Computer vulnerabilities of Drupal Core

computer vulnerability alert CVE-2019-6341

Drupal Core: Cross Site Scripting via File Module/Subsystem

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, I-Connect, Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2019.
Identifiers: CVE-2019-6341, DLA-1746-1, DRUPAL-SA-CORE-2019-004, DSA-4412-1, FEDORA-2019-2fbce03df3, FEDORA-2019-35589cfcb5, ibm10879443, Synology-SA-19:13, VIGILANCE-VUL-28786, ZDI-19-291.

Description of the vulnerability

The Core module can be installed on Drupal.

However, it does not filter data received via the File module/subsystem before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.

computer vulnerability note CVE-2019-6339

Drupal Core: code execution via Phar Stream Wrapper

Synthesis of the vulnerability

An attacker can use a vulnerability via Phar Stream Wrapper of Drupal Core, in order to run code.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 17/01/2019.
Identifiers: CERTFR-2019-AVI-027, CVE-2019-6339, DLA-1659-1, DRUPAL-SA-CORE-2019-001, DRUPAL-SA-CORE-2019-002, DSA-4370-1, FEDORA-2019-0c1d62bf5b, FEDORA-2019-82df33e428, VIGILANCE-VUL-28299, ZDI-19-130.

Description of the vulnerability

An attacker can use a vulnerability via Phar Stream Wrapper of Drupal Core, in order to run code.

vulnerability note CVE-2018-14773

Symfony: information disclosure via X-Original-URL / X-Rewrite-URL

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via X-Original-URL / X-Rewrite-URL of Symfony, in order to obtain sensitive information.
Impacted products: Debian, Drupal Core, Fedora, Symfony.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 02/08/2018.
Identifiers: CERTFR-2018-AVI-370, CVE-2018-14773, DLA-1707-1, DRUPAL-SA-CORE-2018-005, DSA-4441-1, FEDORA-2018-4deae442f2, FEDORA-2018-6f3ceeb7cb, FEDORA-2018-732f45d43e, FEDORA-2018-7f43cbdb69, FEDORA-2018-9b54497b6e, FEDORA-2018-9c38d1dc1d, VIGILANCE-VUL-26884.

Description of the vulnerability

An attacker can bypass access restrictions to data via X-Original-URL / X-Rewrite-URL of Symfony, in order to obtain sensitive information.

computer vulnerability note 25929

Drupal Core: Cross Site Scripting via CKEditor

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via CKEditor of Drupal Core, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/04/2018.
Identifiers: CERTFR-2018-AVI-193, DRUPAL-SA-CORE-2018-003, VIGILANCE-VUL-25929.

Description of the vulnerability

The Core module can be installed on Drupal.

However, it does not filter data received via CKEditor before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via CKEditor of Drupal Core, in order to run JavaScript code in the context of the web site.

computer vulnerability alert CVE-2017-6926 CVE-2017-6927 CVE-2017-6928

Drupal Core: seven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 2/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 22/02/2018.
Identifiers: CERTFR-2018-AVI-099, CVE-2017-6926, CVE-2017-6927, CVE-2017-6928, CVE-2017-6929, CVE-2017-6930, CVE-2017-6931, CVE-2017-6932, DLA-1295-1, DRUPAL-SA-CORE-2018-001, DSA-4123-1, FEDORA-2018-143886fdbd, FEDORA-2018-d8269e4262, VIGILANCE-VUL-25346.

Description of the vulnerability

An attacker can use several vulnerabilities of Drupal Core.

computer vulnerability bulletin CVE-2017-6923 CVE-2017-6924 CVE-2017-6925

Drupal Core: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Drupal Core.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 17/08/2017.
Identifiers: CERTFR-2017-AVI-270, CVE-2017-6923, CVE-2017-6924, CVE-2017-6925, DRUPAL-SA-CORE-2017-004, PSA-2017-002, VIGILANCE-VUL-23558.

Description of the vulnerability

Several vulnerabilities were announced in Drupal Core.

An attacker can bypass security features via Views, in order to obtain sensitive information. [severity:3/4; CVE-2017-6923]

An attacker can bypass security features via REST API, in order to escalate his privileges. [severity:2/4; CVE-2017-6924]

An attacker can bypass access restrictions via Entity Access, in order to read or alter data. [severity:3/4; CVE-2017-6925]

vulnerability bulletin CVE-2017-6920 CVE-2017-6921 CVE-2017-6922

Drupal Core: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 22/06/2017.
Identifiers: CERTFR-2017-AVI-192, CVE-2017-6920, CVE-2017-6921, CVE-2017-6922, DLA-1004-1, DRUPAL-SA-CORE-2017-003, DSA-3897-1, FEDORA-2017-38113758e7, FEDORA-2017-e8a2017b3c, VIGILANCE-VUL-23053.

Description of the vulnerability

Several vulnerabilities were announced in Drupal Core.

An attacker can use a vulnerability via PECL YAML, in order to run code. [severity:4/4; CVE-2017-6920]

An attacker can bypass access restrictions via REST, in order to read or alter data. [severity:3/4; CVE-2017-6921]

An attacker can bypass security features via Uploaded Files, in order to obtain sensitive information. [severity:2/4; CVE-2017-6922]

computer vulnerability alert CVE-2017-6919

Drupal Core 8: code execution via PATCH and RESTful Web Services

Synthesis of the vulnerability

An authenticated attacker can use a vulnerability of Drupal Core 8 with PATCH and RESTful Web Services enabled, in order to run code.
Impacted products: Drupal Core, Fedora.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user account.
Creation date: 18/04/2017.
Revision date: 20/04/2017.
Identifiers: CERTFR-2017-AVI-124, CVE-2017-6919, DRUPAL-SA-CORE-2017-002, FEDORA-2017-041473e742, FEDORA-2017-e8767a2fbb, PSA-2017-001, VIGILANCE-VUL-22466.

Description of the vulnerability

An authenticated attacker can use a vulnerability of Drupal Core 8 with PATCH and RESTful Web Services enabled, in order to run code.

computer vulnerability announce CVE-2017-6377 CVE-2017-6379 CVE-2017-6381

Drupal Core: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Drupal Core, Fedora.
Severity: 3/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 16/03/2017.
Identifiers: CERTFR-2017-AVI-085, CVE-2017-6377, CVE-2017-6379, CVE-2017-6381, DRUPAL-SA-CORE-2017-001, FEDORA-2017-05010f0b46, FEDORA-2017-9801754fd7, VIGILANCE-VUL-22147.

Description of the vulnerability

Several vulnerabilities were announced in Drupal Core.

An attacker can bypass security features via Inline Private Files, in order to obtain sensitive information. [severity:2/4; CVE-2017-6377]

An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:3/4; CVE-2017-6379]

An attacker can use a vulnerability via Development Library, in order to run code. [severity:3/4; CVE-2017-6381]

vulnerability announce CVE-2016-9449 CVE-2016-9450 CVE-2016-9451

Drupal Core: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal Core.
Impacted products: Debian, Drupal Core, Fedora.
Severity: 2/4.
Consequences: data reading, data creation/edition, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 17/11/2016.
Identifiers: CERTFR-2016-AVI-382, CVE-2016-9449, CVE-2016-9450, CVE-2016-9451, CVE-2016-9452, DLA-715-1, DRUPAL-SA-CORE-2016-005, DSA-3718-1, FEDORA-2016-1cc5edde49, FEDORA-2016-95b1be8a3d, FEDORA-2016-ff9a74c6dc, VIGILANCE-VUL-21142.

Description of the vulnerability

Several vulnerabilities were announced in Drupal Core.

An attacker can bypass security features via term_access, in order to escalate his privileges. [severity:2/4; CVE-2016-9449]

An attacker can poison the cache, to alter the content of the Password Reset Page. [severity:2/4; CVE-2016-9450]

An attacker can deceive the user via Confirmation Forms, in order to redirect him to a malicious site. [severity:1/4; CVE-2016-9451]

An attacker can trigger a fatal error via Transliterate Mechanism, in order to trigger a denial of service. [severity:1/4; CVE-2016-9452]