drupal

Description: A PHP-based content management platform
Version:     9.2.6-1 [community]

Resolved

Group     Affected  Fixed     Severity  Status        Ticket
AVG-2407  9.2.0-1   9.2.6-1   High      Fixed
AVG-2224  9.2.0-1             Medium    Not affected
AVG-2069  9.1.7-1   9.1.10-1  High      Fixed
AVG-1463  9.0.6-2   9.1.7-1   Critical  Fixed
AVG-744   8.5.5-1   8.5.6-1   Medium    Fixed
AVG-679   8.5.2-1   8.5.3-1   Critical  Fixed
AVG-665   8.5.0-1   8.5.1-1   Critical  Fixed
AVG-75    7.51-1    7.52-1    Medium    Fixed
AVG-74    8.2.2-1   8.2.3-1   Medium    Fixed
Issue           Group     Severity  Remote  Type                          Description (on the following line)
CVE-2021-33829  AVG-2069  High      Yes     Cross-site scripting
    Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to a cross-site scripting (XSS) attack....
CVE-2021-32610  AVG-2224  Medium    Yes     Directory traversal
    In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
CVE-2020-36193  AVG-1463  Medium    Yes     Directory traversal
    Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to...
CVE-2020-13677  AVG-2407  High      Yes     Access restriction bypass
    Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access...
CVE-2020-13676  AVG-2407  High      Yes     Information disclosure
    The Drupal QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites...
CVE-2020-13675  AVG-2407  High      Yes     Access restriction bypass
    Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an...
CVE-2020-13674  AVG-2407  High      Yes     Cross-site request forgery
    The Drupal QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to...
CVE-2020-13673  AVG-2407  High      Yes     Cross-site scripting
    The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an...
CVE-2020-13672  AVG-1463  Critical  Yes     Cross-site scripting
    Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. The issue is fixed in Drupal versions 9.1.7,...
CVE-2018-14773  AVG-744   Medium    Yes     Access restriction bypass
    Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a...
CVE-2018-7602   AVG-679   Critical  Yes     Arbitrary command execution
    A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack...
CVE-2018-7600   AVG-665   Critical  Yes     Arbitrary code execution
    A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack...
CVE-2016-9452   AVG-74    Medium    Yes     Denial of service
    A specially crafted URL can cause a denial of service via the transliterate mechanism.
CVE-2016-9451   AVG-75    Medium    Yes     Open redirect
    Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party...
CVE-2016-9450   AVG-74    Low       Yes     Content spoofing
    The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page.
CVE-2016-9449   AVG-74    Low       Yes     Information disclosure
    Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict...

Advisories

Date         Advisory       Group     Severity  Type
15 Jun 2021  ASA-202106-35  AVG-2069  High      cross-site scripting
27 Apr 2018  ASA-201804-10  AVG-679   Critical  arbitrary command execution
01 Apr 2018  ASA-201804-1   AVG-665   Critical  arbitrary code execution
19 Nov 2016  ASA-201611-20  AVG-74    Medium    multiple issues