| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of Drupal Core
Drupal Core: Cross Site Scripting via File Module/Subsystem
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, I-Connect, Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2019.
Identifiers: CVE-2019-6341, DLA-1746-1, DRUPAL-SA-CORE-2019-004, DSA-4412-1, FEDORA-2019-2fbce03df3, FEDORA-2019-35589cfcb5, ibm10879443, Synology-SA-19:13, VIGILANCE-VUL-28786, ZDI-19-291.
Description of the vulnerability
The Core module can be installed on Drupal.
However, it does not filter received data via File Module/Subsystem before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Drupal Core: code execution via Phar Stream Wrapper
Synthesis of the vulnerability
An attacker can use a vulnerability via Phar Stream Wrapper of Drupal Core, in order to run code.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 17/01/2019.
Identifiers: CERTFR-2019-AVI-027, CVE-2019-6339, DLA-1659-1, DRUPAL-SA-CORE-2019-001, DRUPAL-SA-CORE-2019-002, DSA-4370-1, FEDORA-2019-0c1d62bf5b, FEDORA-2019-82df33e428, VIGILANCE-VUL-28299, ZDI-19-130.
Description of the vulnerability
An attacker can use a vulnerability via Phar Stream Wrapper of Drupal Core, in order to run code.
Full Vigil@nce bulletin... (Free trial) |
Symfony: information disclosure via X-Original-URL / X-Rewrite-URL
Synthesis of the vulnerability
An attacker can bypass access restrictions to data via X-Original-URL / X-Rewrite-URL of Symfony, in order to obtain sensitive information.
Impacted products: Debian, Drupal Core, Fedora, Symfony.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 02/08/2018.
Identifiers: CERTFR-2018-AVI-370, CVE-2018-14773, DLA-1707-1, DRUPAL-SA-CORE-2018-005, DSA-4441-1, FEDORA-2018-4deae442f2, FEDORA-2018-6f3ceeb7cb, FEDORA-2018-732f45d43e, FEDORA-2018-7f43cbdb69, FEDORA-2018-9b54497b6e, FEDORA-2018-9c38d1dc1d, VIGILANCE-VUL-26884.
Description of the vulnerability
An attacker can bypass access restrictions to data via X-Original-URL / X-Rewrite-URL of Symfony, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial) |
Drupal Core: Cross Site Scripting via CKEditor
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting via CKEditor of Drupal Core, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/04/2018.
Identifiers: CERTFR-2018-AVI-193, DRUPAL-SA-CORE-2018-003, VIGILANCE-VUL-25929.
Description of the vulnerability
The Core module can be installed on Drupal.
However, it does not filter received data via CKEditor before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting via CKEditor of Drupal Core, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Drupal Core: seven vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 2/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 22/02/2018.
Identifiers: CERTFR-2018-AVI-099, CVE-2017-6926, CVE-2017-6927, CVE-2017-6928, CVE-2017-6929, CVE-2017-6930, CVE-2017-6931, CVE-2017-6932, DLA-1295-1, DRUPAL-SA-CORE-2018-001, DSA-4123-1, FEDORA-2018-143886fdbd, FEDORA-2018-d8269e4262, VIGILANCE-VUL-25346.
Description of the vulnerability
An attacker can use several vulnerabilities of Drupal Core.
Full Vigil@nce bulletin... (Free trial) |
Drupal Core: three vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Drupal Core.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 17/08/2017.
Identifiers: CERTFR-2017-AVI-270, CVE-2017-6923, CVE-2017-6924, CVE-2017-6925, DRUPAL-SA-CORE-2017-004, PSA-2017-002, VIGILANCE-VUL-23558.
Description of the vulnerability
Several vulnerabilities were announced in Drupal Core.
An attacker can bypass security features via Views, in order to obtain sensitive information. [severity:3/4; CVE-2017-6923]
An attacker can bypass security features via REST API, in order to escalate his privileges. [severity:2/4; CVE-2017-6924]
An attacker can bypass access restrictions via Entity Access, in order to read or alter data. [severity:3/4; CVE-2017-6925]
Full Vigil@nce bulletin... (Free trial) |
Drupal Core: three vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 22/06/2017.
Identifiers: CERTFR-2017-AVI-192, CVE-2017-6920, CVE-2017-6921, CVE-2017-6922, DLA-1004-1, DRUPAL-SA-CORE-2017-003, DSA-3897-1, FEDORA-2017-38113758e7, FEDORA-2017-e8a2017b3c, VIGILANCE-VUL-23053.
Description of the vulnerability
Several vulnerabilities were announced in Drupal Core.
An attacker can use a vulnerability via PECL YAML, in order to run code. [severity:4/4; CVE-2017-6920]
An attacker can bypass access restrictions via REST, in order to read or alter data. [severity:3/4; CVE-2017-6921]
An attacker can bypass security features via Uploaded Files, in order to obtain sensitive information. [severity:2/4; CVE-2017-6922]
Full Vigil@nce bulletin... (Free trial) |
Drupal Core 8: code execution via PATCH and RESTful Web Services
Synthesis of the vulnerability
An authenticated attacker can use a vulnerability of Drupal Core 8 with PATCH and RESTful Web Services enabled, in order to run code.
Impacted products: Drupal Core, Fedora.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user account.
Creation date: 18/04/2017.
Revision date: 20/04/2017.
Identifiers: CERTFR-2017-AVI-124, CVE-2017-6919, DRUPAL-SA-CORE-2017-002, FEDORA-2017-041473e742, FEDORA-2017-e8767a2fbb, PSA-2017-001, VIGILANCE-VUL-22466.
Description of the vulnerability
An authenticated attacker can use a vulnerability of Drupal Core 8 with PATCH and RESTful Web Services enabled, in order to run code.
Full Vigil@nce bulletin... (Free trial) |
Drupal Core: three vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Drupal Core, Fedora.
Severity: 3/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 16/03/2017.
Identifiers: CERTFR-2017-AVI-085, CVE-2017-6377, CVE-2017-6379, CVE-2017-6381, DRUPAL-SA-CORE-2017-001, FEDORA-2017-05010f0b46, FEDORA-2017-9801754fd7, VIGILANCE-VUL-22147.
Description of the vulnerability
Several vulnerabilities were announced in Drupal Core.
An attacker can bypass security features via Inline Private Files, in order to obtain sensitive information. [severity:2/4; CVE-2017-6377]
An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:3/4; CVE-2017-6379]
An attacker can use a vulnerability via Development Library, in order to run code. [severity:3/4; CVE-2017-6381]
Full Vigil@nce bulletin... (Free trial) |
Drupal Core: four vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 2/4.
Consequences: data reading, data creation/edition, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 17/11/2016.
Identifiers: CERTFR-2016-AVI-382, CVE-2016-9449, CVE-2016-9450, CVE-2016-9451, CVE-2016-9452, DLA-715-1, DRUPAL-SA-CORE-2016-005, DSA-3718-1, FEDORA-2016-1cc5edde49, FEDORA-2016-95b1be8a3d, FEDORA-2016-ff9a74c6dc, VIGILANCE-VUL-21142.
Description of the vulnerability
Several vulnerabilities were announced in Drupal Core.
An attacker can bypass security features via term_access, in order to escalate his privileges. [severity:2/4; CVE-2016-9449]
An attacker can poison the cache, to alter the content of the Password Reset Page. [severity:2/4; CVE-2016-9450]
An attacker can deceive the user via Confirmation Forms, in order to redirect him to a malicious site. [severity:1/4; CVE-2016-9451]
An attacker can trigger a fatal error via Transliterate Mechanism, in order to trigger a denial of service. [severity:1/4; CVE-2016-9452]
Full Vigil@nce bulletin... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
Display information about Drupal Core:
|