Count: 1,988
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| GHSA-p68q-6jc7-9w28 Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | | 5% Low | more than 3 years ago |
| GHSA-p4jq-p7qf-pw64 Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. | | 0% Low | more than 3 years ago |
| GHSA-p3x4-6c52-8c69 Cross-site scripting (XSS) vulnerability in the webform module in Drupal 4.6 before July 8, 2006 and 4.7 before July 8, 2006 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | | 0% Low | more than 3 years ago |
| GHSA-mrvq-r8g7-548f The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files. | | 1% Low | more than 3 years ago |
| GHSA-mpww-gpm7-w7qg ** DISPUTED ** Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE. | | 1% Low | more than 3 years ago |
| GHSA-mmjr-5q74-p3m4 Exposure of Resource to Wrong Sphere in Drupal Core | CVSS3: 7.5 | 0% Low | almost 4 years ago |
| GHSA-mhpg-hpj5-73r2 Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels | CVSS3: 3.7 | 0% Low | about 1 month ago |
| GHSA-mg8j-w93w-xjgc Drupal Full Path Disclosure | CVSS3: 5.3 | 85% High | more than 1 year ago |
| GHSA-m6vv-vcj8-w8m7 Drupal core allows Object Injection | CVSS3: 5.9 | 0% Low | about 1 month ago |
| GHSA-m6q5-wv4x-fv6h Cross-site Scripting in Drupal Core | CVSS3: 6.1 | 1% Low | almost 4 years ago |
| GHSA-m648-hpf8-qcjw Drupal Core Cross-Site Request Forgery (CSRF) vulnerability | CVSS3: 8.8 | 0% Low | more than 3 years ago |
| GHSA-m4wj-hhwj-47qp Drupal Core Cross-Site Scripting (XSS) Vulnerability | CVSS3: 5.4 | 0% Low | 9 months ago |
| GHSA-m4rx-8rj2-qhj2 The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames. | CVSS3: 4.3 | 0% Low | more than 3 years ago |
| GHSA-m4pj-47x5-hq8v The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file. | | 55% Medium | more than 3 years ago |
| GHSA-m39x-8hp2-rvf4 The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests. | | 1% Low | more than 3 years ago |
| GHSA-jq73-c7h9-wr72 Drupal 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. | | 1% Low | more than 3 years ago |
| GHSA-jpj8-49hr-wcwv Drupal Denial of service via transliterate mechanism | CVSS3: 6.5 | 0% Low | more than 3 years ago |
| GHSA-jp2q-xrh4-4hph SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment. | | 14% Medium | more than 3 years ago |
| GHSA-jmjm-jmgj-gh38 The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks. | | 0% Low | more than 3 years ago |
| GHSA-jf54-qfqg-9hgv The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. | | 1% Low | more than 3 years ago |