| purl | pkg:composer/drupal/drupal@7.0.0 |
|---|---|
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-349d-w26k-mqfw (Aliases: CVE-2019-11831, GHSA-xv7v-rf6g-xwrc) | Moderately critical - Third-party libraries - SA-CORE-2019-007: The `PharStreamWrapper` (aka `phar-stream-wrapper`) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a `phar:///path/bad.phar/../good.phar` URL. | Affected by 0 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 23 other vulnerabilities. |
| VCID-3fka-y25d-m7a3 (Aliases: CVE-2019-6339, GHSA-8cw5-rv98-5c46) | Improper Input Validation: A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted `phar://` URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration. | Affected by 0 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-3hf4-tvxn-zyh4 (Aliases: CVE-2017-6922, GHSA-58f3-cx8p-h8jg) | Files uploaded by anonymous users accessed by other users: Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core does not provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system. | Affected by 0 other vulnerabilities. Affected by 47 other vulnerabilities. |
| VCID-48ut-ykkc-83fx (Aliases: CVE-2017-6926, GHSA-2p28-5mvp-2j2r) | Comment reply form allows access to restricted content: Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments. | Affected by 0 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-53h1-sj47-gugn (Aliases: CVE-2016-3162, GHSA-w2pj-c8x5-jvg2) | Improper Access Control: The File module in Drupal allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files. | Affected by 0 other vulnerabilities. Affected by 64 other vulnerabilities. |
| VCID-5618-53yg-8qh4 (Aliases: CVE-2020-11022, GHSA-gxr4-xjj5-5px2) | Potential XSS vulnerability in jQuery. Impact: Passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. Patches: This problem is patched in jQuery 3.5.0. Workarounds: To work around the issue without upgrading, add the following to your code: `jQuery.htmlPrefilter = function( html ) { return html; };`. You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround. References: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and https://jquery.com/upgrade-guide/3.5/. For more information: If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue. | Affected by 77 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-565p-mgqe-gkfc (Aliases: 2019-03-20) | Cross-site Scripting vulnerability in drupal. | Affected by 23 other vulnerabilities. |
| VCID-6ck5-9e5b-w3ay (Aliases: CVE-2022-25275, GHSA-xh3v-6f9j-wxw3, GMS-2022-3362) | Improper access control: In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) `$config['image.settings']['allow_insecure_derivatives']` or (Drupal 7) `$conf['image_allow_insecure_derivatives']` to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating. | Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-6m8x-cfzp-tkf4 (Aliases: CVE-2020-13671, GHSA-68jc-v27h-vhmw) | Drupal core Unrestricted Upload of File with Dangerous Type: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. | Affected by 0 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. |
| VCID-8nda-kjr2-ufd4 (Aliases: GHSA-jf8c-36vw-98x4) | Drupal core Remote Code Execution: In Drupal core, when sending email some variables were not being sanitized for shell arguments in `DefaultMailSystem::mail()`, which could lead to remote code execution. | Affected by 0 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 27 other vulnerabilities. |
| VCID-9j42-9tx5-yfbq (Aliases: CVE-2012-2153, GHSA-vpm6-h53m-x2xf) | Drupal improper access restrictions: Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which allows remote authenticated users with the "Access the content overview page" permission to read all published nodes by accessing the admin/content page. | Affected by 0 other vulnerabilities. |
| VCID-9wt5-xe6d-n3cb (Aliases: CVE-2016-3164, GHSA-836p-6p4j-35cg) | Open redirect via path manipulation: Drupal might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on an error page, related to path manipulation. | Affected by 0 other vulnerabilities. Affected by 64 other vulnerabilities. |
| VCID-bk92-66re-dkc5 (Aliases: CVE-2023-31250, GHSA-8849-cv9f-vccm) | Access bypass in Drupal core: The file download facility does not sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating. | Affected by 0 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-btgv-ef3h-83d3 (Aliases: CVE-2021-41182, GHSA-9gj3-hwp5-pmwc) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources. | Affected by 77 other vulnerabilities. |
| VCID-cucx-jfqf-pkd1 (Aliases: CVE-2019-6338, GHSA-6rmq-x2hv-vxpp) | Deserialization of Untrusted Data: Drupal core uses the third-party PEAR `Archive_Tar` library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details. | Affected by 0 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-cvxp-ctj9-guej (Aliases: CVE-2020-11023, GHSA-jpcq-cgw6-v4j6) | Potential XSS vulnerability in jQuery. Impact: Passing HTML containing `<option>` elements from untrusted sources, even after sanitizing them, to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. Patches: This problem is patched in jQuery 3.5.0. Workarounds: To work around this issue without upgrading, use [DOMPurify](https://github.com/cure53/DOMPurify) with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method. References: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/. For more information: If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue. | Affected by 77 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-djgn-ezxp-37eu (Aliases: CVE-2019-6341, GHSA-cmmh-8mwp-gq5p) | Cross-site Scripting: Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. | Affected by 0 other vulnerabilities. Affected by 77 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
| VCID-en3b-g3f3-a3e3 (Aliases: CVE-2016-3163, GHSA-h3r9-pjmr-f938) | Brute force amplification attacks via XML-RPC: The XML-RPC system in Drupal might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method. | Affected by 0 other vulnerabilities. Affected by 64 other vulnerabilities. |
| VCID-er79-qj6u-sbgr (Aliases: GHSA-wxfg-253g-m7r4) | Drupal core Open Redirect vulnerability: Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the `drupal_goto()` function. Other versions of Drupal core are not vulnerable. | Affected by 0 other vulnerabilities. |
| VCID-g1rp-twzp-63e1 (Aliases: CVE-2017-6929, GHSA-5vpr-v24w-mmjj) | Cross-site Scripting: A jQuery cross-site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. | Affected by 0 other vulnerabilities. Affected by 48 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-ga35-289v-vqhr (Aliases: CVE-2018-7600, GHSA-7fh9-933g-885p) | Drupal Core Remote Code Execution Vulnerability: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. | Affected by 0 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 40 other vulnerabilities. |
| VCID-gbz5-5frj-hber (Aliases: CVE-2020-28949, GHSA-75c5-f4gw-38r9) | Multiple vulnerabilities through filename manipulation in Archive_Tar: Archive_Tar through 1.4.10 has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed. See: https://github.com/pear/Archive_Tar/issues/33 | Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. |
| VCID-gypk-ukbc-7qe3 (Aliases: CVE-2021-41183, GHSA-j7qv-pgf6-hvh4) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. | Affected by 77 other vulnerabilities. |
| VCID-gzcu-sbks-wyfa (Aliases: 2018-10-17-2) | URL Redirection to Untrusted Site ('Open Redirect'): External URL injection through URL aliases in drupal. | Affected by 27 other vulnerabilities. |
| VCID-jfq8-xxwa-mkd1 (Aliases: GHSA-m9fv-whq2-6wmc) | Drupal core Multiple vulnerabilities due to the use of the third-party library Archive_Tar: The Drupal project uses the third-party library [Archive_Tar](https://pear.php.net/package/Archive_Tar/), which has released a security improvement that is needed to protect some Drupal configurations. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them. The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities. | Affected by 0 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 26 other vulnerabilities. |
| VCID-jnu7-1j9c-dqck (Aliases: CVE-2017-6927, GHSA-585j-5449-mf5m) | JavaScript cross-site scripting prevention is incomplete: Drupal has a `Drupal.checkPlain()` JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. | Affected by 0 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-jtcp-dw8k-pfbz (Aliases: CVE-2012-1589, GHSA-wwrm-8947-4m6c) | Drupal Open Redirect: Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL. | Affected by 0 other vulnerabilities. |
| VCID-k1gx-nznx-7qd6 (Aliases: CVE-2020-13672, GHSA-3m36-mjwj-352c) | Drupal core Cross-site Scripting (XSS) vulnerability: Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. | Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
| VCID-kc7d-5k6x-77bp (Aliases: CVE-2020-36193, GHSA-rpw6-9xfx-jvcx) | Directory Traversal in Archive_Tar: Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. Note: There was an [initial fix](https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916) for this vulnerability made in version `1.4.12`. That fix introduced a bug which was [fixed in 1.4.13](https://github.com/pear/Archive_Tar/pull/36). Therefore we have set the first-patched-version to `1.4.13`, which is the earliest working version that avoids this vulnerability. | Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-mhk6-9qdy-83f3 (Aliases: CVE-2020-13666, GHSA-8jj2-x2gc-ggm7) | Drupal Core Cross-site scripting vulnerability: The Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | Affected by 0 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-mt37-qzh7-gyfv (Aliases: CVE-2016-3168, GHSA-qqxc-cppg-4xp8) | Reflected file download vulnerability: The System module in Drupal might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content. | Affected by 0 other vulnerabilities. Affected by 64 other vulnerabilities. |
| VCID-nd8n-5dsu-2fbp (Aliases: 2018-10-17-4) | Code Injection: Injection in `DefaultMailSystem::mail()`. | Affected by 27 other vulnerabilities. |
| VCID-rdgr-yuu7-xkey (Aliases: CVE-2024-55638, GHSA-gvf2-2f4g-jqf4) | Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-rhj7-dy7q-jkhw (Aliases: CVE-2019-6340, GHSA-3gx6-h57h-rm27) | Drupal Core Remote Code Execution Vulnerability: Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: the site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.) | Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
| VCID-s8u8-xbdk-87dj (Aliases: CVE-2021-33829, GHSA-rgx6-rjj4-c388) | ckeditor4 vulnerable to cross-site scripting: A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because `--!>` is mishandled. | Affected by 0 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
| VCID-s9kv-9qfu-gbdq (Aliases: CVE-2017-6928, GHSA-66mv-q8r2-hj8w) | Incorrect Permission Assignment for Critical Resource: When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations. | Affected by 0 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-sbmj-9trz-2ybf (Aliases: CVE-2021-41184, GHSA-gpqq-952q-5327) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): jQuery-UI is the official jQuery user interface library. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. | Affected by 77 other vulnerabilities. |
| VCID-ssyn-dxp9-3kdq (Aliases: CVE-2020-13663, GHSA-m648-hpf8-qcjw) | Drupal Core Cross-Site Request Forgery (CSRF) vulnerability: The Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. | Affected by 0 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 23 other vulnerabilities. |
| VCID-u5wt-ndvn-3ffg (Aliases: CVE-2016-3170, GHSA-pqv4-xgqh-j8vh) | Information Exposure: The "have you forgotten your password" links in the User module in Drupal allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in. | Affected by 0 other vulnerabilities. Affected by 64 other vulnerabilities. |
| VCID-utyg-huhu-2ucq (Aliases: GHSA-r67r-42wx-c8r7) | Drupal External URL injection through URL aliases leading to Open Redirect: The path module in Drupal allows users with the 'administer paths' permission to create pretty URLs for content. In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious URL. | Affected by 0 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 27 other vulnerabilities. |
| VCID-v9v6-ae3e-g3hk (Aliases: CVE-2020-28948, GHSA-jh5x-hfhg-78jq) | Deserialization of Untrusted Data in Archive_Tar: Archive_Tar through 1.4.10 allows an unserialization attack because `phar:` is blocked but `PHAR:` is not blocked. See: https://github.com/pear/Archive_Tar/issues/33 | Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. |
| VCID-vura-3gnb-rybs (Aliases: CVE-2020-13662, GHSA-gjqg-9rhv-qj67) | Drupal Core Open Redirect vulnerability: An Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects Drupal Core 7 version 7.70 and prior versions. | Affected by 0 other vulnerabilities. |
| VCID-wbvy-zrtk-audw (Aliases: GHSA-j66p-fvp2-fxhj) | Drupal core Arbitrary PHP code execution: The Drupal project uses the PEAR Archive_Tar library, which has released a security update that impacts Drupal. For more information please see CVE-2020-28948 and CVE-2020-28949. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them. To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files. | Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. |
| VCID-we42-mkyk-hfer (Aliases: CVE-2016-3169, GHSA-q3p9-8728-wq7x) | Saving user accounts can sometimes grant the user all roles: The User module in Drupal allows remote attackers to gain privileges by leveraging contributed or custom code that calls the `user_save` function with an explicit category and loads all roles into the array. | Affected by 0 other vulnerabilities. Affected by 64 other vulnerabilities. |
| VCID-wwvq-399y-rfhc (Aliases: CVE-2018-7602, GHSA-297x-j9pm-xjgg) | Drupal Core Remote Code Execution Vulnerability: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. | Affected by 0 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 37 other vulnerabilities. |
| VCID-yare-57j9-j7cs (Aliases: CVE-2017-6932, GHSA-wm86-w3cf-h6vm) | URL Redirection to Untrusted Site (Open Redirect): Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site. | Affected by 0 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-yrzt-3m97-53ce (Aliases: CVE-2016-9449, GHSA-p745-347h-hjfw) | Unprivileged access to taxonomy terms: Modules wishing to restrict access to taxonomy terms may be incompatible with queries generated both by Drupal core and by contributed modules like Entity Reference. As a result, information on taxonomy terms may be disclosed to unprivileged users. | Affected by 0 other vulnerabilities. Affected by 56 other vulnerabilities. |
| VCID-z5ba-3etw-eqb4 (Aliases: CVE-2013-6389, GHSA-hxg2-5c8p-ppwm) | several | Affected by 0 other vulnerabilities. |
| VCID-zw3u-6ue7-efdf (Aliases: CVE-2022-25271, GHSA-fmfv-x8mp-5767) | Improper Input Validation: Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. | Affected by 77 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-zxqc-67jp-uba7 (Aliases: CVE-2016-6211, GHSA-frqf-9qr4-6vxf) | Saving user accounts can sometimes grant the user all roles: The User module in Drupal allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form. | Affected by 0 other vulnerabilities. Affected by 61 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||