Drupal is an open-source content management system. More than a million sites run on Drupal, from personal blogs to the sites of companies, political parties and government organizations.
Release cycle and vulnerability information
Release schedule
Vulnerabilities recorded: 1 988
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| GHSA-2p28-5mvp-2j2r: Drupal Comment reply form allows access to restricted content | CVSS3: 8.1 | 0% Low | more than 3 years ago |
| GHSA-pqhc-wq43-44m5: Cross-site scripting (XSS) vulnerability in the administrative interface in the Campaign Monitor module before 6.x-2.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site). | | 0% Low | more than 3 years ago |
| GHSA-9c24-g32g-35rj: Drupal PECL YAML parser unsafe object handling | CVSS3: 9.8 | 67% Medium | more than 3 years ago |
| GHSA-qr75-jf52-qrw8: ** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future. | | 0% Low | more than 3 years ago |
| GHSA-6f6h-rwhv-q9gg: Multiple SQL injection vulnerabilities in the ajax_checklist_save function in the Ajax Checklist module 5.x before 5.x-1.1 for Drupal allow remote authenticated users, with "update ajax checklists" permissions, to execute arbitrary SQL commands via a save operation, related to the (1) nid, (2) qid, and (3) state parameters. | | 0% Low | more than 3 years ago |
| GHSA-7ffg-g538-4c8c: The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully log in via unknown vectors. | | 1% Low | more than 3 years ago |
| GHSA-8q2j-8pc6-8c5r: The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values. | | 0% Low | more than 3 years ago |
| GHSA-26gr-c7rc-wwqj: Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions. | | 2% Low | more than 3 years ago |
| GHSA-hqq6-wqq7-jgjq: Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL. | | 0% Low | more than 3 years ago |
| GHSA-7fh9-933g-885p: Drupal Core Remote Code Execution Vulnerability | CVSS3: 9.8 | 94% Critical | more than 3 years ago |