Count 1 966
Vulnerability | CVSS | EPSS | Published | |
---|---|---|---|---|
GHSA-xq54-x54m-vcpx Drupal core Denial of Service | CVSS3: 7.5 | 0% Low | 7 months ago | |
GHSA-xj97-v87w-5pf9 Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575. | | 0% Low | about 3 years ago | |
GHSA-xhmx-mwfm-vrhx includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header. | | 3% Low | about 3 years ago | |
GHSA-xh3v-6f9j-wxw3 Drupal core Information Disclosure vulnerability | CVSS3: 7.5 | 0% Low | almost 3 years ago | |
GHSA-x72f-ggjw-v5xh Drupal Core Arbitrary PHP code execution vulnerability | CVSS3: 8.8 | 2% Low | about 3 years ago | |
GHSA-x6x4-j89w-cw4w The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles. | | 0% Low | about 3 years ago | |
GHSA-x3xc-9hqw-jqwj Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PHP5, does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission. | | 1% Low | about 3 years ago | |
GHSA-x2q9-r8gm-f657 Drupal Core Access bypass vulnerability | CVSS3: 5.3 | 0% Low | about 3 years ago | |
GHSA-wxqp-jwc9-g39x Drupal Core Access bypass vulnerability | CVSS3: 9.8 | 1% Low | about 3 years ago | |
GHSA-wx48-g6pf-jvc9 The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism. | | 1% Low | about 3 years ago | |
GHSA-wwrm-8947-4m6c Drupal Open Redirect | | 0% Low | about 3 years ago | |
GHSA-wvh2-7875-xq75 Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors. | | 0% Low | about 3 years ago | |
GHSA-wpp8-fjgf-pwc7 Drupal Core Vulnerable to Forceful Browsing | CVSS3: 4.6 | 0% Low | 3 months ago | |
GHSA-wm86-w3cf-h6vm Drupal external link injection vulnerability | CVSS3: 4.7 | 0% Low | about 3 years ago | |
GHSA-whch-jrm6-gwgp Interpretation conflict in file.inc in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer as a result of CVE-2005-3312. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer and the proper fix should be in that browser; if so, then this should not be treated as a vulnerability in Drupal. | | 1% Low | about 3 years ago | |
GHSA-wgpj-2628-3c8v Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu. | | 1% Low | about 3 years ago | |
GHSA-w7qx-vwr9-2j3r Drupal editor module incorrectly checks access to inline private files | CVSS3: 7.5 | 0% Low | about 3 years ago | |
GHSA-w6rx-9g2x-mg5g Drupal core contains a potential PHP Object Injection vulnerability | CVSS3: 9.8 | 2% Low | 6 months ago | |
GHSA-w3gp-frj6-h378 Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag. | | 3% Low | about 3 years ago | |
GHSA-w2pj-c8x5-jvg2 Drupal File upload access bypass and denial of service | CVSS3: 8.1 | 0% Low | about 3 years ago | |