Drupal — система управления контентом с открытым исходным кодом. На Drupal работает более миллиона сайтов — от личных блогов до сайтов компаний, политических партий и государственных организаций.
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 988
CVE-2011-2726
An access bypass issue was found in Drupal 7.x before version 7.5. If ...
CVE-2011-2726
An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL. If a Drupal site is using these features on comments, and the parent node is denied access (either by a node access module or by being unpublished), the file attached to the comment can still be downloaded by non-privileged users if they know or guess its direct URL. This issue affects Drupal 7.x only.
GHSA-g996-q5r8-w7g2
Symfony Cross-site Scripting (XSS) vulnerability
CVE-2010-2473
Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked.
CVE-2010-2473
Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly b ...
CVE-2010-2472
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
CVE-2010-2472
Locale module and dependent contributed modules in Drupal 6.x before 6 ...
CVE-2010-2472
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
CVE-2010-2473
Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked.
CVE-2010-2250
Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| CVE-2011-2726 An access bypass issue was found in Drupal 7.x before version 7.5. If ... | CVSS3: 7.5 | 0% Низкий | около 6 лет назад |
 | CVE-2011-2726 An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL. If a Drupal site is using these features on comments, and the parent node is denied access (either by a node access module or by being unpublished), the file attached to the comment can still be downloaded by non-privileged users if they know or guess its direct URL. This issue affects Drupal 7.x only. | CVSS3: 7.5 | 0% Низкий | около 6 лет назад |
| GHSA-g996-q5r8-w7g2 Symfony Cross-site Scripting (XSS) vulnerability | CVSS3: 5.4 | 0% Низкий | около 6 лет назад |
 | CVE-2010-2473 Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. | CVSS3: 6.5 | 0% Низкий | больше 6 лет назад |
| CVE-2010-2473 Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly b ... | CVSS3: 6.5 | 0% Низкий | больше 6 лет назад |
| CVE-2010-2472 Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. | CVSS3: 4.8 | 1% Низкий | больше 6 лет назад |
| CVE-2010-2472 Locale module and dependent contributed modules in Drupal 6.x before 6 ... | CVSS3: 4.8 | 1% Низкий | больше 6 лет назад |
| CVE-2010-2472 Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. | CVSS3: 4.8 | 1% Низкий | больше 6 лет назад |
| CVE-2010-2473 Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. | CVSS3: 6.5 | 0% Низкий | больше 6 лет назад |
| CVE-2010-2250 Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. | CVSS3: 6.1 | 1% Низкий | больше 6 лет назад |
Уязвимостей на страницу