Drupal : Security Vulnerabilities (Code Execution)
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.
| Max Base Score | 7.2 |
| Published | 2023-04-26 |
| Updated | 2023-05-09 |
| EPSS | 0.10% |
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.
| Max Base Score | 9.3 |
| Published | 2021-05-05 |
| Updated | 2021-05-14 |
| EPSS | 0.50% |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
| Max Base Score | 9.8 |
| Published | 2019-05-16 |
| Updated | 2021-09-29 |
| EPSS | 1.53% |
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.
| Max Base Score | 9.8 |
| Published | 2019-01-22 |
| Updated | 2019-10-09 |
| EPSS | 92.06% |
CVE-2018-7602
Known Exploited Vulnerability
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
| Max Base Score | 9.8 |
| Published | 2018-07-19 |
| Updated | 2021-04-20 |
| EPSS | 97.47% |
| KEV Added | 2022-04-13 |
CVE-2018-7600
Public exploit exists
Known Exploited Vulnerability
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
| Max Base Score | 9.8 |
| Published | 2018-03-29 |
| Updated | 2019-03-01 |
| EPSS | 97.56% |
| KEV Added | 2021-11-03 |
Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.
| Max Base Score | 9.8 |
| Published | 2018-08-06 |
| Updated | 2018-10-04 |
| EPSS | 7.39% |
A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments
| Max Base Score | 8.1 |
| Published | 2017-03-16 |
| Updated | 2019-10-03 |
| EPSS | 6.64% |
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
| Max Base Score | 8.1 |
| Published | 2016-04-12 |
| Updated | 2016-05-09 |
| EPSS | 4.18% |
The Storage API module 7.x before 7.x-1.6 for Drupal might allow remote attackers to execute arbitrary code by leveraging failure to update .htaccess file contents after SA-CORE-2013-003.
| Max Base Score | 9.8 |
| Published | 2018-03-29 |
| Updated | 2018-04-27 |
| EPSS | 2.22% |
Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.
| Max Base Score | 6.5 |
| Published | 2008-08-27 |
| Updated | 2017-08-08 |
| EPSS | 1.44% |
The Aggregation module 5.x before 5.x-4.4 for Drupal allows remote attackers to upload files with arbitrary extensions, and possibly execute arbitrary code, via a crafted feed that allows upload of files with arbitrary extensions.
| Max Base Score | 9.3 |
| Published | 2008-07-03 |
| Updated | 2017-08-08 |
| EPSS | 3.73% |
The Comment Upload 4.7.x before 4.7.x-0.1 and 5.x before 5.x-0.1 module for Drupal does not properly use functions in the upload module, which allows remote attackers to bypass upload validation, and upload arbitrary files and possibly execute arbitrary code, via unspecified vectors.
| Max Base Score | 6.4 |
| Published | 2008-02-05 |
| Updated | 2011-03-08 |
| EPSS | 1.99% |
Unspecified vulnerability in the Fileshare module for Drupal allows remote authenticated users with node-creation privileges to execute arbitrary code via unspecified vectors.
| Max Base Score | 8.5 |
| Published | 2008-01-15 |
| Updated | 2017-08-08 |
| EPSS | 0.35% |
Unspecified vulnerability in the Meta Tags (aka Nodewords) 5.x-1.6 module for Drupal, when images are permitted in node bodies, allows remote authenticated users to execute arbitrary code via unspecified vectors involving creation of a node.
| Max Base Score | 6.8 |
| Published | 2008-01-15 |
| Updated | 2017-08-08 |
| EPSS | 3.15% |
install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified.
| Max Base Score | 6.8 |
| Published | 2007-10-19 |
| Updated | 2021-04-19 |
| EPSS | 10.75% |
The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."
| Max Base Score | 6.5 |
| Published | 2007-01-31 |
| Updated | 2021-04-19 |
| EPSS | 3.06% |
Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue.
| Max Base Score | 8.5 |
| Published | 2007-01-26 |
| Updated | 2017-07-29 |
| EPSS | 1.94% |
Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides are disabled within .htaccess, allows remote attackers to execute arbitrary code by uploading a file with multiple extensions, a variant of CVE-2006-2743.
| Max Base Score | 7.5 |
| Published | 2006-06-06 |
| Updated | 2018-10-18 |
| EPSS | 15.29% |
19 vulnerabilities found