purl | pkg:composer/drupal/core@6.0.0 |
Tags | Ghost |
Next non-vulnerable version | 10.4.0-beta1 |
Latest non-vulnerable version | 11.1.0-beta1 |
Risk | 4.5 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-35sf-urkm-aaah
Aliases: CVE-2016-3165 GHSA-4gh5-3hqj-x3pj |
Improper Access Control: The Form API in Drupal ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has `#access` set to `FALSE` in the server-side form definition. |
Affected by 0 other vulnerabilities. Affected by 89 other vulnerabilities.
|
VCID-8r44-x4sp-aaaa
Aliases: CVE-2016-3171 GHSA-69g8-g9jq-74v7 |
Session data truncation can lead to unserialization of user provided data: Drupal might allow remote attackers to execute arbitrary code via vectors related to session data truncation. |
Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities.
|
VCID-b5ph-7tjf-aaaj
Aliases: CVE-2016-3166 GHSA-fg5q-r2q5-qmh3 |
HTTP header injection using line breaks: CRLF injection vulnerability in the `drupal_set_header` function in Drupal allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers. |
Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities.
|
VCID-d5b5-6j54-aaas
Aliases: CVE-2016-3164 GHSA-836p-6p4j-35cg |
Open redirect via path manipulation: Drupal might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on an error page, related to path manipulation. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities.
|
VCID-exc6-n24q-aaaf
Aliases: CVE-2016-3163 GHSA-h3r9-pjmr-f938 |
Brute force amplification attacks via XML-RPC: The XML-RPC system in Drupal might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities.
|
VCID-n1bk-upb2-aaag
Aliases: CVE-2016-3167 GHSA-gxwx-c7m8-f95h |
Open redirect via double-encoded 'destination' parameter: Open redirect vulnerability in the `drupal_goto` function in Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the `destination` parameter. |
Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities.
|
VCID-n4xy-1371-aaab
Aliases: CVE-2016-3168 GHSA-qqxc-cppg-4xp8 |
Reflected file download vulnerability: The System module in Drupal might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 84 other vulnerabilities.
|
VCID-y9vf-63fm-aaad
Aliases: CVE-2016-3169 GHSA-q3p9-8728-wq7x |
Saving user accounts can sometimes grant the user all roles: The User module in Drupal allows remote attackers to gain privileges by leveraging contributed or custom code that calls the `user_save` function with an explicit category and loads all roles into the array. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 89 other vulnerabilities.
|
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. |