|
41
|
6.1
4.3
|
MEDIUM
Network
|
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted …
|
CWE-79
Cross-site Scripting
|
CVE-2021-33829
|
cpe:2.3:a:drupal:drupal:*:*
|
9.1.0 9.0.0 8.9.0
|
|
|
9.1.9 9.0.14 8.9.16
|
2024-11-21 15:09
2021-06-9
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
42
|
5.3
4.3
|
MEDIUM
Network
|
Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switch…
|
CWE-276
Incorrect Default Permissions
|
CVE-2020-13667
|
cpe:2.3:a:drupal:drupal:*:*
|
9.0.0 8.9.0 8.8.0
|
|
|
9.0.6 8.9.6 8.8.10
|
2024-11-21 14:01
2021-05-18
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
43
|
9.8
7.5
|
CRITICAL
Network
|
Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issu…
|
NVD-CWE-noinfo
|
CVE-2020-13665
|
cpe:2.3:a:drupal:drupal:*:*
|
9.0.0 8.9.0 8.8.0
|
|
|
9.0.1 8.9.1 8.8.8
|
2024-11-21 14:01
2021-05-6
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
44
|
8.8
9.3
|
HIGH
Network
|
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefull…
|
CWE-77
Command Injection
|
CVE-2020-13664
|
cpe:2.3:a:drupal:drupal:*:*
|
9.0.0 8.9.0 8.8.0
|
|
|
9.0.1 8.9.1 8.8.8
|
2024-11-21 14:01
2021-05-6
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
45
|
6.1
5.8
|
MEDIUM
Network
|
Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal…
|
CWE-601
Open Redirect
|
CVE-2020-13662
|
cpe:2.3:a:drupal:drupal:*:*
|
7.0
|
7.70
|
|
|
2024-11-21 14:01
2021-05-6
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
46
|
6.1
4.3
|
MEDIUM
Network
|
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.…
|
CWE-79
Cross-site Scripting
|
CVE-2020-13666
|
cpe:2.3:a:drupal:drupal:*:*
|
9.0.0 8.9.0 8.8.0 7.0
|
|
|
9.0.6 8.9.6 8.8.10 7.73
|
2024-11-21 14:01
2021-05-5
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
47
|
7.5
5.0
|
HIGH
Network
|
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
|
CWE-22 CWE-59
Path Traversal Link Following
|
CVE-2020-36193
|
cpe:2.3:a:drupal:drupal:*:*
|
9.1.0 9.0.0 7.0 8.9.0
|
|
|
9.1.3 9.0.11 7.78 8.9.13
|
2024-11-21 14:28
2021-01-19
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
48
|
8.8
6.5
|
HIGH
Network
|
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP f…
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2020-13671
|
cpe:2.3:a:drupal:drupal:*:*
|
8.8 8.9 9.0 7.0
|
|
|
8.8.11 8.9.9 9.0.8 7.74
|
2024-11-21 14:01
2020-11-21
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
49
|
7.8
6.8
|
HIGH
Local
|
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2020-28948
|
cpe:2.3:a:drupal:drupal:*:*
|
7.0 8.8.0 8.0.0 9.0.0
|
|
|
7.75 8.8.12 8.9.10 9.0.9
|
2024-11-21 14:23
2020-11-20
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
50
|
7.8
6.8
|
HIGH
Local
|
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
|
NVD-CWE-noinfo
|
CVE-2020-28949
|
cpe:2.3:a:drupal:drupal:*:*
|
7.0 8.8.0 8.0.0 9.0.0
|
|
|
7.75 8.8.12 8.9.10 9.0.9
|
2025-03-8 02:12
2020-11-20
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|