Drupal — система управления контентом с открытым исходным кодом. На Drupal работает более миллиона сайтов — от личных блогов до сайтов компаний, политических партий и государственных организаций.
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 988
GHSA-58f3-cx8p-h8jg
Drupal core access bypass vulnerability
GHSA-5vwg-c233-4qjm
Cross-site request forgery (CSRF) vulnerability in the BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that login a user to another web site.
GHSA-j7rr-r9x8-9jvj
Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors.
GHSA-vp7c-82j8-vfqp
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache."
GHSA-367f-3f3f-6cpx
The Organic Groups (OG) module 7.x-1.x before 7.x-1.5 for Drupal does not properly maintain pending group memberships, which allows remote authenticated users to post to arbitrary groups by modifying their own account while a pending membership is waiting to be approved.
GHSA-3gx6-h57h-rm27
Drupal Core Remote Code Execution Vulnerability
GHSA-9m8p-564h-5p6w
Multiple cross-site scripting (XSS) vulnerabilities in the Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via a (1) page title or (2) crafted email message.
GHSA-cfc7-w9hw-779w
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.
GHSA-p4jq-p7qf-pw64
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.
GHSA-8wgj-6wx8-h5hq
Symfony HTTP Foundation web cache poisoning
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-58f3-cx8p-h8jg Drupal core access bypass vulnerability | CVSS3: 6.5 | 3% Низкий | больше 3 лет назад |
| GHSA-5vwg-c233-4qjm Cross-site request forgery (CSRF) vulnerability in the BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that login a user to another web site. | 0% Низкий | больше 3 лет назад | |
| GHSA-j7rr-r9x8-9jvj Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors. | 0% Низкий | больше 3 лет назад | |
| GHSA-vp7c-82j8-vfqp The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache." | 0% Низкий | больше 3 лет назад | |
| GHSA-367f-3f3f-6cpx The Organic Groups (OG) module 7.x-1.x before 7.x-1.5 for Drupal does not properly maintain pending group memberships, which allows remote authenticated users to post to arbitrary groups by modifying their own account while a pending membership is waiting to be approved. | 0% Низкий | больше 3 лет назад | |
| GHSA-3gx6-h57h-rm27 Drupal Core Remote Code Execution Vulnerability | CVSS3: 8.1 | 94% Критический | больше 3 лет назад |
| GHSA-9m8p-564h-5p6w Multiple cross-site scripting (XSS) vulnerabilities in the Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via a (1) page title or (2) crafted email message. | 0% Низкий | больше 3 лет назад | |
| GHSA-cfc7-w9hw-779w The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. | 80% Высокий | больше 3 лет назад | |
| GHSA-p4jq-p7qf-pw64 Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. | 0% Низкий | больше 3 лет назад | |
| GHSA-8wgj-6wx8-h5hq Symfony HTTP Foundation web cache poisoning | CVSS3: 6.5 | 17% Средний | больше 3 лет назад |
Уязвимостей на страницу