purl | pkg:composer/drupal/drupal@8.1.0 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-26et-mv1c-aaag
Aliases: CVE-2022-25275 GHSA-xh3v-6f9j-wxw3 GMS-2022-3362 |
Drupal core Information Disclosure vulnerability |
Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-2bng-kza3-aaaj
Aliases: GHSA-j66p-fvp2-fxhj |
Drupal core Arbitrary PHP code execution |
Affected by 19 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 20 other vulnerabilities. |
VCID-35zf-t4ak-aaae
Aliases: CVE-2019-11831 GHSA-xv7v-rf6g-xwrc |
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. |
Affected by 26 other vulnerabilities. Affected by 29 other vulnerabilities. |
VCID-3nb4-kd7q-aaak
Aliases: CVE-2022-25277 GHSA-6955-67hm-vjjq GMS-2022-3361 |
Drupal core arbitrary PHP code execution |
Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-3vvp-6wh9-aaam
Aliases: CVE-2019-6339 GHSA-8cw5-rv98-5c46 |
Arbitrary PHP code execution in Drupal |
Affected by 33 other vulnerabilities. Affected by 31 other vulnerabilities. |
VCID-3yhr-5thb-aaan
Aliases: GHSA-337w-fxpq-5m34 |
Drupal core uses a vulnerable Third-party library CKEditor |
Affected by 23 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-4pjz-5ytr-aaag
Aliases: CVE-2019-6338 GHSA-6rmq-x2hv-vxpp |
Vulnerable third party libraries in certain configurations of Symfony |
Affected by 33 other vulnerabilities. Affected by 31 other vulnerabilities. |
VCID-539x-pa7r-aaaf
Aliases: CVE-2018-7600 GHSA-7fh9-933g-885p |
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. |
Affected by 57 other vulnerabilities. Affected by 47 other vulnerabilities. Affected by 46 other vulnerabilities. Affected by 46 other vulnerabilities. |
VCID-621d-xgjn-aaaq
Aliases: SA-CORE-2018-003 |
XSS Vulnerability CKEditor, a third-party JavaScript library included in Drupal core, is affected by a cross-site scripting (XSS) vulnerability. It's possible to execute XSS inside CKEditor when using the `image2` plugin. |
Affected by 44 other vulnerabilities. Affected by 44 other vulnerabilities. |
VCID-62ju-9pwz-aaaq
Aliases: CVE-2017-6381 GHSA-rhx9-3qf7-r3j7 |
Remote code execution A 3rd party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normally installed. You might be vulnerable to this if you are running a version of Drupal. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments. |
Affected by 63 other vulnerabilities. Affected by 66 other vulnerabilities. Affected by 61 other vulnerabilities. |
VCID-6dwy-xd5r-aaae
Aliases: 2018-04-18 |
Cross-site Scripting XSS vulnerability in drupal. |
Affected by 44 other vulnerabilities. Affected by 46 other vulnerabilities. Affected by 44 other vulnerabilities. |
VCID-6xgv-e6y2-aaaj
Aliases: CVE-2020-13668 GHSA-m6q5-wv4x-fv6h |
Cross-site Scripting in Drupal Core |
Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
VCID-7s25-1pn3-aaaa
Aliases: CVE-2021-33829 GHSA-rgx6-rjj4-c388 |
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. |
Affected by 16 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 17 other vulnerabilities. |
VCID-7y3q-9y2y-aaam
Aliases: 2018-10-17-1 |
Improper Access Control in drupal. |
Affected by 33 other vulnerabilities. |
VCID-7y7x-t3r4-aaaq
Aliases: GHSA-5x28-3f32-x523 |
Drupal core Access control bypass |
Affected by 25 other vulnerabilities. Affected by 35 other vulnerabilities. |
VCID-8qef-akfk-aaaa
Aliases: CVE-2017-6919 GHSA-6hpj-9xj7-2jxx |
Access Bypass This is a critical access bypass vulnerability in Drupal. |
Affected by 63 other vulnerabilities. Affected by 60 other vulnerabilities. Affected by 60 other vulnerabilities. |
VCID-93jg-mswc-aaan
Aliases: 2018-10-17-5 |
Improper Access Control In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass. |
Affected by 33 other vulnerabilities. |
VCID-95ed-tb3r-aaam
Aliases: CVE-2017-6923 GHSA-v3f6-f29f-rgvp |
Missing Authorization in Drupal |
Affected by 57 other vulnerabilities. Affected by 54 other vulnerabilities. |
VCID-agc9-wc5b-aaag
Aliases: CVE-2017-6920 GHSA-9c24-g32g-35rj |
PECL YAML parser unsafe object handling PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This can lead to remote code execution. |
Affected by 57 other vulnerabilities. |
VCID-ar7v-kp7q-aaaj
Aliases: CVE-2019-6340 GHSA-3gx6-h57h-rm27 |
Improper Input Validation Some field types do not properly sanitize data from non-form sources in Drupal. This can lead to arbitrary PHP code execution in some cases. |
Affected by 30 other vulnerabilities. |
VCID-b73a-2aef-aaam
Aliases: CVE-2016-9450 GHSA-98w5-wqp9-w466 |
Incorrect cache context on password reset page The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page. |
Affected by 64 other vulnerabilities. |
VCID-b8a9-wxjv-aaar
Aliases: CVE-2016-9452 GHSA-jpj8-49hr-wcwv |
Denial of service via transliterate mechanism A specially crafted URL can cause a denial of service via the transliterate mechanism. |
Affected by 64 other vulnerabilities. |
VCID-bcv4-ry3v-aaab
Aliases: CVE-2022-39261 GHSA-52m2-vc4m-jj33 |
Twig may load a template outside a configured directory when using the filesystem loader |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-c686-n6t1-aaap
Aliases: CVE-2017-6925 GHSA-f4qx-jqfq-7785 |
Entity Access Bypass There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity. |
Affected by 57 other vulnerabilities. Affected by 54 other vulnerabilities. |
VCID-cbqm-jpus-aaag
Aliases: CVE-2016-7570 GHSA-6g9h-6v79-w4pc |
Unprivileged access to "Administer comments" Users who have rights to edit a node can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission. |
Affected by 65 other vulnerabilities. |
VCID-cgr1-77ur-aaar
Aliases: CVE-2022-25273 GHSA-g36h-4jr6-qmm9 |
Improper input validation in Drupal core |
Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
VCID-cnay-ga6u-aaar
Aliases: CVE-2020-13671 GHSA-68jc-v27h-vhmw |
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. |
Affected by 22 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 23 other vulnerabilities. |
VCID-d53w-5nj5-aaaf
Aliases: CVE-2019-6341 GHSA-cmmh-8mwp-gq5p |
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. |
Affected by 28 other vulnerabilities. Affected by 28 other vulnerabilities. |
VCID-dax7-4j13-aaam
Aliases: GHSA-x6v2-xmrq-574j |
Drupal Anonymous Open Redirect |
Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-dhq8-q9ju-aaab
Aliases: GHSA-58xv-7h9r-mx3c |
Drupal Malicious file upload with filenames starting with dot |
Affected by 25 other vulnerabilities. Affected by 35 other vulnerabilities. |
VCID-dwc5-nygz-aaan
Aliases: CVE-2017-6928 GHSA-66mv-q8r2-hj8w |
Incorrect Permission Assignment for Critical Resource When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations. |
Affected by 48 other vulnerabilities. |
VCID-edah-2a2p-aaam
Aliases: 2019-03-20 |
Cross-site Scripting vulnerability in drupal. |
Affected by 29 other vulnerabilities. |
VCID-edhm-1e5u-aaag
Aliases: CVE-2018-9861 GHSA-g78h-pf65-46rv |
Cross-site Scripting Cross-site scripting (XSS) vulnerability in the Enhanced Image plugin for CKEditor. |
Affected by 44 other vulnerabilities. Affected by 44 other vulnerabilities. |
VCID-esfj-nun2-aaar
Aliases: CVE-2022-24728 GHSA-4fc4-4p5g-6w89 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source what-you-see-is-what-you-get HTML editor used by drupal. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. |
Affected by 15 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-fcuw-cqny-aaae
Aliases: CVE-2017-6926 GHSA-2p28-5mvp-2j2r |
Comment reply form allows access to restricted content Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments. |
Affected by 48 other vulnerabilities. |
VCID-fez2-9axz-aaaf
Aliases: CVE-2017-6924 GHSA-p8g6-5mg7-9r5q |
Improper Privilege Management When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments. |
Affected by 57 other vulnerabilities. Affected by 54 other vulnerabilities. |
VCID-ga8h-xve8-aaae
Aliases: CVE-2022-25276 GHSA-4wfq-jc9h-vpcx |
Lack of domain validation in Drupal core |
Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-gfse-6nvz-aaap
Aliases: GHSA-r67r-42wx-c8r7 |
Drupal External URL injection through URL aliases leading to Open Redirect |
Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-gpjf-d56d-aaaj
Aliases: GHSA-w333-5f96-mjrr |
Drupal core Denial of Service |
Affected by 25 other vulnerabilities. Affected by 35 other vulnerabilities. |
VCID-mxdp-kn3v-aaab
Aliases: CVE-2019-10909 GHSA-g996-q5r8-w7g2 |
Escape validation messages in the PHP templating engine |
Affected by 27 other vulnerabilities. Affected by 27 other vulnerabilities. |
VCID-nmnf-at11-aaag
Aliases: CVE-2017-6922 GHSA-58f3-cx8p-h8jg |
Files uploaded by anonymous users accessed by other users Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core does not provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system. |
Affected by 57 other vulnerabilities. |
VCID-nus4-1g5j-aaae
Aliases: CVE-2016-7572 GHSA-fmqh-2j2x-vgp3 |
Unprivileged access to config export The `system.temporary` route allows the download of a full config export. The full config export should be limited to those with "Export configuration" permission. |
Affected by 65 other vulnerabilities. |
VCID-nzut-ru5h-7ydr
Aliases: CVE-2024-55634 GHSA-7cwc-fjqm-8vh8 |
Drupal core Access bypass Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-prpe-f8kr-aaam
Aliases: CVE-2020-13672 GHSA-3m36-mjwj-352c |
Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. |
Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. |
VCID-ptqv-hsav-aaaq
Aliases: 2018-10-17-3 |
URL Redirection to Untrusted Site ('Open Redirect') Anonymous Open Redirect in drupal. |
Affected by 33 other vulnerabilities. |
VCID-q428-p8hs-aaaa
Aliases: CVE-2022-25278 GHSA-cfh2-7f6h-3m85 |
Access bypass in Drupal Core |
Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
VCID-r8jq-7x4r-aaaq
Aliases: GHSA-wxfg-253g-m7r4 |
Drupal core Open Redirect vulnerability | There are no reported fixed by versions. |
VCID-rfhb-dusd-aaak
Aliases: CVE-2016-7571 GHSA-vhg8-x858-7wq6 |
Cross-site Scripting in HTTP exceptions An attacker can create a specially crafted url, which can execute arbitrary code in the victim’s browser if loaded. Drupal is not properly sanitizing an exception. |
Affected by 65 other vulnerabilities. |
VCID-rpk4-gxm8-aaab
Aliases: CVE-2022-24775 GHSA-q7rv-6hp3-vh96 |
Improper Input Validation in guzzlehttp/psr7 |
Affected by 14 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-rvk8-qcrh-aaar
Aliases: CVE-2020-13669 GHSA-c533-c843-67h8 |
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. |
Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
VCID-rwya-unp6-aaaa
Aliases: 2018-10-17-4 |
Code Injection Injection in `DefaultMailSystem::mail()`. |
Affected by 33 other vulnerabilities. |
VCID-rze1-6p9t-aaae
Aliases: GHSA-m9fv-whq2-6wmc |
Drupal core Multiple vulnerabilities due to the use of the third-party library Archive_Tar |
Affected by 25 other vulnerabilities. Affected by 35 other vulnerabilities. |
VCID-s8py-wjxc-aaag
Aliases: CVE-2020-13670 GHSA-mmjr-5q74-p3m4 |
Exposure of Resource to Wrong Sphere in Drupal Core |
Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
VCID-sdrj-zubv-aaak
Aliases: CVE-2020-13663 GHSA-m648-hpf8-qcjw |
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. |
Affected by 28 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 29 other vulnerabilities. |
VCID-sexy-1ad2-aaab
Aliases: CVE-2017-6927 GHSA-585j-5449-mf5m |
JavaScript cross-site scripting prevention is incomplete Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. |
Affected by 48 other vulnerabilities. |
VCID-sm3n-jw2y-aaad
Aliases: 2018-10-17-2 |
URL Redirection to Untrusted Site ('Open Redirect') External URL injection through URL aliases in drupal. |
Affected by 33 other vulnerabilities. |
VCID-snyd-uvt1-aaac
Aliases: CVE-2017-6929 GHSA-5vpr-v24w-mmjj |
Cross-site Scripting A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. |
Affected by 48 other vulnerabilities. |
VCID-t73t-tzz5-aaaa
Aliases: CVE-2017-6932 GHSA-wm86-w3cf-h6vm |
URL Redirection to Untrusted Site (Open Redirect) Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site. |
Affected by 48 other vulnerabilities. |
VCID-tmu9-vjgy-aaab
Aliases: CVE-2018-7602 GHSA-297x-j9pm-xjgg |
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. |
Affected by 43 other vulnerabilities. Affected by 43 other vulnerabilities. |
VCID-u5jw-wwpt-aaab
Aliases: GHSA-qf65-hph9-453r |
Drupal Cross-Site Scripting (XSS) affecting CKEditor Third-party library |
Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 21 other vulnerabilities. |
VCID-uzqp-mr6h-aaaa
Aliases: GHSA-jf8c-36vw-98x4 |
Drupal core Remote Code Execution |
Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-v7k7-r3h5-aaar
Aliases: CVE-2017-6930 GHSA-3327-jr93-7hq3 |
Language fallback can be incorrect on multilingual sites with node access restrictions When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records(). Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes. |
Affected by 48 other vulnerabilities. |
VCID-x95g-fxr5-aaas
Aliases: GHSA-86xw-vmcx-9mj4 |
Drupal Content moderation Access bypass |
Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-y3g8-ayqw-5fer
Aliases: CVE-2024-45440 GHSA-mg8j-w93w-xjgc |
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. |
Affected by 5 other vulnerabilities. Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. |
VCID-y5c8-pny8-aaac
Aliases: CVE-2017-6921 GHSA-h377-287m-w2r9 |
File REST resource does not properly validate The file REST resource does not properly validate some fields when manipulating files. the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource. |
Affected by 57 other vulnerabilities. |
VCID-ypm1-1edv-aaag
Aliases: GHSA-jjx7-8462-w4m4 |
Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution |
Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-z2pc-nq4m-aaas
Aliases: CVE-2022-24729 GHSA-f6rf-9m92-x2hh |
Improper Input Validation CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. |
Affected by 15 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-zjga-wdx7-aaan
Aliases: CVE-2016-9449 GHSA-p745-347h-hjfw |
Unprivileged access to taxonomy terms Modules wishing to restrict access to taxonomy terms may be incompatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. As a result, information on taxonomy terms may be disclosed to unprivileged users. |
Affected by 64 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
VCID-1fdt-5e5a-aaap | Information Exposure The Views module in Drupal and the Views module might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors. | CVE-2016-6212 GHSA-rfxx-gxwc-923c |
VCID-58wx-mazy-aaap | Saving user accounts can sometimes grant the user all roles The User module in Drupal allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form. | CVE-2016-6211 GHSA-frqf-9qr4-6vxf |
VCID-q2vs-jf13-aaam | HTTP Proxy header vulnerability | CVE-2016-5385 GHSA-m6ch-gg5f-wxx3 |