| CVE-2021-33829 |
AVG-2069 |
High |
Yes |
Cross-site scripting |
Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to a cross-site scripting (XSS) attack.... |
| CVE-2021-32610 |
AVG-2224 |
Medium |
Yes |
Directory traversal |
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193. |
| CVE-2020-36193 |
AVG-1463 |
Medium |
Yes |
Directory traversal |
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to... |
| CVE-2020-13677 |
AVG-2407 |
High |
Yes |
Access restriction bypass |
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access... |
| CVE-2020-13676 |
AVG-2407 |
High |
Yes |
Information disclosure |
The Drupal QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites... |
| CVE-2020-13675 |
AVG-2407 |
High |
Yes |
Access restriction bypass |
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an... |
| CVE-2020-13674 |
AVG-2407 |
High |
Yes |
Cross-site request forgery |
The Drupal QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to... |
| CVE-2020-13673 |
AVG-2407 |
High |
Yes |
Cross-site scripting |
The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an... |
| CVE-2020-13672 |
AVG-1463 |
Critical |
Yes |
Cross-site scripting |
Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. The issue is fixed in Drupal versions 9.1.7,... |
| CVE-2018-14773 |
AVG-744 |
Medium |
Yes |
Access restriction bypass |
Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a... |
| CVE-2018-7602 |
AVG-679 |
Critical |
Yes |
Arbitrary command execution |
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack... |
| CVE-2018-7600 |
AVG-665 |
Critical |
Yes |
Arbitrary code execution |
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack... |
| CVE-2016-9452 |
AVG-74 |
Medium |
Yes |
Denial of service |
A specially crafted URL can cause a denial of service via the transliterate mechanism. |
| CVE-2016-9451 |
AVG-75 |
Medium |
Yes |
Open redirect |
Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party... |
| CVE-2016-9450 |
AVG-74 |
Low |
Yes |
Content spoofing |
The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page. |
| CVE-2016-9449 |
AVG-74 |
Low |
Yes |
Information disclosure |
Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict... |