Field | Value
---|---
purl | pkg:composer/drupal/core@8.0.0
Next non-vulnerable version | 10.4.0-beta1
Latest non-vulnerable version | 11.1.0-beta1
Risk | 10.0
Vulnerability | Aliases | Summary | Fixed by
---|---|---|---
VCID-1fdt-5e5a-aaap | CVE-2016-6212 GHSA-rfxx-gxwc-923c | Information Exposure The Views module in Drupal and the Views module might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors. | Affected by 81 other vulnerabilities. Affected by 82 other vulnerabilities.
VCID-1sty-tzsm-aaaa | GHSA-pr99-c33p-fwf6 | Drupal core Denial of Service | Affected by 36 other vulnerabilities. Affected by 46 other vulnerabilities.
VCID-1unh-sgm6-aaap | CVE-2020-13674 GHSA-j586-cj67-vg4p | Cross-Site Request Forgery in Drupal core | Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities.
VCID-26et-mv1c-aaag | CVE-2022-25275 GHSA-xh3v-6f9j-wxw3 GMS-2022-3362 | Drupal core Information Disclosure vulnerability | Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities.
VCID-35zf-t4ak-aaae | CVE-2019-11831 GHSA-xv7v-rf6g-xwrc | The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | Affected by 36 other vulnerabilities. Affected by 40 other vulnerabilities.
VCID-3nb4-kd7q-aaak | CVE-2022-25277 GHSA-6955-67hm-vjjq GMS-2022-3361 | Drupal core arbitrary PHP code execution | Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities.
VCID-3vvp-6wh9-aaam | CVE-2019-6339 GHSA-8cw5-rv98-5c46 | Arbitrary PHP code execution in Drupal | Affected by 42 other vulnerabilities.
VCID-4pjz-5ytr-aaag | CVE-2019-6338 GHSA-6rmq-x2hv-vxpp | Vulnerable third party libraries in certain configurations of Symfony | Affected by 42 other vulnerabilities.
VCID-539x-pa7r-aaaf | CVE-2018-7600 GHSA-7fh9-933g-885p | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. | Affected by 68 other vulnerabilities. Affected by 57 other vulnerabilities. Affected by 56 other vulnerabilities. Affected by 57 other vulnerabilities.
VCID-58wx-mazy-aaap | CVE-2016-6211 GHSA-frqf-9qr4-6vxf | Saving user accounts can sometimes grant the user all roles The User module in Drupal allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form. | Affected by 81 other vulnerabilities.
VCID-621d-xgjn-aaaq | SA-CORE-2018-003 | XSS Vulnerability CKEditor, a third-party JavaScript library included in Drupal core, is affected by a cross-site scripting (XSS) vulnerability. It's possible to execute XSS inside CKEditor when using the `image2` plugin. | Affected by 54 other vulnerabilities. Affected by 55 other vulnerabilities.
VCID-62ju-9pwz-aaaq | CVE-2017-6381 GHSA-rhx9-3qf7-r3j7 | Remote code execution A 3rd party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normally installed. You might be vulnerable to this if you are running a version of Drupal. To be sure you aren't vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments. | Affected by 71 other vulnerabilities.
VCID-6dwy-xd5r-aaae | 2018-04-18 | Cross-site Scripting XSS vulnerability in drupal. | Affected by 54 other vulnerabilities. Affected by 56 other vulnerabilities. Affected by 55 other vulnerabilities.
VCID-6xgv-e6y2-aaaj | CVE-2020-13668 GHSA-m6q5-wv4x-fv6h | Cross-site Scripting in Drupal Core | Affected by 33 other vulnerabilities. Affected by 34 other vulnerabilities. Affected by 30 other vulnerabilities.
VCID-74fe-zgpr-aaab | GHSA-98h9-727m-44qv | Drupal core Multiple vulnerabilities due to the use of the third-party library Archive_Tar | Affected by 36 other vulnerabilities. Affected by 46 other vulnerabilities.
VCID-7s25-1pn3-aaaa | CVE-2021-33829 GHSA-rgx6-rjj4-c388 | A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. | Affected by 27 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 28 other vulnerabilities.
VCID-7y3q-9y2y-aaam | 2018-10-17-1 | Improper Access Control in drupal. | Affected by 44 other vulnerabilities.
VCID-82a8-am95-aaap | GHSA-f84q-mgj9-8jfc | Drupal Content moderation Access bypass | Affected by 49 other vulnerabilities. Affected by 44 other vulnerabilities.
VCID-8qef-akfk-aaaa | CVE-2017-6919 GHSA-6hpj-9xj7-2jxx | Access Bypass This is a critical access bypass vulnerability in Drupal. | Affected by 70 other vulnerabilities. Affected by 70 other vulnerabilities.
VCID-8r44-x4sp-aaaa | CVE-2016-3171 GHSA-69g8-g9jq-74v7 | Session data truncation can lead to unserialization of user provided data Drupal might allow remote attackers to execute arbitrary code via vectors related to session data truncation. | Affected by 84 other vulnerabilities.
VCID-93jg-mswc-aaan | 2018-10-17-5 | Improper Access Control In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass. | Affected by 44 other vulnerabilities.
VCID-95ed-tb3r-aaam | CVE-2017-6923 GHSA-v3f6-f29f-rgvp | Missing Authorization in Drupal | Affected by 68 other vulnerabilities. Affected by 64 other vulnerabilities.
VCID-9quj-q5ha-aaad | GHSA-6ccv-8fgf-cjpw GMS-2024-214 | Drupal core Denial of Service vulnerability | Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities.
VCID-afcp-mtpx-aaan | GHSA-7v68-3pr5-h3cr | Drupal Core Insufficient Contextual Links validation leads to Remote Code Execution | Affected by 49 other vulnerabilities. Affected by 44 other vulnerabilities.
VCID-agc9-wc5b-aaag | CVE-2017-6920 GHSA-9c24-g32g-35rj | PECL YAML parser unsafe object handling PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This can lead to remote code execution. | Affected by 67 other vulnerabilities.
VCID-anxe-b2an-aaah | CVE-2020-13675 GHSA-v8wr-r69p-mmwx | Unrestricted Upload of File with Dangerous Type in Drupal core | Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities.
VCID-ar7v-kp7q-aaaj | CVE-2019-6340 GHSA-3gx6-h57h-rm27 | Improper Input Validation Some field types do not properly sanitize data from non-form sources in Drupal. This can lead to arbitrary PHP code execution in some cases. | Affected by 41 other vulnerabilities.
VCID-axfp-jb9u-aaam | GHSA-mh4h-27gq-cxwj | Drupal core Access bypass | Affected by 36 other vulnerabilities. Affected by 46 other vulnerabilities.
VCID-azrn-adcp-aaas | GHSA-6gf6-24h2-66j4 | Drupal core Open Redirect vulnerability | There are no reported fixed by versions.
VCID-b17x-3qaq-aaam | GHSA-v273-j5hq-26xp | Drupal core uses a vulnerable Third-party library CKEditor | Affected by 34 other vulnerabilities. Affected by 44 other vulnerabilities.
VCID-b5ph-7tjf-aaaj | CVE-2016-3166 GHSA-fg5q-r2q5-qmh3 | HTTP header injection using line breaks CRLF injection vulnerability in the `drupal_set_header` function in Drupal allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers. | Affected by 84 other vulnerabilities.
VCID-b73a-2aef-aaam | CVE-2016-9450 GHSA-98w5-wqp9-w466 | Incorrect cache context on password reset page The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page. | Affected by 74 other vulnerabilities.
VCID-b8a9-wxjv-aaar | CVE-2016-9452 GHSA-jpj8-49hr-wcwv | Denial of service via transliterate mechanism A specially crafted URL can cause a denial of service via the transliterate mechanism. | Affected by 74 other vulnerabilities.
VCID-bcv4-ry3v-aaab | CVE-2022-39261 GHSA-52m2-vc4m-jj33 | Twig may load a template outside a configured directory when using the filesystem loader | Affected by 14 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 13 other vulnerabilities.
VCID-c686-n6t1-aaap | CVE-2017-6925 GHSA-f4qx-jqfq-7785 | Entity Access Bypass There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity. | Affected by 64 other vulnerabilities.
VCID-cbqm-jpus-aaag | CVE-2016-7570 GHSA-6g9h-6v79-w4pc | Unprivileged access to "Administer comments" Users who have rights to edit a node can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission. | Affected by 78 other vulnerabilities.
VCID-cgr1-77ur-aaar | CVE-2022-25273 GHSA-g36h-4jr6-qmm9 | Improper input validation in Drupal core | Affected by 20 other vulnerabilities. Affected by 20 other vulnerabilities.
VCID-cnay-ga6u-aaar | CVE-2020-13671 GHSA-68jc-v27h-vhmw | Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. | Affected by 32 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 29 other vulnerabilities.
VCID-d5b5-6j54-aaas | CVE-2016-3164 GHSA-836p-6p4j-35cg | Open redirect via path manipulation Drupal might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on an error page, related to path manipulation. | Affected by 84 other vulnerabilities.
VCID-edah-2a2p-aaam | 2019-03-20 | Cross-site Scripting vulnerability in drupal. | Affected by 40 other vulnerabilities.
VCID-edhm-1e5u-aaag | CVE-2018-9861 GHSA-g78h-pf65-46rv | Cross-site Scripting Cross-site scripting (XSS) vulnerability in the Enhanced Image plugin for CKEditor. | Affected by 54 other vulnerabilities. Affected by 55 other vulnerabilities.
VCID-evjz-sadt-aaaj | GHSA-gxxj-g9v8-w28p | Drupal core Arbitrary PHP code execution | Affected by 29 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 26 other vulnerabilities.
VCID-exc6-n24q-aaaf | CVE-2016-3163 GHSA-h3r9-pjmr-f938 | Brute force amplification attacks via XML-RPC The XML-RPC system in Drupal might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method. | Affected by 84 other vulnerabilities.
VCID-fcuw-cqny-aaae | CVE-2017-6926 GHSA-2p28-5mvp-2j2r | Comment reply form allows access to restricted content Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments. | Affected by 58 other vulnerabilities.
VCID-fez2-9axz-aaaf | CVE-2017-6924 GHSA-p8g6-5mg7-9r5q | Improper Privilege Management When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments. | Affected by 68 other vulnerabilities. Affected by 64 other vulnerabilities.
VCID-ga8h-xve8-aaae | CVE-2022-25276 GHSA-4wfq-jc9h-vpcx | Lack of domain validation in Drupal core | Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities.
VCID-hm97-ssnm-aaap | CVE-2017-6377 GHSA-w7qx-vwr9-2j3r | Access Bypass When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass. | Affected by 71 other vulnerabilities.
VCID-j23h-3vqp-aaaq | CVE-2022-25271 GHSA-fmfv-x8mp-5767 | Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. | Affected by 22 other vulnerabilities. Affected by 24 other vulnerabilities.
VCID-mxdp-kn3v-aaab | CVE-2019-10909 GHSA-g996-q5r8-w7g2 | Escape validation messages in the PHP templating engine | Affected by 37 other vulnerabilities. Affected by 37 other vulnerabilities.
VCID-n1bk-upb2-aaag | CVE-2016-3167 GHSA-gxwx-c7m8-f95h | Open redirect via double-encoded 'destination' parameter Open redirect vulnerability in the `drupal_goto` function in Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the `destination` parameter. | Affected by 84 other vulnerabilities.
VCID-n4xy-1371-aaab | CVE-2016-3168 GHSA-qqxc-cppg-4xp8 | Reflected file download vulnerability The System module in Drupal might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content. | Affected by 84 other vulnerabilities.
VCID-nhhw-dxca-eqhr | CVE-2025-31673 GHSA-wpp8-fjgf-pwc7 | Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities.
VCID-njmu-4f5z-aaae | CVE-2017-6931 GHSA-7ffh-cjvg-fpr4 | Settings Tray access bypass The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module. | Affected by 58 other vulnerabilities.
VCID-nmnf-at11-aaag | CVE-2017-6922 GHSA-58f3-cx8p-h8jg | Files uploaded by anonymous users accessed by other users Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core does not provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system. | Affected by 67 other vulnerabilities.
VCID-nus4-1g5j-aaae | CVE-2016-7572 GHSA-fmqh-2j2x-vgp3 | Unprivileged access to config export The `system.temporary` route allows the download of a full config export. The full config export should be limited to those with "Export configuration" permission. | Affected by 78 other vulnerabilities.
VCID-nzut-ru5h-7ydr | CVE-2024-55634 GHSA-7cwc-fjqm-8vh8 | Drupal core Access bypass Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities.
VCID-pk5w-rtgg-aaap | CVE-2020-28948 GHSA-jh5x-hfhg-78jq | Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | Affected by 30 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 23 other vulnerabilities.
VCID-prpe-f8kr-aaam | CVE-2020-13672 GHSA-3m36-mjwj-352c | Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. | Affected by 28 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 29 other vulnerabilities.
VCID-ptqv-hsav-aaaq | 2018-10-17-3 | URL Redirection to Untrusted Site ('Open Redirect') Anonymous Open Redirect in drupal. | Affected by 44 other vulnerabilities.
VCID-q2vs-jf13-aaam | CVE-2016-5385 GHSA-m6ch-gg5f-wxx3 | HTTP Proxy header vulnerability | Affected by 81 other vulnerabilities. Affected by 81 other vulnerabilities.
VCID-q428-p8hs-aaaa | CVE-2022-25278 GHSA-cfh2-7f6h-3m85 | Access bypass in Drupal Core | Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities.
VCID-qj1j-gszu-aaab | CVE-2017-6379 GHSA-gxxq-fhc7-3jv9 | Cross Site Request Forgery Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID. | Affected by 71 other vulnerabilities.
VCID-raxq-bt8x-aaam | CVE-2016-3162 GHSA-w2pj-c8x5-jvg2 | Improper Access Control The File module in Drupal allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files. | Affected by 84 other vulnerabilities.
VCID-rfhb-dusd-aaak | CVE-2016-7571 GHSA-vhg8-x858-7wq6 | Cross-site Scripting in HTTP exceptions An attacker can create a specially crafted URL, which can execute arbitrary code in the victim's browser if loaded. Drupal is not properly sanitizing an exception. | Affected by 78 other vulnerabilities.
VCID-rm92-evce-aaaa | CVE-2016-3170 GHSA-pqv4-xgqh-j8vh | Information Exposure The `have you forgotten your password` links in the User module in Drupal allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in. | Affected by 84 other vulnerabilities.
VCID-rnsu-dzsx-aaaf | GHSA-6mgp-v5cm-ghg5 | Drupal core Remote Code Execution | Affected by 49 other vulnerabilities. Affected by 44 other vulnerabilities.
VCID-rpk4-gxm8-aaab | CVE-2022-24775 GHSA-q7rv-6hp3-vh96 | Improper Input Validation in guzzlehttp/psr7 | Affected by 21 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 12 other vulnerabilities.
VCID-rvk8-qcrh-aaar | CVE-2020-13669 GHSA-c533-c843-67h8 | Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | Affected by 33 other vulnerabilities. Affected by 34 other vulnerabilities. Affected by 30 other vulnerabilities.
VCID-rwya-unp6-aaaa | 2018-10-17-4 | Code Injection Injection in `DefaultMailSystem::mail()`. | Affected by 44 other vulnerabilities.
VCID-s8py-wjxc-aaag | CVE-2020-13670 GHSA-mmjr-5q74-p3m4 | Exposure of Resource to Wrong Sphere in Drupal Core | Affected by 33 other vulnerabilities. Affected by 34 other vulnerabilities. Affected by 30 other vulnerabilities.
VCID-sa2c-wvrg-aaan | GHSA-7gwj-7fhm-vw4w | Drupal core unrestricted file upload | Affected by 36 other vulnerabilities. Affected by 46 other vulnerabilities.
VCID-sexy-1ad2-aaab | CVE-2017-6927 GHSA-585j-5449-mf5m | JavaScript cross-site scripting prevention is incomplete Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. | Affected by 58 other vulnerabilities.
VCID-sm3n-jw2y-aaad | 2018-10-17-2 | URL Redirection to Untrusted Site ('Open Redirect') External URL injection through URL aliases in drupal. | Affected by 44 other vulnerabilities.
VCID-snyd-uvt1-aaac | CVE-2017-6929 GHSA-5vpr-v24w-mmjj | Cross-site Scripting A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. | Affected by 58 other vulnerabilities.
VCID-t73t-tzz5-aaaa | CVE-2017-6932 GHSA-wm86-w3cf-h6vm | URL Redirection to Untrusted Site (Open Redirect) Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site. | Affected by 58 other vulnerabilities.
VCID-tmu9-vjgy-aaab | CVE-2018-7602 GHSA-297x-j9pm-xjgg | A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. | Affected by 53 other vulnerabilities. Affected by 54 other vulnerabilities.
VCID-uk59-3djt-aaaa | GHSA-gfvf-2f25-f34r | Drupal Anonymous Open Redirect | Affected by 49 other vulnerabilities. Affected by 44 other vulnerabilities.
VCID-v7k7-r3h5-aaar | CVE-2017-6930 GHSA-3327-jr93-7hq3 | Language fallback can be incorrect on multilingual sites with node access restrictions When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records(). Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes. | Affected by 58 other vulnerabilities.
VCID-v81n-gjq6-fycy | CVE-2025-31674 GHSA-2qph-q8xw-gv7q | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities.
VCID-vsp2-5z41-2bbz | CVE-2025-31675 GHSA-m4wj-hhwj-47qp | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities.
VCID-vwxc-s4kb-aaag | GHSA-7f4f-p7mq-p4fv | Drupal External URL injection through URL aliases leading to Open Redirect | Affected by 49 other vulnerabilities. Affected by 44 other vulnerabilities.
VCID-w87m-jf7e-aaae | GHSA-vfgc-c76h-mwh4 | Drupal core Cross-Site Scripting (XSS) vulnerabilities | Affected by 26 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 28 other vulnerabilities.
VCID-wb7e-crxb-aaan | CVE-2020-13677 GHSA-3xr3-phjp-g6p2 | Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. | Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities.
VCID-xja8-hukq-qub7 | CVE-2025-3057 GHSA-39g6-x4x8-5jcm | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities.
VCID-y3g8-ayqw-5fer | CVE-2024-45440 GHSA-mg8j-w93w-xjgc | core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. | Affected by 10 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 8 other vulnerabilities.
VCID-y5c8-pny8-aaac | CVE-2017-6921 GHSA-h377-287m-w2r9 | File REST resource does not properly validate The file REST resource does not properly validate some fields when manipulating files. the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource. | Affected by 67 other vulnerabilities.
VCID-zgsn-a64t-aaah | CVE-2020-13676 GHSA-qfhg-m6r8-xxpj | Incorrect Authorization in Drupal core | Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities.
VCID-zjga-wdx7-aaan | CVE-2016-9449 GHSA-p745-347h-hjfw | Unprivileged access to taxonomy terms Modules wishing to restrict access to taxonomy terms may be incompatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. As a result, information on taxonomy terms may be disclosed to unprivileged users. | Affected by 74 other vulnerabilities.
VCID-zrav-4vpr-aaaa | CVE-2022-25270 GHSA-73q4-j324-2qcc | Incorrect authorization in Drupal core | Affected by 22 other vulnerabilities. Affected by 24 other vulnerabilities.
Vulnerability | Summary | Aliases
---|---|---
VCID-35sf-urkm-aaah | Improper Access Control The Form API in Drupal ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has `#access` set to `FALSE` in the server-side form definition. | CVE-2016-3165 GHSA-4gh5-3hqj-x3pj
VCID-d53w-5nj5-aaaf | In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. | CVE-2019-6341 GHSA-cmmh-8mwp-gq5p
VCID-dn1c-md6b-aaab | URL Redirection to Untrusted Site (Open Redirect) Confirmation forms in Drupal make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors. | CVE-2016-9451 GHSA-66gr-xrcf-8jpq
VCID-dwc5-nygz-aaan | Incorrect Permission Assignment for Critical Resource When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations. | CVE-2017-6928 GHSA-66mv-q8r2-hj8w
VCID-fhgh-jkwa-aaah | In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing `<option>` elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | CVE-2020-11023 GHSA-jpcq-cgw6-v4j6
VCID-hpqx-nbqb-aaag | An SQL Injection vulnerability exists in Drupal due to insufficient sanitization of table names or column names. | CVE-2011-2715 GHSA-hcq9-hmgf-6qr9
VCID-kkd1-e4k1-aaam | In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | CVE-2020-11022 GHSA-gxr4-xjj5-5px2
VCID-rdb7-bn6u-aaaq | Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions. | CVE-2020-13662 GHSA-gjqg-9rhv-qj67
VCID-sdrj-zubv-aaak | Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. | CVE-2020-13663 GHSA-m648-hpf8-qcjw
VCID-tv97-anfg-aaam | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles `jQuery.extend(true, {}, ...)` because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype. | CVE-2019-11358 GHSA-6c3j-c64m-qhgq
VCID-y9vf-63fm-aaad | Saving user accounts can sometimes grant the user all roles The User module in Drupal allows remote attackers to gain privileges by leveraging contributed or custom code that calls the `user_save` function with an explicit category and loads all roles into the array. | CVE-2016-3169 GHSA-q3p9-8728-wq7x
VCID-zkqs-pye6-aaaa | Cross-site Scripting A Cross-Site Scripting vulnerability exists in Drupal with Data due to insufficient sanitization of table descriptions, field names, or labels before display. | CVE-2011-2714 GHSA-qp8q-gwf5-hqh2