Total
710 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-45440 | 1 Drupal | 1 Drupal | 2025-04-21 | N/A | 5.3 MEDIUM |
| core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. | |||||
| CVE-2015-2750 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-20 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence. | |||||
| CVE-2015-7880 | 1 Drupal | 1 Drupal | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames. | |||||
| CVE-2015-7943 | 3 Drupal, Jquery Update Project, Labjs Project | 3 Drupal, Jquery Update, Labjs | 2025-04-20 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3233. | |||||
| CVE-2017-6377 | 1 Drupal | 1 Drupal | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass. | |||||
| CVE-2015-2749 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-20 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. | |||||
| CVE-2017-6379 | 1 Drupal | 1 Drupal | 2025-04-20 | 5.1 MEDIUM | 7.5 HIGH |
| Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID. | |||||
| CVE-2017-6919 | 1 Drupal | 1 Drupal | 2025-04-20 | 6.0 MEDIUM | 7.5 HIGH |
| Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests. | |||||
| CVE-2017-6381 | 1 Drupal | 1 Drupal | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments | |||||
| CVE-2025-3057 | 1 Drupal | 1 Drupal | 2025-04-15 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. | |||||
| CVE-2016-9450 | 1 Drupal | 1 Drupal | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context. | |||||
| CVE-2016-3170 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in. | |||||
| CVE-2015-3233 | 1 Drupal | 1 Drupal | 2025-04-12 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2016-3171 | 3 Debian, Drupal, Php | 3 Debian Linux, Drupal, Php | 2025-04-12 | 6.8 MEDIUM | 8.1 HIGH |
| Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation. | |||||
| CVE-2014-2983 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | 5.0 MEDIUM | N/A |
| Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. | |||||
| CVE-2013-4177 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2025-04-12 | 5.0 MEDIUM | N/A |
| The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors. | |||||
| CVE-2015-6658 | 1 Drupal | 1 Drupal | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files. | |||||
| CVE-2013-4178 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2025-04-12 | 5.0 MEDIUM | N/A |
| The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP). | |||||
| CVE-2016-6211 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | 6.5 MEDIUM | 8.8 HIGH |
| The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form. | |||||
| CVE-2014-5019 | 1 Drupal | 1 Drupal | 2025-04-12 | 5.0 MEDIUM | N/A |
| The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use. | |||||