Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2019-004

Project: Drupal core
Date: 2019-March-20
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description: Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Solution: If you are using Drupal 8.6,[…]

Drupal core – Critical – Multiple Vulnerabilities – SA-CORE-2018-001

Project: Drupal core
Version: 8.4.x-dev, 7.x-dev
Date: 2018-February-21
Security risk: Critical 16/25 AC:Basic/A:User/CI:Some/II:Some/E:Exploit/TD:Default
Vulnerability: Multiple Vulnerabilities
Description: This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list. Comment reply form allows access to restricted content – Critical[…]

Drupal Core – Moderately Critical – Multiple Vulnerabilities – SA-CORE-2016-005

Advisory ID: DRUPAL-SA-CORE-2016-005
Project: Drupal core
Version: 7.x, 8.x
Date: 2016-November-16
Security risk: 13/25 (Moderately Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Multiple vulnerabilities
Description: Inconsistent name for term access query (Less critical – Drupal 7 and Drupal 8) Drupal provides a mechanism to alter database SELECT queries[…]

Drupal Core – Critical – Multiple Vulnerabilities – SA-CORE-2015-003

Advisory ID: DRUPAL-SA-CORE-2015-003
Project: Drupal core
Version: 6.x, 7.x
Date: 2015-August-19
Security risk: 18/25 (Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All
Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilities
Description: This security advisory fixes multiple vulnerabilities. See below for a list. Cross-site Scripting – Ajax system[…]

Drupal Core – Critical – Access Bypass – SA-CORE-2017-002

Advisory ID: DRUPAL-SA-CORE-2017-002
Project: Drupal core
Version: 8.x
Date: 2017-April-19
CVE ID: CVE-2017-6919
Security risk: 17/25 (Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description: This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met: The[…]

Drupal Core – Critical – Multiple Vulnerabilities – SA-CORE-2016-004

Description: Users who have rights to edit a node can set the visibility on comments for that node.
Advisory ID: DRUPAL-SA-CORE-2016-004
Project: Drupal core
Version: 8.x
Date: 2016-September-21
Security risk: 18/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability:
Description: Users without “Administer comments” can set comment visibility on[…]

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2019-003

Project: Drupal core
Date: 2019-February-20
Security risk: Highly critical 20/25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote Code Execution
CVE IDs: CVE-2019-6340
Description: Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. A site is only[…]

Drupal Core – Critical – Multiple Vulnerabilities – SA-CORE-2015-002

Advisory ID: DRUPAL-SA-CORE-2015-002
Project: Drupal core
Version: 6.x, 7.x
Date: 2015-June-17
Security risk: 15/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass, Information Disclosure, Open Redirect, Multiple vulnerabilities
Description: Impersonation (OpenID module – Drupal 6 and 7 – Critical) A vulnerability was found in the OpenID module[…]

Drupal Core – Moderately Critical – Multiple Vulnerabilities – SA-CORE-2015-001

Advisory ID: DRUPAL-SA-CORE-2015-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2015-March-18
Security risk: 14/25 (Moderately Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass, Open Redirect, Multiple vulnerabilities
Description: Access bypass (Password reset URLs – Drupal 6 and 7) Password reset URLs can be forged under certain circumstances,[…]

Drupal Core – Moderately Critical – Multiple Vulnerabilities – SA-CORE-2014-006

Advisory ID: DRUPAL-SA-CORE-2014-006
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-November-19
Security risk: 14/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Multiple vulnerabilities
Description: Session hijacking (Drupal 6 and 7) A specially crafted request can give a user access to another user’s session, allowing an attacker to[…]

SA-CORE-2013-003 – Drupal core – Multiple vulnerabilities

Advisory ID: DRUPAL-SA-CORE-2013-003
Project: Drupal core
Version: 6.x, 7.x
Date: 2013-November-20
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description: Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form[…]

SA-CORE-2012-003 – Drupal core – Arbitrary PHP code execution and Information disclosure

Advisory ID: DRUPAL-SA-CORE-2012-003
Project: Drupal core
Version: 7.x
Date: 2012-October-17
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Information Disclosure, Arbitrary PHP code execution
Description: Multiple vulnerabilities were discovered in Drupal core. Arbitrary PHP code execution: A bug in the installer code was identified that[…]

SA-CORE-2012-001 – Drupal core multiple vulnerabilities

Advisory ID: DRUPAL-SA-CORE-2012-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-February-01
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description: Cross Site Request Forgery vulnerability in Aggregator module (CVE: CVE-2012-0826) An XSRF vulnerability can force an aggregator[…]

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-004

Project: Drupal core
Date: 2018-April-25
Security risk: Highly critical 20/25 AC:Basic/A:User/CI:All/II:All/E:Exploit/TD:Default
Vulnerability: Remote Code Execution
Description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could[…]

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2018-003

Project: Drupal core
Date: 2018-April-18
Security risk: Moderately critical 12/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description: CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS[…]

Drupal Core – Highly Critical – Injection – SA-CORE-2016-003

Advisory ID: DRUPAL-SA-CORE-2016-003
Project: Drupal core
Version: 8.x
Date: 2016-July-18
Security risk: 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Proof/TD:Default
Vulnerability: Injection
Description: Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The[…]

Drupal Core – Moderately Critical – Multiple Vulnerabilities – SA-CORE-2016-002

Advisory ID: DRUPAL-SA-CORE-2016-002
Project: Drupal core
Version: 7.x, 8.x
Date: 2016-June-15
Security risk: 11/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass, Multiple vulnerabilities
Description: Saving user accounts can sometimes grant the user all roles (User module – Drupal 7 – Moderately Critical) A vulnerability exists[…]

Drupal Core – Critical – Multiple Vulnerabilities – SA-CORE-2016-001

Advisory ID: SA-CORE-2016-001
Project: Drupal core
Version: 6.x, 7.x, 8.x
Date: 2016-February-24
Security risk: 15/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Multiple vulnerabilities
Description: File upload access bypass and denial of service (File module – Drupal 7 and 8 – Moderately Critical) A vulnerability exists in the[…]

Drupal Core – Overlay – Less Critical – Open Redirect – SA-CORE-2015-004

Advisory ID: DRUPAL-SA-CORE-2015-004
Project: Drupal core
Version: 7.x
Date: 2015-October-21
Security risk: 9/25 (Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: Open Redirect
Description: The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in[…]

Drupal core – Critical – Third Party Libraries – SA-CORE-2019-001

Project: Drupal core
Date: 2019-January-16
Security risk: Critical 16/25 AC:Complex/A:User/CI:All/II:All/E:Proof/TD:Uncommon
Vulnerability: Third Party Libraries
Description: Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
Solution: If you are using[…]

Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2019-002

Project: Drupal core
Date: 2019-January-16
Security risk: Critical 16/25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description: A remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may[…]

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002

Project: Drupal core
Date: 2018-March-28
Security risk: Highly critical 21/25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
CVE: CVE-2018-7600
Description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site,[…]