Search CVE reports
1 – 10 of 129 results
CVE-2024-45440
Medium prioritycore/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | — | Needs evaluation |
CVE-2024-34481
Medium prioritydrupal-wiki.com Drupal Wiki before 8.31.1 allows XSS via comments, captions, and image titles of a Wiki page.
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | — | Needs evaluation |
CVE-2024-22362
Medium priorityDrupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition.
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
CVE-2023-5256
Medium priorityIn certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This...
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | — | Needs evaluation |
CVE-2023-31250
Medium priorityThe file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes...
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
CVE-2022-25278
Low priorityUnder certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be...
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
CVE-2022-25277
Medium priorityDrupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010)....
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
CVE-2022-25276
Low priorityThe Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting,...
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
CVE-2022-25275
Low priorityIn some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is...
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
CVE-2022-25274
Low priorityDrupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to...
1 affected packages
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |