Drupal — система управления контентом с открытым исходным кодом. На Drupal работает более миллиона сайтов — от личных блогов до сайтов компаний, политических партий и государственных организаций.
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 975
GHSA-8wgh-rhq6-89pj
The Node Reference module in Content Construction Kit (CCK) module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes.
GHSA-2p45-c9hc-p9hf
Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 5.x before 5.x-3.2 and 6.x before 6.x-3.2 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via unspecified vectors in the hierarchical_select form.
GHSA-7pq7-q7xj-fgj3
SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method.
GHSA-pwfc-xvgf-hcc3
The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships.
GHSA-hhwf-x424-rgm4
The Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site.
GHSA-7hx7-q7rx-7h3h
The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user.
GHSA-vq32-57rm-4rq8
Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors.
GHSA-xw8q-7hw6-59rg
SQL injection vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
GHSA-jmmf-pffx-66x4
Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
GHSA-vh49-4q7j-v7vc
Cross-site request forgery (CSRF) vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-8wgh-rhq6-89pj The Node Reference module in Content Construction Kit (CCK) module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes. | 1% Низкий | больше 3 лет назад | |
| GHSA-2p45-c9hc-p9hf Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 5.x before 5.x-3.2 and 6.x before 6.x-3.2 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via unspecified vectors in the hierarchical_select form. | 0% Низкий | больше 3 лет назад | |
| GHSA-7pq7-q7xj-fgj3 SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method. | 0% Низкий | больше 3 лет назад | |
| GHSA-pwfc-xvgf-hcc3 The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships. | 1% Низкий | больше 3 лет назад | |
| GHSA-hhwf-x424-rgm4 The Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site. | 1% Низкий | больше 3 лет назад | |
| GHSA-7hx7-q7rx-7h3h The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user. | 0% Низкий | больше 3 лет назад | |
| GHSA-vq32-57rm-4rq8 Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors. | 0% Низкий | больше 3 лет назад | |
| GHSA-xw8q-7hw6-59rg SQL injection vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 0% Низкий | больше 3 лет назад | |
| GHSA-jmmf-pffx-66x4 Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 0% Низкий | больше 3 лет назад | |
| GHSA-vh49-4q7j-v7vc Cross-site request forgery (CSRF) vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 0% Низкий | больше 3 лет назад |
Уязвимостей на страницу