CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Drupal : Security Vulnerabilities (CVSS score >= 7)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-35191 306 2020-12-17 2020-12-18
10.0
None Remote Low Not required Complete Complete Complete
The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
2 CVE-2020-13665 863 Bypass 2021-05-05 2021-05-14
7.5
None Remote Low Not required Partial Partial Partial
Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.
3 CVE-2020-13664 77 Exec Code 2021-05-05 2021-05-14
9.3
None Remote Medium Not required Complete Complete Complete
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.
4 CVE-2019-19826 502 Exec Code 2019-12-16 2019-12-27
7.5
None Remote Low Not required Partial Partial Partial
The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion. Code execution might also be possible.
5 CVE-2019-11831 22 Dir. Trav. Bypass 2019-05-09 2021-10-01
7.5
None Remote Low Not required Partial Partial Partial
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
6 CVE-2019-10910 89 Exec Code Sql 2019-05-16 2021-09-29
7.5
None Remote Low Not required Partial Partial Partial
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
7 CVE-2019-6339 20 Exec Code 2019-01-22 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.
8 CVE-2018-7602 Exec Code 2018-07-19 2021-04-20
7.5
None Remote Low Not required Partial Partial Partial
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
9 CVE-2018-7600 20 Exec Code 2018-03-29 2019-03-01
7.5
None Remote Low Not required Partial Partial Partial
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
10 CVE-2017-6925 2019-01-15 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.
11 CVE-2017-6920 19 Exec Code 2018-08-06 2018-10-04
7.5
None Remote Low Not required Partial Partial Partial
Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.
12 CVE-2016-3168 254 2016-04-12 2016-04-14
8.5
None Remote Medium ??? Complete Complete Complete
The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."
13 CVE-2015-6659 89 Exec Code Sql 2015-08-24 2016-12-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment.
14 CVE-2014-5170 20 Exec Code 2018-03-29 2018-04-27
7.5
None Remote Low Not required Partial Partial Partial
The Storage API module 7.x before 7.x-1.6 for Drupal might allow remote attackers to execute arbitrary code by leveraging failure to update .htaccess file contents after SA-CORE-2013-003.
15 CVE-2014-3704 89 4 Sql 2014-10-16 2021-09-29
7.5
None Remote Low Not required Partial Partial Partial
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
16 CVE-2014-1475 2014-01-24 2014-02-21
7.5
None Remote Low Not required Partial Partial Partial
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.
17 CVE-2011-2715 89 Sql 2020-01-14 2020-01-24
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
18 CVE-2011-2687 264 Bypass 2011-07-27 2015-09-03
7.5
None Remote Low Not required Partial Partial Partial
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
19 CVE-2009-1034 89 Exec Code Sql 2009-03-20 2017-08-17
10.0
None Remote Low Not required Complete Complete Complete
SQL injection vulnerability in the Tasklist module 5.x-1.x before 5.x-1.3 and 5.x-2.x before 5.x-2.0-alpha1, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via values in the URI.
20 CVE-2008-6171 16 2009-02-19 2017-08-17
9.3
None Remote Medium Not required Complete Complete Complete
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header.
21 CVE-2008-6136 264 +Priv 2009-02-14 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to gain privileges as another user or an administrator via unknown attack vectors.
22 CVE-2008-4793 264 Bypass 2008-10-29 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules.
23 CVE-2008-4598 XSS 2008-10-17 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Shindig-Integrator 5.x, a module for Drupal, has unspecified impact and remote attack vectors related to "numerous flaws" that are not related to XSS or access control, a different vulnerability than CVE-2008-4596 and CVE-2008-4597.
24 CVE-2008-4597 264 +Priv 2008-10-17 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
Shindig-Integrator 5.x, a module for Drupal, does not properly restrict generated page access, which allows remote attackers to gain privileges via unspecified vectors.
25 CVE-2008-4531 89 Exec Code Sql 2008-10-09 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to queries. NOTE: this might be the same issue as CVE-2008-4338.
26 CVE-2008-4148 89 Exec Code Sql 2008-09-24 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API.
27 CVE-2008-3223 89 Exec Code Sql 2008-07-18 2021-04-15
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields."
28 CVE-2008-3001 94 Exec Code 2008-07-03 2017-08-08
9.3
None Remote Medium Not required Complete Complete Complete
The Aggregation module 5.x before 5.x-4.4 for Drupal allows remote attackers to upload files with arbitrary extensions, and possibly execute arbitrary code, via a crafted feed that allows upload of files with arbitrary extensions.
29 CVE-2008-2999 89 Exec Code Sql 2008-07-03 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
30 CVE-2008-2850 89 Exec Code Sql 2008-06-25 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the TrailScout module 5.x before 5.x-1.4 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified cookies, related to improper use of the Drupal database API.
31 CVE-2008-2772 94 Exec Code 2008-06-18 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
The Magic Tabs module 5.x before 5.x-1.1 for Drupal allows remote attackers to execute arbitrary PHP code via unspecified URL arguments, possibly related to a missing "whitelist of callbacks."
32 CVE-2008-0823 287 2008-02-19 2017-08-08
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the Header Image Module before 5.x-1.1 for Drupal allows remote attackers to access the administration pages via unknown attack vectors.
33 CVE-2008-0568 +Priv 2008-02-05 2011-03-08
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in the IP-authentication feature in the Secure Site 5.x-1.0 and 4.7.x-1.0 module for Drupal allows remote attackers to gain the privileges of a user who has authenticated from behind the same proxy server as the attacker.
34 CVE-2008-0277 20 Exec Code 2008-01-15 2017-08-08
8.5
None Remote Medium ??? Complete Complete Complete
Unspecified vulnerability in the Fileshare module for Drupal allows remote authenticated users with node-creation privileges to execute arbitrary code via unspecified vectors.
35 CVE-2007-6299 20 Exec Code Sql 2007-12-10 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2) ajaxLoader, and (3) ubrowser contributed modules.
36 CVE-2007-3690 2007-07-11 2017-07-29
7.8
None Remote Low Not required Complete None None
The Forward module before 4.7-1.1 and 5.x before 5.x-1.0 for Drupal allows remote attackers to read restricted posts in (1) Organic Groups, (2) Taxonomy Access Control, (3) Taxonomy Access Lite, and other unspecified node access modules, via modified URL arguments.
37 CVE-2007-3689 2007-07-11 2017-07-29
7.8
None Remote Low Not required Complete None None
The Print module before 4.7-1.0 and 5.x before 5.x-1.2 for Drupal allows remote attackers to read restricted posts in (1) Organic Groups, (2) Taxonomy Access Control, (3) Taxonomy Access Lite, and other unspecified node access modules, via modified URL arguments.
38 CVE-2007-2160 CSRF 2007-04-22 2011-03-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Database Administration (dba) module 4.6.x-*, and before 4.7.x-1.2 in the 4.7.x-1.* series, for Drupal allow remote attackers to perform unauthorized actions as an arbitrary user, a related issue to CVE-2006-5476.
39 CVE-2007-1035 2007-02-21 2017-07-29
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .mp3 files via unknown vectors.
40 CVE-2007-1033 Bypass 2007-02-21 2017-07-29
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Secure site 4.7.x-1.x-dev and 5.x-1.x-dev module for Drupal allows remote attackers to bypass access restrictions via a crafted URL.
41 CVE-2007-0505 Exec Code 2007-01-26 2017-07-29
8.5
None Remote Medium ??? Complete Complete Complete
Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue.
42 CVE-2006-6530 Exec Code Sql 2006-12-14 2017-07-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Help Tip module before 4.7.x-1.0 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
43 CVE-2006-6529 +Info 2006-12-14 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
The Chatroom Module before 4.7.x.-1.0 for Drupal displays private messages in a chatroom's last messages overview, which allows remote attackers to obtain sensitive information by reading the overview.
44 CVE-2006-6528 +Priv 2006-12-14 2011-03-08
7.5
None Remote Low Not required Partial Partial Partial
The Chatroom Module before 4.7.x.-1.0 for Drupal broadcasts Chatroom visitors' session IDs to all participants, which allows remote attackers to hijack sessions and gain privileges.
45 CVE-2006-5608 Exec Code Sql 2006-10-30 2017-07-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Extended Tracker (xtracker) 4.7 before 1.5.2.1 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "parameters from URLs."
46 CVE-2006-5476 CSRF 2006-10-24 2018-10-17
7.5
None Remote Low Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors.
47 CVE-2006-4717 Bypass 2006-09-12 2011-03-08
7.5
None Remote Low Not required Partial Partial Partial
The login redirection mechanism in the Drupal 4.7 Pubcookie module before 1.2.2.4 2006/09/06 and the Drupal 4.6 Pubcookie module before 1.6.2.1 2006/09/07 allows remote attackers to bypass authentication requirements and spoof identities of arbitrary users via unspecified vectors.
48 CVE-2006-4356 Exec Code Sql 2006-08-27 2017-07-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Drupal Easylinks Module (easylinks.module) 4.7 before 1.5.2.1 2006/08/19 12:02:27 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
49 CVE-2006-4108 Exec Code Sql 2006-08-14 2017-07-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Bibliography (biblio.module) 4.6 before revision 1.1.1.1.4.11 and 4.7 before revision 1.13.2.5 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
50 CVE-2006-4107 Exec Code Sql 2006-08-14 2017-07-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Job Search module (job.module) 4.6 before revision 1.3.2.1 in Drupal allows remote attackers to execute arbitrary SQL commands via a job or resume search.
Total number of vulnerabilities : 54   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.