Node reference sub-module and the (2) names of candidate referenced users in the User reference sub-module. |
|
48 |
CVE-2009-1047 |
79 |
|
XSS |
2009-03-23 |
2009-04-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Send by e-mail module in the "Printer, e-mail and PDF versions" module 5.x before 5.x-4.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via vectors involving outbound HTML e-mail. |
|
49 |
CVE-2009-0575 |
79 |
|
XSS |
2009-02-13 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the theme_views_bulk_operations_confirmation function in views_bulk_operations.module in Views Bulk Operations 5.x before 5.x-1.3 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to node titles. NOTE: some of these details are obtained from third party information. |
|
50 |
CVE-2009-0382 |
264 |
|
Bypass |
2009-02-02 |
2009-02-02 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in Internationalization (i18n) Translation 5.x before 5.x-2.5, a module for Drupal, allows remote attackers with "translate node" permissions to bypass intended access restrictions and read unpublished nodes via unspecified vectors. |
