Drupal is an open-source content management system. More than a million sites run on Drupal, from personal blogs to the sites of companies, political parties and government organisations.
Release cycle and vulnerability information
Vulnerabilities: 1 988
| Vulnerability | Description | CVSS | EPSS | Published |
|---|---|---|---|---|
| GHSA-vqp6-f6x9-5r96 | Drupal 6.x before 6.16 and 5.x before 5.22 does not properly block users under certain circumstances: a blocked user who still has an open session could keep using that session on the site despite being blocked. | | 0% (Low) | almost 4 years ago |
| GHSA-3gw2-26w5-pcm6 | The Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before 5.22 do not properly sanitize the display of language codes and of native and English language names, which could allow an attacker to perform a cross-site scripting (XSS) attack. Mitigated by the fact that the attacker must have a role with the 'administer languages' permission. | | 1% (Low) | almost 4 years ago |
| GHSA-3v66-h3rq-pj5p | Drupal 6 version 6.16 has an open redirect. | | 1% (Low) | almost 4 years ago |
| BDU:2022-02724 | Vulnerability in the Drupal CMS core that lets an attacker elevate privileges. | CVSS3: 5.4 | | almost 4 years ago |
| GHSA-q7rv-6hp3-vh96 | Improper Input Validation in guzzlehttp/psr7 | CVSS3: 5.3 | 1% (Low) | almost 4 years ago |
| CVE-2022-24775 | guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing: an attacker could sneak a new-line character into a header value and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds. | CVSS3: 7.5 | 1% (Low) | almost 4 years ago |
| GHSA-4fc4-4p5g-6w89 | Cross-site Scripting in CKEditor4 | CVSS3: 5.4 | 1% (Low) | almost 4 years ago |
| CVE-2022-24729 | CKEditor4 is an open-source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin: a dialog input validator regular expression can be abused to cause a significant performance drop, resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. | CVSS3: 6.5 | 1% (Low) | almost 4 years ago |
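The CVE-2022-24775 entry above describes the general header-injection class: if a client serialises a header value without checking it, a value that carries a line terminator is written as two header lines and the receiving server sees a header the calling code never set. The block below is an added example written for this page; it is not code from guzzlehttp/psr7, Guzzle or Drupal. It serialises an HTTP/1.1 request the naive way, shows the smuggled header as a lenient server would parse it, and then applies an RFC 7230 field-value check that rejects CR, LF and NUL. The host name, header names and the attacker input are constructed for the example.

```python
"""CRLF header injection of the kind described for CVE-2022-24775.

Added example for this page; it is not code from guzzlehttp/psr7, Guzzle or
Drupal. The host name, header names and attacker input are constructed.
"""
import re

# RFC 7230 field-value: HTAB, SP, visible ASCII and obs-text; no CR, LF or NUL.
# Constructed for this example; it is not Guzzle's validator.
_FIELD_VALUE_RE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")
# RFC 7230 token grammar, used here for header names.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjection(ValueError):
    """Raised when a header name or value could split the serialised message."""


def is_valid_field_value(value: str) -> bool:
    """True when *value* cannot end a header line or start another one."""
    return _FIELD_VALUE_RE.fullmatch(value) is not None


def serialize_naive(method: str, path: str, headers: dict) -> str:
    """Write headers without validation: the behaviour the advisory describes."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def serialize_safe(method: str, path: str, headers: dict) -> str:
    """Refuse to serialise until every name and value passes the RFC 7230 checks."""
    for name, value in headers.items():
        if not _TOKEN_RE.fullmatch(name):
            raise HeaderInjection(f"illegal header name {name!r}")
        if not is_valid_field_value(value):
            raise HeaderInjection(f"CR, LF or NUL in header {name}: {value!r}")
    return serialize_naive(method, path, headers)


def parse_headers(raw: str) -> list:
    """Parse the header block as a lenient server would; returns (name, value) pairs.

    RFC 7230 section 3.5 lets a recipient accept a bare LF as a line
    terminator, so a value containing only "\\n" splits just like "\\r\\n".
    That is why LF alone must be rejected, not just the CRLF pair.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    _request_line, *field_lines = re.split(r"\r?\n", head)
    fields = []
    for line in field_lines:
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


# Constructed attacker input: a language tag with a header terminator inside it.
INJECTED_VALUE = "en-US\r\nX-Forwarded-For: 127.0.0.1"


def smuggled_headers(attacker_value: str) -> list:
    """Header names the server sees that the calling code never set."""
    headers = {"Host": "example.test", "Accept-Language": attacker_value}
    fields = parse_headers(serialize_naive("GET", "/", headers))
    return [name for name, _ in fields if name not in headers]


if __name__ == "__main__":
    print("naive client leaks:", smuggled_headers(INJECTED_VALUE))
    try:
        serialize_safe("GET", "/", {"Host": "example.test",
                                    "Accept-Language": INJECTED_VALUE})
    except HeaderInjection as exc:
        print("safe client rejected:", exc)
```

The check belongs on the client side at the point where untrusted data becomes a header value, which is what the 1.8.4 and 2.1.1 fixes address; a server that also strips or rejects bare LF limits the damage when a client does not.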
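The advisories above give exact fixed versions (guzzlehttp/psr7 1.8.4 for the 1.x branch and 2.1.1 for 2.x; CKEditor 4 4.18.0), which is what a practitioner checks an installed site against. The block below is an added example written for this page, not a tool from Drupal, Guzzle, CKEditor or the advisory database. It reads a composer.lock, compares each listed package with the branch-specific fix, and treats pre-release builds of the fixed version as still affected. The lock-file excerpt is constructed, and "ckeditor/ckeditor" as the Composer package name for CKEditor 4 is an assumption (Drupal core bundles CKEditor 4 outside Composer, so it may not appear in composer.lock at all).

```python
"""Check a composer.lock against the fixed versions named in the advisories above.

Added example for this page; it is not a tool from Drupal, Guzzle, CKEditor or
the advisory database. The lock-file content is constructed.
"""
import json
import re

# package -> one (major, first fixed version) pair per branch that received a fix
FIXED_IN = {
    "guzzlehttp/psr7": [(1, "1.8.4"), (2, "2.1.1")],
    "ckeditor/ckeditor": [(4, "4.18.0")],   # assumed package name, see lead-in
}

_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> tuple:
    """'v1.8.3' -> (1, 8, 3, 1). A pre-release suffix makes the last element 0,
    so 2.1.1-rc1 sorts before the 2.1.1 release that carries the fix."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse version {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if prerelease else 1)


def is_vulnerable(package: str, version: str) -> bool:
    """True when *version* is 'prior to' the fix for its branch."""
    branches = FIXED_IN.get(package)
    if branches is None:
        return False
    installed = parse_version(version)
    for major, fixed in branches:
        if installed[0] == major:
            return installed < parse_version(fixed)
    # A major older than every fixed branch (e.g. 0.x) predates all fixes;
    # a newer major was released after them and is outside the affected range.
    return installed[0] < min(major for major, _ in branches)


def audit_lock(lock_text: str) -> list:
    """Return (package, version, status) for each installed package needing attention."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg["name"], pkg["version"]
            try:
                if is_vulnerable(name, version):
                    findings.append((name, version, "vulnerable"))
            except ValueError:
                # dev-* builds of a listed package cannot be compared; review by hand
                findings.append((name, version, "unparseable"))
    return findings


# Constructed composer.lock excerpt: only the fields the audit reads are present.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/psr7", "version": "1.8.3"},
        {"name": "guzzlehttp/guzzle", "version": "7.4.1"},
        {"name": "ckeditor/ckeditor", "version": "4.17.2"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.20"},
    ],
})


if __name__ == "__main__":
    for name, version, status in audit_lock(SAMPLE_LOCK):
        print(f"{status}: {name} {version}")
```

Run it against a real lock file with `audit_lock(open("composer.lock").read())`; a package pinned to a `dev-*` branch is reported as unparseable rather than silently passed, since the advisory ranges say nothing about such builds.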