Drupal — система управления контентом с открытым исходным кодом. На Drupal работает более миллиона сайтов — от личных блогов до сайтов компаний, политических партий и государственных организаций.
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 988
CVE-2020-11023
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-11022
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-9281
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
CVE-2020-9281
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
GHSA-cchx-mfrc-fwqr
Improper authentication in Symfony
CVE-2011-2715
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
CVE-2011-2714
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.
GHSA-6rmq-x2hv-vxpp
Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data
GHSA-pgwj-prpq-jpc2
Symfony Service IDs Allow Injection
CVE-2011-2726
An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2020-11023 In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | CVSS3: 6.1 | 32% Средний | почти 6 лет назад |
| CVE-2020-11022 In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | CVSS3: 6.1 | 19% Средний | почти 6 лет назад |
 | CVE-2020-9281 A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). | CVSS3: 6.1 | 1% Низкий | почти 6 лет назад |
 | CVE-2020-9281 A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). | CVSS3: 6.1 | 1% Низкий | почти 6 лет назад |
| GHSA-cchx-mfrc-fwqr Improper authentication in Symfony | CVSS3: 7.5 | 0% Низкий | почти 6 лет назад |
| CVE-2011-2715 An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. | CVSS3: 9.8 | 1% Низкий | около 6 лет назад |
| CVE-2011-2714 A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. | CVSS3: 6.1 | 1% Низкий | около 6 лет назад |
| GHSA-6rmq-x2hv-vxpp Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data | CVSS3: 8 | 1% Низкий | около 6 лет назад |
| GHSA-pgwj-prpq-jpc2 Symfony Service IDs Allow Injection | CVSS3: 9.8 | 13% Средний | около 6 лет назад |
| CVE-2011-2726 An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL. | CVSS3: 7.5 | 0% Низкий | около 6 лет назад |
Уязвимостей на страницу