Drupal Archives - Standoutmedia A/S

Drupal core – Highly critical – SQL injection – SA-CORE-2026-004

Skrevet den 22. maj 202629. maj 2026 af i Drupal

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.2.11
Drupal 10.2.12
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 10.3.9
Drupal 10.3.10
Drupal 10.3.11
Drupal 10.3.12
Drupal 10.3.13
Drupal 10.3.14
Drupal 10.4.0
Drupal 10.4.1
Drupal 10.4.2
Drupal 10.4.3
Drupal 10.4.4
Drupal 10.4.5
Drupal 10.4.6
Drupal 10.4.7
Drupal 10.4.8
Drupal 10.4.9
Drupal 10.4.10
Drupal 10.5.0
Drupal 10.5.1
Drupal 10.5.2
Drupal 10.5.3
Drupal 10.5.4
Drupal 10.5.5
Drupal 10.5.6
Drupal 10.5.7
Drupal 10.5.8
Drupal 10.5.9
Drupal 10.6.0
Drupal 10.6.1
Drupal 10.6.2
Drupal 10.6.3
Drupal 10.6.4
Drupal 10.6.5
Drupal 10.6.6
Drupal 10.6.7
Drupal 10.6.8
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7
Drupal 11.0.8
Drupal 11.0.9
Drupal 11.0.10
Drupal 11.0.11
Drupal 11.0.12
Drupal 11.0.13
Drupal 11.1.0
Drupal 11.1.1
Drupal 11.1.2
Drupal 11.1.3
Drupal 11.1.4
Drupal 11.1.5
Drupal 11.1.6
Drupal 11.1.7
Drupal 11.1.8
Drupal 11.1.9
Drupal 11.1.10
Drupal 11.2.0
Drupal 11.2.1
Drupal 11.2.2
Drupal 11.2.3
Drupal 11.2.4
Drupal 11.2.5
Drupal 11.2.6
Drupal 11.2.7
Drupal 11.2.8
Drupal 11.2.9
Drupal 11.2.10
Drupal 11.2.11
Drupal 11.2.12
Drupal 11.2.13
Drupal 11.3.0
Drupal 11.3.1
Drupal 11.3.2
Drupal 11.3.3
Drupal 11.3.4
Drupal 11.3.5
Drupal 11.3.6
Drupal 11.3.7
Drupal 11.3.8
Drupal 11.3.9
Drupal 11.3.10
Drupal 11.3.11

Drupal core – Moderately critical – Defacement – SA-CORE-2025-007

Skrevet den 17. november 2025 af i Drupal

By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement.

The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.2.11
Drupal 10.2.12
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 10.3.9
Drupal 10.3.10
Drupal 10.3.11
Drupal 10.3.12
Drupal 10.3.13
Drupal 10.3.14
Drupal 10.4.0
Drupal 10.4.1
Drupal 10.4.2
Drupal 10.4.3
Drupal 10.4.4
Drupal 10.4.5
Drupal 10.4.6
Drupal 10.4.7
Drupal 10.4.8
Drupal 10.5.0
Drupal 10.5.1
Drupal 10.5.2
Drupal 10.5.3
Drupal 10.5.4
Drupal 10.5.5
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7
Drupal 11.0.8
Drupal 11.0.9
Drupal 11.0.10
Drupal 11.0.11
Drupal 11.0.12
Drupal 11.0.13
Drupal 11.1.0
Drupal 11.1.1
Drupal 11.1.2
Drupal 11.1.3
Drupal 11.1.4
Drupal 11.1.5
Drupal 11.1.6
Drupal 11.1.7
Drupal 11.1.8
Drupal 11.2.0
Drupal 11.2.1
Drupal 11.2.2
Drupal 11.2.3
Drupal 11.2.4
Drupal 11.2.5
Drupal 11.2.6
Drupal 11.2.7

Drupal core – Moderately critical – Gadget chain – SA-CORE-2025-006

Skrevet den 17. november 2025 af i Drupal

Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called “gadget chain” presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.2.11
Drupal 10.2.12
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 10.3.9
Drupal 10.3.10
Drupal 10.3.11
Drupal 10.3.12
Drupal 10.3.13
Drupal 10.3.14
Drupal 10.4.0
Drupal 10.4.1
Drupal 10.4.2
Drupal 10.4.3
Drupal 10.4.4
Drupal 10.4.5
Drupal 10.4.6
Drupal 10.4.7
Drupal 10.4.8
Drupal 10.5.0
Drupal 10.5.1
Drupal 10.5.2
Drupal 10.5.3
Drupal 10.5.4
Drupal 10.5.5
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7
Drupal 11.0.8
Drupal 11.0.9
Drupal 11.0.10
Drupal 11.0.11
Drupal 11.0.12
Drupal 11.0.13
Drupal 11.1.0
Drupal 11.1.1
Drupal 11.1.2
Drupal 11.1.3
Drupal 11.1.4
Drupal 11.1.5
Drupal 11.1.6
Drupal 11.1.7
Drupal 11.1.8
Drupal 11.2.0
Drupal 11.2.1
Drupal 11.2.2
Drupal 11.2.3
Drupal 11.2.4
Drupal 11.2.5
Drupal 11.2.6
Drupal 11.2.7

Drupal Moderately critical – Denial of Service – SA-CORE-2025-005

Skrevet den 17. november 2025 af i Drupal

Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.

This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).

This vulnerability affects the following application versions:

Drupal 8.3.9
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.2.11
Drupal 10.2.12
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 10.3.9
Drupal 10.3.10
Drupal 10.3.11
Drupal 10.3.12
Drupal 10.3.13
Drupal 10.3.14
Drupal 10.4.0
Drupal 10.4.1
Drupal 10.4.2
Drupal 10.4.3
Drupal 10.4.4
Drupal 10.4.5
Drupal 10.4.6
Drupal 10.4.7
Drupal 10.4.8
Drupal 10.5.0
Drupal 10.5.1
Drupal 10.5.2
Drupal 10.5.3
Drupal 10.5.4
Drupal 10.5.5
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7
Drupal 11.0.8
Drupal 11.0.9
Drupal 11.0.10
Drupal 11.0.11
Drupal 11.0.12
Drupal 11.0.13
Drupal 11.1.0
Drupal 11.1.1
Drupal 11.1.2
Drupal 11.1.3
Drupal 11.1.4
Drupal 11.1.5
Drupal 11.1.6
Drupal 11.1.7
Drupal 11.1.8
Drupal 11.2.0
Drupal 11.2.1
Drupal 11.2.2
Drupal 11.2.3
Drupal 11.2.4
Drupal 11.2.5
Drupal 11.2.6
Drupal 11.2.7

Drupal core – Moderately critical – Information disclosure – SA-CORE-2025-008

Skrevet den 17. november 2025 af i Drupal

The system module handles downloads of private and temporary files, but may serve them with a Cache-Control: public header when they should be uncacheable. This could allow sensitive files to be cached and disclosed to unauthorized users.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.2.11
Drupal 10.2.12
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 10.3.9
Drupal 10.3.10
Drupal 10.3.11
Drupal 10.3.12
Drupal 10.3.13
Drupal 10.3.14
Drupal 10.4.0
Drupal 10.4.1
Drupal 10.4.2
Drupal 10.4.3
Drupal 10.4.4
Drupal 10.4.5
Drupal 10.4.6
Drupal 10.4.7
Drupal 10.4.8
Drupal 10.5.0
Drupal 10.5.1
Drupal 10.5.2
Drupal 10.5.3
Drupal 10.5.4
Drupal 10.5.5
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7
Drupal 11.0.8
Drupal 11.0.9
Drupal 11.0.10
Drupal 11.0.11
Drupal 11.0.12
Drupal 11.0.13
Drupal 11.1.0
Drupal 11.1.1
Drupal 11.1.2
Drupal 11.1.3
Drupal 11.1.4
Drupal 11.1.5
Drupal 11.1.6
Drupal 11.1.7
Drupal 11.1.8
Drupal 11.2.0
Drupal 11.2.1
Drupal 11.2.2
Drupal 11.2.3
Drupal 11.2.4
Drupal 11.2.5
Drupal 11.2.6
Drupal 11.2.7

Drupal – Cross Site Scripting – SA-CORE-2025-004

Skrevet den 25. marts 202524. maj 2026 af i Drupal

Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.2.11
Drupal 10.2.12
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 10.3.9
Drupal 10.3.10
Drupal 10.3.11
Drupal 10.3.12
Drupal 10.3.13
Drupal 10.3.14
Drupal 10.4.0
Drupal 10.4.1
Drupal 10.4.2
Drupal 10.4.3
Drupal 10.4.4
Drupal 10.4.5
Drupal 10.4.6
Drupal 10.4.7
Drupal 10.4.8
Drupal 10.4.9
Drupal 10.4.10
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7
Drupal 11.0.8
Drupal 11.0.9
Drupal 11.0.10
Drupal 11.0.11
Drupal 11.0.12
Drupal 11.0.13
Drupal 11.1.0
Drupal 11.1.1
Drupal 11.1.2
Drupal 11.1.3
Drupal 11.1.4
Drupal 11.1.5
Drupal 11.1.6

Drupal – Moderately critical – Gadget Chain – SA-CORE-2025-003

Skrevet den 21. februar 202513. juni 2025 af i Drupal

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.2.11
Drupal 10.2.12
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 10.3.9
Drupal 10.3.10
Drupal 10.3.11
Drupal 10.3.12
Drupal 10.4.0
Drupal 10.4.1
Drupal 10.4.2
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7
Drupal 11.0.8
Drupal 11.0.9
Drupal 11.0.10
Drupal 11.0.11
Drupal 11.1.0
Drupal 11.1.1
Drupal 11.1.2

Drupal – Critical – Cross site scripting – SA-CORE-2025-001

Skrevet den 21. februar 2025 af i Drupal

Drupal core doesn’t sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS).

Security risk: Critical 17 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All

This vulnerability affects the following application versions:

Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.2.11
Drupal 10.2.12
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 10.3.9
Drupal 10.3.10
Drupal 10.3.11
Drupal 10.3.12
Drupal 10.4.0
Drupal 10.4.1
Drupal 10.4.2
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7
Drupal 11.0.8
Drupal 11.0.9
Drupal 11.0.10
Drupal 11.0.11
Drupal 11.1.0
Drupal 11.1.1
Drupal 11.1.2

Drupal – Moderately critical – Access bypass – SA-CORE-2025-002

Skrevet den 21. februar 2025 af i Drupal

Bulk operations allow authorized users to modify several nodes at once from the Content page (/admin/content). A site builder can also add bulk operations to other pages using Views.

Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

This vulnerability affects the following application versions:

Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.2.11
Drupal 10.2.12
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 10.3.9
Drupal 10.3.10
Drupal 10.3.11
Drupal 10.3.12
Drupal 10.4.0
Drupal 10.4.1
Drupal 10.4.2
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7
Drupal 11.0.8
Drupal 11.0.9
Drupal 11.0.10
Drupal 11.0.11
Drupal 11.1.0
Drupal 11.1.1
Drupal 11.1.2

Drupal – gadget chain PHP object injection

Skrevet den 3. december 2024 af i Drupal

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 7.65
Drupal 7.66
Drupal 7.67
Drupal 7.68
Drupal 7.69
Drupal 7.70
Drupal 7.71
Drupal 7.72
Drupal 7.73
Drupal 7.74
Drupal 7.75
Drupal 7.76
Drupal 7.77
Drupal 7.78
Drupal 7.79
Drupal 7.80
Drupal 7.81
Drupal 7.82
Drupal 7.83
Drupal 7.84
Drupal 7.85
Drupal 7.86
Drupal 7.87
Drupal 7.88
Drupal 7.89
Drupal 7.90
Drupal 7.91
Drupal 7.92
Drupal 7.93
Drupal 7.94
Drupal 7.95
Drupal 7.96
Drupal 7.97
Drupal 7.98
Drupal 7.99
Drupal 7.100
Drupal 7.101

Drupal core – Gadget Chain – ViewExecutable

Skrevet den 27. november 2024 af i Drupal

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. SA-CORE-2024-007

This vulnerability affects the following application versions:

Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7

Drupal core – moderately critical – Gadget chain

Skrevet den 27. november 2024 af i Drupal

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8

Less critical – Gadget chain

Skrevet den 27. november 202418. oktober 2025 af i Drupal

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.

This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

This vulnerability affects the following application versions:

Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7

Drupal core – Critical – Cross Site Scripting

Skrevet den 27. november 2024 af i Drupal

Drupal 7 core’s Overlay module doesn’t safely handle user input, leading to reflected cross-site scripting under certain circumstances.

Only sites with the Overlay module enabled are affected by this vulnerability.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 7.65
Drupal 7.66
Drupal 7.67
Drupal 7.68
Drupal 7.69
Drupal 7.70
Drupal 7.71
Drupal 7.72
Drupal 7.73
Drupal 7.74
Drupal 7.75
Drupal 7.76
Drupal 7.77
Drupal 7.78
Drupal 7.79
Drupal 7.80
Drupal 7.81
Drupal 7.82
Drupal 7.83
Drupal 7.84
Drupal 7.85
Drupal 7.86
Drupal 7.87
Drupal 7.88
Drupal 7.89
Drupal 7.90
Drupal 7.91
Drupal 7.92
Drupal 7.93
Drupal 7.94
Drupal 7.95
Drupal 7.96
Drupal 7.97
Drupal 7.98
Drupal 7.99
Drupal 7.100
Drupal 7.101

Access bypass

Skrevet den 27. november 2024 af i Drupal

Drupal’s uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation.

As a result, a user may be able to register with the same email address as another user.

This may lead to data integrity issues.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7

Moderately critical – Cross Site Scripting

Skrevet den 27. november 202418. oktober 2025 af i Drupal

Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.

This vulnerability affects the following application versions:

Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9
Drupal 10.2.10
Drupal 10.3.0
Drupal 10.3.1
Drupal 10.3.2
Drupal 10.3.3
Drupal 10.3.4
Drupal 10.3.5
Drupal 10.3.6
Drupal 10.3.7
Drupal 10.3.8
Drupal 11.0.0
Drupal 11.0.1
Drupal 11.0.2
Drupal 11.0.3
Drupal 11.0.4
Drupal 11.0.5
Drupal 11.0.6
Drupal 11.0.7

Drupal core – Improper error handling – SA-CORE-2024-002

Skrevet den 21. oktober 202420. november 2024 af i Drupal

Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.

This vulnerability affects the following application versions:

Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.1.8
Drupal 10.2.0
Drupal 10.2.1
Drupal 10.2.2
Drupal 10.2.3
Drupal 10.2.4
Drupal 10.2.5
Drupal 10.2.6
Drupal 10.2.7
Drupal 10.2.8
Drupal 10.2.9

Denial of Service via comment module

Skrevet den 18. januar 202420. november 2024 af i Drupal

The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 9.5.11
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.0.11
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3
Drupal 10.1.4
Drupal 10.1.5
Drupal 10.1.6
Drupal 10.1.7
Drupal 10.2.0
Drupal 10.2.1

Drupal – Critical – Cache poisoning – SA-CORE-2023-006

Skrevet den 26. september 202320. november 2024 af i Drupal

In certain scenarios, Drupal’s JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability affects the following application versions:

Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.4.14
Drupal 9.4.15
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 9.5.8
Drupal 9.5.9
Drupal 9.5.10
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7
Drupal 10.0.8
Drupal 10.0.9
Drupal 10.0.10
Drupal 10.1.0
Drupal 10.1.1
Drupal 10.1.2
Drupal 10.1.3

Access bypass – SA-CORE-2023-005

Skrevet den 25. april 202320. november 2024 af i Drupal

The file download facility doesn’t sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 7.65
Drupal 7.66
Drupal 7.67
Drupal 7.68
Drupal 7.69
Drupal 7.70
Drupal 7.71
Drupal 7.72
Drupal 7.73
Drupal 7.74
Drupal 7.75
Drupal 7.76
Drupal 7.77
Drupal 7.78
Drupal 7.79
Drupal 7.80
Drupal 7.81
Drupal 7.82
Drupal 7.83
Drupal 7.84
Drupal 7.85
Drupal 7.86
Drupal 7.87
Drupal 7.88
Drupal 7.89
Drupal 7.90
Drupal 7.91
Drupal 7.92
Drupal 7.93
Drupal 7.94
Drupal 7.95
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.4.12
Drupal 9.4.13
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 9.5.5
Drupal 9.5.6
Drupal 9.5.7
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4
Drupal 10.0.5
Drupal 10.0.6
Drupal 10.0.7

Access bypass – SA-CORE-2023-004

Skrevet den 18. marts 202320. november 2024 af i Drupal

Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration. If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 7.65
Drupal 7.66
Drupal 7.67
Drupal 7.68
Drupal 7.69
Drupal 7.70
Drupal 7.71
Drupal 7.72
Drupal 7.73
Drupal 7.74
Drupal 7.75
Drupal 7.76
Drupal 7.77
Drupal 7.78
Drupal 7.79
Drupal 7.80
Drupal 7.81
Drupal 7.82
Drupal 7.83
Drupal 7.84
Drupal 7.85
Drupal 7.86
Drupal 7.87
Drupal 7.88
Drupal 7.89
Drupal 7.90
Drupal 7.91
Drupal 7.92
Drupal 7.93
Drupal 7.94
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4

Information Disclosure – SA-CORE-2023-003

Skrevet den 18. marts 202318. oktober 2025 af i Drupal

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4

Information Disclosure – SA-CORE-2023-002

Skrevet den 18. marts 202318. oktober 2025 af i Drupal

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.

This vulnerability affects the following application versions:

Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.4.10
Drupal 9.4.11
Drupal 9.5.0
Drupal 9.5.1
Drupal 9.5.2
Drupal 9.5.3
Drupal 9.5.4
Drupal 10.0.0
Drupal 10.0.1
Drupal 10.0.2
Drupal 10.0.3
Drupal 10.0.4

Information Disclosure in Media Library module – SA-CORE-2023-001

Skrevet den 20. januar 202318. oktober 2025 af i Drupal

The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

This vulnerability affects the following application versions:

Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.3.22
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6
Drupal 9.4.7
Drupal 9.4.8
Drupal 9.4.9
Drupal 9.5.0
Drupal 9.5.1
Drupal 10.0.0
Drupal 10.0.1

Multiple vulnerabilities – SA-CORE-2022-016

Skrevet den 30. september 202218. oktober 2025 af i Drupal

Official Description: Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.

This vulnerability affects the following application versions:

Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.3.19
Drupal 9.3.20
Drupal 9.3.21
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2
Drupal 9.4.3
Drupal 9.4.4
Drupal 9.4.5
Drupal 9.4.6

Access bypass – SA-CORE-2022-013

Skrevet den 27. juli 202220. november 2024 af i Drupal

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2

Information disclosure – SA-CORE-2022-012

Skrevet den 27. juli 202218. oktober 2025 af i Drupal

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 7.65
Drupal 7.66
Drupal 7.67
Drupal 7.68
Drupal 7.69
Drupal 7.70
Drupal 7.71
Drupal 7.72
Drupal 7.73
Drupal 7.74
Drupal 7.75
Drupal 7.76
Drupal 7.77
Drupal 7.78
Drupal 7.79
Drupal 7.80
Drupal 7.81
Drupal 7.82
Drupal 7.83
Drupal 7.84
Drupal 7.85
Drupal 7.86
Drupal 7.87
Drupal 7.88
Drupal 7.89
Drupal 7.90
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2

Arbitrary PHP code execution – SA-CORE-2022-014

Skrevet den 27. juli 202220. november 2024 af i Drupal

If the site was configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (restricted permission), or a contributed module or custom code that overrides allowed file uploads.

This vulnerability affects the following application versions:

Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2

Multiple vulnerabilities – SA-CORE-2022-015

Skrevet den 27. juli 202218. oktober 2025 af i Drupal

Official Description: The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

This vulnerability affects the following application versions:

Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.2.18
Drupal 9.2.19
Drupal 9.2.20
Drupal 9.2.21
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11
Drupal 9.3.12
Drupal 9.3.13
Drupal 9.3.14
Drupal 9.3.15
Drupal 9.3.16
Drupal 9.3.17
Drupal 9.3.18
Drupal 9.4.0
Drupal 9.4.1
Drupal 9.4.2

Access bypass – SA-CORE-2022-009

Skrevet den 21. april 202220. november 2024 af i Drupal

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.

This vulnerability affects the following application versions:

Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11

Improper input validation – SA-CORE-2022-008

Skrevet den 21. april 202218. oktober 2025 af i Drupal

Drupal core’s form API has a vulnerability where certain contributed or custom modules’ forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.It is not known if there are affected forms within core itself, but contributed and custom project forms could be affected. Applying this patch will fix those forms.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.2.13
Drupal 9.2.14
Drupal 9.2.15
Drupal 9.2.16
Drupal 9.2.17
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5
Drupal 9.3.6
Drupal 9.3.7
Drupal 9.3.8
Drupal 9.3.9
Drupal 9.3.10
Drupal 9.3.11

Improper input validation in Drupal core form

Skrevet den 18. februar 202218. oktober 2025 af i Drupal

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 7.65
Drupal 7.66
Drupal 7.67
Drupal 7.68
Drupal 7.69
Drupal 7.70
Drupal 7.71
Drupal 7.72
Drupal 7.73
Drupal 7.74
Drupal 7.75
Drupal 7.76
Drupal 7.77
Drupal 7.78
Drupal 7.79
Drupal 7.80
Drupal 7.81
Drupal 7.82
Drupal 7.83
Drupal 7.84
Drupal 7.85
Drupal 7.86
Drupal 7.87
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5

Information disclosure in Quick Edit module

Skrevet den 18. februar 202218. oktober 2025 af i Drupal

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the “access in-place editing” permission viewing some content they are are not authorized to access.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 8.9.19
Drupal 8.9.20
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.1.13
Drupal 9.1.14
Drupal 9.1.15
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5
Drupal 9.2.6
Drupal 9.2.7
Drupal 9.2.8
Drupal 9.2.9
Drupal 9.2.10
Drupal 9.2.11
Drupal 9.2.12
Drupal 9.3.0
Drupal 9.3.1
Drupal 9.3.2
Drupal 9.3.3
Drupal 9.3.4
Drupal 9.3.5

[SA-CORE-2021-006] Cross Site Request Forgery

Skrevet den 18. september 202118. oktober 2025 af i Drupal

The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.

CVE-2020-13673

This vulnerability affects the following application versions:

Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5

[SA-CORE-2021-007] Cross Site Request Forgery

Skrevet den 18. september 202118. oktober 2025 af i Drupal

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the “access in-place editing” permission from untrusted users will not fully mitigate the vulnerability.

CVE-2020-13674

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5

[SA-CORE-2021-008] Access bypass

Skrevet den 18. september 202118. oktober 2025 af i Drupal

Drupal’s JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

This vulnerability affects the following application versions:

Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5

[SA-CORE-2021-009] Access bypass

Skrevet den 18. september 202118. oktober 2025 af i Drupal

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5

[SA-CORE-2021-010] Access Bypass

Skrevet den 18. september 202118. oktober 2025 af i Drupal

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.

Sites that do not have the JSON:API module enabled are not affected.

CVE-2020-13677

This vulnerability affects the following application versions:

Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 8.9.15
Drupal 8.9.16
Drupal 8.9.17
Drupal 8.9.18
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6
Drupal 9.1.7
Drupal 9.1.8
Drupal 9.1.9
Drupal 9.1.10
Drupal 9.1.11
Drupal 9.1.12
Drupal 9.2.0
Drupal 9.2.1
Drupal 9.2.2
Drupal 9.2.3
Drupal 9.2.4
Drupal 9.2.5

[SA-CORE-2021-004] Security update third-party library Archive_Tar

Skrevet den 23. juli 202118. oktober 2025 af i Drupal

The Drupal project uses the PEAR Archive_Tar library, which had released a security update that impacts Drupal.

The vulnerability is mitigated by the fact that Drupal core’s use of the Archive_Tar library is not vulnerable, as it does not permit symlinks. On the other hand, exploitation was possible if contribution or custom code used the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.

This vulnerability affects the following application versions:

Drupal 7.69
Drupal 7.70
Drupal 7.71
Drupal 7.72
Drupal 7.73
Drupal 7.74
Drupal 7.75
Drupal 7.76
Drupal 7.77
Drupal 7.78
Drupal 7.79
Drupal 7.80
Drupal 7.81

[SA-CORE-2021-002] Extended XSS attribute sanitize filter to prevent cross-site scripting

Skrevet den 22. april 202118. oktober 2025 af i Drupal

Drupal core’s sanitize API failed to properly filter cross-site scripting under certain circumstances.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 7.65
Drupal 7.66
Drupal 7.67
Drupal 7.68
Drupal 7.69
Drupal 7.70
Drupal 7.71
Drupal 7.72
Drupal 7.73
Drupal 7.74
Drupal 7.75
Drupal 7.76
Drupal 7.77
Drupal 7.78
Drupal 7.79
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3
Drupal 9.1.4
Drupal 9.1.5
Drupal 9.1.6

[SA-CORE-2020-012] Remote code execution

Skrevet den 21. november 202018. oktober 2025 af i Drupal

Drupal core did not properly sanitize certain filenames on uploaded files, which could lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 7.65
Drupal 7.66
Drupal 7.67
Drupal 7.68
Drupal 7.69
Drupal 7.70
Drupal 7.71
Drupal 7.72
Drupal 7.73
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7

[SA-CORE-2020-009] Cross-site scripting (XSS) vulnerability under certain circumstances

Skrevet den 21. september 202018. oktober 2025 af i Drupal

An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5

[SA-CORE-2020-008] Access bypass vulnerability workspaces

Skrevet den 20. september 202018. oktober 2025 af i Drupal

The Workspaces module didn’t sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker could be able to see content before the site owner intends people to see the content.

This vulnerability affects the following application versions:

Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5

[SA-CORE-2020-011] Vulnerability existed in the File module

Skrevet den 20. september 202018. oktober 2025 af i Drupal

A vulnerability existed in the File module which allowed an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5

[SA-CORE-2020-007] Added escaping to the API to prevent XSS attack

Skrevet den 20. september 202018. oktober 2025 af i Drupal

The Drupal AJAX API did not disable JSONP by default, which could lead to cross-site scripting.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5

[SA-CORE-2020-010] Added filtering for allowed HTML to prevent XSS

Skrevet den 20. september 202018. oktober 2025 af i Drupal

Drupal core’s built-in CKEditor image caption functionality was vulnerable to XSS.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5

[SA-CORE-2020-004] Cross Site Request Forgery

Skrevet den 20. juni 202018. oktober 2025 af i Drupal

The Drupal core Form API didn’t properly handle certain form input from cross-site requests, which could lead to other vulnerabilities.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 7.65
Drupal 7.66
Drupal 7.67
Drupal 7.68
Drupal 7.69
Drupal 7.70
Drupal 7.71
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.9.0
Drupal 9.0.0

[SA-CORE-2020-006 ] Access bypass

Skrevet den 20. juni 202018. oktober 2025 af i Drupal

JSON:API PATCH requests could bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config were vulnerable.

This vulnerability affects the following application versions:

Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.9.0
Drupal 9.0.0

[SA-CORE-2020-005] Arbitrary PHP code execution

Skrevet den 20. juni 202018. oktober 2025 af i Drupal

Drupal 8 and 9 had a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers were most likely to be affected.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.9.0
Drupal 9.0.0

[SA-CORE-2020-003] Open Redirect

Skrevet den 21. maj 202018. oktober 2025 af i Drupal

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability was caused by insufficient validation of the destination query parameter in the drupal_goto() function.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 7.65
Drupal 7.66
Drupal 7.67
Drupal 7.68
Drupal 7.69

[SA-CORE-2019-011] The Media Library module had an access bypass vulnerability

Skrevet den 20. december 201918. oktober 2025 af i Drupal

The Media Library module had a security vulnerability whereby it didn’t sufficiently restrict access to media items in certain configurations.

This vulnerability affects the following application versions:

Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.8.0
Drupal 8.8.1

[SA-CORE-2019-010] file_save_upload() function did not strip the leading and trailing dot (‘.’) from filenames

Skrevet den 20. december 201918. oktober 2025 af i Drupal

Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal’s default .htaccess file.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.8.0
Drupal 8.8.1

[SA-CORE-2019-009] Visit to install.php could cause cached data to become corrupted

Skrevet den 20. december 201918. oktober 2025 af i Drupal

This could cause a site to be impaired until caches were rebuilt.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.8.0
Drupal 8.8.1

[SA-CORE-2019-012] Security update third-party library Archive_Tar

Skrevet den 20. december 201918. oktober 2025 af i Drupal

Multiple vulnerabilities were possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.8.0
Drupal 8.8.1

[SA-CORE-2019-004] Cross Site Scripting in the File module/subsystem

Skrevet den 22. marts 201918. oktober 2025 af i Drupal

Under certain circumstances the File module/subsystem allowed a malicious user to upload a file that could trigger a cross-site scripting (XSS) vulnerability.

Part of security release SA-CORE-2019-004

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 6.38
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 7.62
Drupal 7.63
Drupal 7.64
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12

[SA-CORE-2019-003] Remote Code Execution – 2

Skrevet den 23. februar 201918. oktober 2025 af i Drupal

Some field types did not properly sanitize data from non-form sources. This could lead to arbitrary PHP code execution in some cases.

Author’s note: The vulnerability for “drupal/core/modules/hal/src/Normalizer/FieldItemNormalizer.php” might also be detected for versions higher than 8.6.9. This occurs because Drupal developers shipped a security fix in a separate file, but Patchman is only able to modify files (to Patch them), not create new ones on your system. As a result, our only option was to back-port the fix into an existing application file. Regrettably, the file which hosts the solution may also exist in later Drupal versions not affected by the vulnerability. If your application runs on Drupal 8.6.10 or above, and you see this detection, it does not necessarily imply a vulnerability, but neither will a subsequent Patch have any negative impact.

This vulnerability affects the following application versions:

Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.5.11
Drupal 8.5.12
Drupal 8.5.13
Drupal 8.5.14
Drupal 8.5.15
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9
Drupal 8.6.10
Drupal 8.6.11
Drupal 8.6.12
Drupal 8.6.13
Drupal 8.6.14
Drupal 8.6.15
Drupal 8.6.16
Drupal 8.6.17
Drupal 8.6.18
Drupal 8.7.0
Drupal 8.7.1
Drupal 8.7.2
Drupal 8.7.3
Drupal 8.7.4
Drupal 8.7.5
Drupal 8.7.6
Drupal 8.7.7
Drupal 8.7.8
Drupal 8.7.9
Drupal 8.7.10
Drupal 8.7.11
Drupal 8.7.12
Drupal 8.7.13
Drupal 8.7.14
Drupal 8.8.0
Drupal 8.8.1
Drupal 8.8.2
Drupal 8.8.3
Drupal 8.8.4
Drupal 8.8.5
Drupal 8.8.6
Drupal 8.8.7
Drupal 8.8.8
Drupal 8.8.9
Drupal 8.8.10
Drupal 8.8.11
Drupal 8.8.12
Drupal 8.9.0
Drupal 8.9.1
Drupal 8.9.2
Drupal 8.9.3
Drupal 8.9.4
Drupal 8.9.5
Drupal 8.9.6
Drupal 8.9.7
Drupal 8.9.8
Drupal 8.9.9
Drupal 8.9.10
Drupal 8.9.11
Drupal 8.9.12
Drupal 8.9.13
Drupal 8.9.14
Drupal 9.0.0
Drupal 9.0.1
Drupal 9.0.2
Drupal 9.0.3
Drupal 9.0.4
Drupal 9.0.5
Drupal 9.0.6
Drupal 9.0.7
Drupal 9.0.8
Drupal 9.0.9
Drupal 9.0.10
Drupal 9.0.11
Drupal 9.0.12
Drupal 9.0.13
Drupal 9.0.14
Drupal 9.1.0
Drupal 9.1.1
Drupal 9.1.2
Drupal 9.1.3

[SA-CORE-2019-003] Remote Code Execution

Skrevet den 22. februar 201918. oktober 2025 af i Drupal

Some field types did not properly sanitize data from non-form sources. This could lead to arbitrary PHP code execution in some cases.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.5.9
Drupal 8.5.10
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5
Drupal 8.6.6
Drupal 8.6.7
Drupal 8.6.8
Drupal 8.6.9

[SA-CORE-2019-002] Arbitrary PHP code execution

Skrevet den 18. januar 201918. oktober 2025 af i Drupal

A remote code execution vulnerability existed in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) could be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Part of security release SA-CORE-2019-002

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 6.38
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 7.60
Drupal 7.61
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.5.8
Drupal 8.6.0
Drupal 8.6.1
Drupal 8.6.2
Drupal 8.6.3
Drupal 8.6.4
Drupal 8.6.5

Contextual Links validation

Skrevet den 22. oktober 201820. november 2024 af i Drupal

The Contextual Links module didn’t sufficiently validate the requested contextual links.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.

Part of Security release SA-CORE-2018-006.

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.6.0
Drupal 8.6.1

External URL injection through URL aliases

Skrevet den 22. oktober 201820. november 2024 af i Drupal

In certain circumstances the user could enter a particular path that triggered an open redirect to a malicious URL.

While this issue was mitigated by the fact that the user needed the administer paths permission to exploit,

the path module has been patched to prevent malicious usage.

Part of security release SA-CORE-2018-006

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.6.0
Drupal 8.6.1

Injection in DefaultMailSystem::mail()

Skrevet den 22. oktober 201818. oktober 2025 af i Drupal

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

Part of security release SA-CORE-2018-006

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 7.59
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.6.0
Drupal 8.6.1

Anonymous open redirect

Skrevet den 22. oktober 201820. november 2024 af i Drupal

Drupal core and contributed modules frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page.

Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

Part of security release SA-CORE-2018-006

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.6.0
Drupal 8.6.1

Content moderation

Skrevet den 22. oktober 201820. november 2024 af i Drupal

In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator

Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden.

StateTransitionValidationInterface

An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method.

Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions

Previously users who didn’t have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.

This vulnerability affects the following application versions:

Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.4.8
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2
Drupal 8.5.3
Drupal 8.5.4
Drupal 8.5.5
Drupal 8.5.6
Drupal 8.5.7
Drupal 8.6.0
Drupal 8.6.1

Remote Code Execution vulnerability within multiple subsystem

Skrevet den 26. april 201818. oktober 2025 af i Drupal

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allowed attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised.

Part of security release SA-CORE-2018-004

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57
Drupal 7.58
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.4.7
Drupal 8.5.0
Drupal 8.5.1
Drupal 8.5.2

Cross Site Scripting in CKEditor

Skrevet den 24. april 201820. november 2024 af i Drupal

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

Part of security release SA-CORE-2018-003

This vulnerability affects the following application versions:

Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.3.9
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.4.6
Drupal 8.5.0
Drupal 8.5.1

[CVE-2018-7600] Remote Code Execution vulnerability

Skrevet den 3. april 201820. november 2024 af i Drupal

A remote code execution vulnerability existed within multiple subsystems of Drupal 7.x and 8.x. This potentially allowed attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

Part of security release SA-CORE-2018-002

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 6.38
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 7.57

CVE-2018-7600 Remote Code Execution vulnerability

Skrevet den 29. marts 201820. november 2024 af i Drupal

Part of security release SA-CORE-2018-002

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.3.8
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4
Drupal 8.4.5
Drupal 8.5.0

[CVE-2017-6932] External link injection on 404 pages when linking to the current page

Skrevet den 23. februar 201820. november 2024 af i Drupal

Drupal core had an external link injection vulnerability when the language switcher block was used. A similar vulnerability existed in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Part of security release SA-CORE-2018-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 6.38
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56

[SA-CORE-2018-001] JavaScript cross-site scripting prevention is incomplete

Skrevet den 23. februar 201818. oktober 2025 af i Drupal

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Drupal provides for HTML escaping are not affected.

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 6.38
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4

[CVE-2017-6928] Private file access bypass

Skrevet den 23. februar 201820. november 2024 af i Drupal

When using Drupal’s private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module was trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

Part of security release SA-CORE-2018-001

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56

[CVE-2017-6926] Comment reply form allowed access to restricted content

Skrevet den 23. februar 201820. november 2024 af i Drupal

Users with permission to post comments were able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

Part of security release SA-CORE-2018-001

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4

[CVE-2017-6930] Language fallback could be incorrect on multilingual sites with node access restrictions

Skrevet den 23. februar 201820. november 2024 af i Drupal

When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This could result in an access bypass vulnerability.

This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().

Part of security release SA-CORE-2018-001

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4

[CVE-2017-6928] Settings Tray access bypass

Skrevet den 23. februar 201820. november 2024 af i Drupal

The Settings Tray module had a vulnerability that allowed users to update certain data that they did not have the permissions for.

If you had implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but did not harden against other such bypasses.

This vulnerability could be mitigated by disabling the Settings Tray module.

Part of security release SA-CORE-2018-001

This vulnerability affects the following application versions:

Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6
Drupal 8.3.7
Drupal 8.4.0
Drupal 8.4.1
Drupal 8.4.2
Drupal 8.4.3
Drupal 8.4.4

[SA-CORE-2018-001] jQuery vulnerability with untrusted domains

Skrevet den 23. februar 201818. oktober 2025 af i Drupal

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 6.38
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 7.56

[CVE-2017-6925] Entity access bypass for entities that did not have UUIDs or had protected revisions

Skrevet den 17. august 201720. november 2024 af i Drupal

There was a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affected entities that did not use or did not have UUIDs, and entities that had different access restrictions on different revisions of the same entity.

Part of security release SA-CORE-2017-004

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6

[CVE-2017-6923] Views access bypass

Skrevet den 17. august 201720. november 2024 af i Drupal

When created a view, you could optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view.

It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

Part of security release SA-CORE-2017-004

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6

[CVE-2017-6924] REST API could bypass comment approval

Skrevet den 17. august 201720. november 2024 af i Drupal

When using the REST API, users without the correct permission could post comments via REST that were approved even if the user did not have permission to post approved comments.

This issue only affected sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker could access a user account on the site with permissions to post comments, or where anonymous users could post comments.

Part of security release SA-CORE-2017-004

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3
Drupal 8.3.4
Drupal 8.3.5
Drupal 8.3.6

[CVE-2017-6920] PECL YAML parser unsafe object handling

Skrevet den 22. juni 201720. november 2024 af i Drupal

PECL YAML parser did not handle PHP objects safely during certain operations within Drupal core. This could lead to remote code execution.

Part of security release SA-CORE-2017-003

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3

[CVE-2017-6922] Files uploaded by anonymous users into a private file system could be accessed by other anonymous users

Skrevet den 22. juni 201720. november 2024 af i Drupal

Private files that had been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

The security team has also received reports that this vulnerability is being exploited for spam purposes, similar to the scenario discussed in PSA-2016-003 for the public file system.

Part of security release SA-CORE-2017-003

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 7.52
Drupal 7.53
Drupal 7.54
Drupal 7.55
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3

[CVE-2017-6921] File REST resource does not properly validate

Skrevet den 22. juni 201720. november 2024 af i Drupal

The file REST resource did not properly validate some fields when manipulating files. A site was only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.

Part of security release SA-CORE-2017-003

This vulnerability affects the following application versions:

Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.2.8
Drupal 8.3.0
Drupal 8.3.1
Drupal 8.3.2
Drupal 8.3.3

[CVE-2017-6919] Access bypass RESTful Web Services

Skrevet den 19. april 201720. november 2024 af i Drupal

This was a critical access bypass vulnerability. A site was only affected by this when the following conditions were met:

– The site has the RESTful Web Services (rest) module enabled.

– The site allows PATCH requests.

– An attacker can get or register a user account on the site.

Part of security release SA-CORE-2017-002

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6
Drupal 8.2.7
Drupal 8.3.0

[CVE-2017-6379] Some admin paths were not protected with a CSRF token

Skrevet den 16. marts 201720. november 2024 af i Drupal

Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

Part of security release SA-CORE-2017-001

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6

[CVE-2017-6377] Editor module incorrectly checked access to inline private files

Skrevet den 16. marts 201720. november 2024 af i Drupal

When added a private file via a configured text editor (like CKEditor), the editor would not correctly check access for the file being attached, resulted in an access bypass.

Part of security patch SA-CORE-2017-001

This vulnerability affects the following application versions:

Drupal 8.2.2
Drupal 8.2.3
Drupal 8.2.4
Drupal 8.2.5
Drupal 8.2.6

[CVE-2016-9451] Confirmation forms allowed external URLs to be injected

Skrevet den 18. november 201620. november 2024 af i Drupal

Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks.

Part of security release SA-CORE-2016-005

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51

[CVE-2016-9450] Incorrect cache context on password reset page

Skrevet den 18. november 201620. november 2024 af i Drupal

The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.

Part of security release SA-CORE-2016-005

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2

[CVE-2016-9452] Denial of service via transliterate mechanism

Skrevet den 18. november 201620. november 2024 af i Drupal

A specially crafted URL could cause a denial of service via the transliterate mechanism.

Part of security release SA-CORE-2016-005

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2

Inconsistent name for term access query

Skrevet den 18. november 201618. oktober 2025 af i Drupal

Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module’s access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. Otherwise information on taxonomy terms might have been disclosed to unprivileged users.

Part of security release SA-CORE-2016-005

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43
Drupal 7.44
Drupal 7.50
Drupal 7.51
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9
Drupal 8.1.10
Drupal 8.2.0
Drupal 8.2.1
Drupal 8.2.2

[SA-CORE-2016-004] Cross-site Scripting in http exceptions

Skrevet den 22. september 201618. oktober 2025 af i Drupal

An attacker could create a specially crafted url, which could execute arbitrary code in the victim’s browser if loaded. Drupal was not properly sanitizing an exception

This vulnerability affects the following application versions:

Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9

[CVE-2016-7570] Users without “Administer comments” could set comment visibility on nodes they can edit

Skrevet den 22. september 201620. november 2024 af i Drupal

Users who have rights to edit a node, can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission.

Part of security patch SA-CORE-2016-004

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9

[CVE-2016-7572] Full config export could be downloaded without administrative permissions

Skrevet den 22. september 201620. november 2024 af i Drupal

The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission.

Part of security release SA-CORE-2016-004

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6
Drupal 8.1.7
Drupal 8.1.8
Drupal 8.1.9

[CVE-2016-5385] Guzzle library vulnerability allowed a hacker to set 3rd party proxy

Skrevet den 18. juli 201620. november 2024 af i Drupal

Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker could provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.

Part of security release SA-CORE-2016-003

This vulnerability affects the following application versions:

Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3
Drupal 8.0.4
Drupal 8.0.5
Drupal 8.0.6
Drupal 8.1.0
Drupal 8.1.1
Drupal 8.1.2
Drupal 8.1.3
Drupal 8.1.4
Drupal 8.1.5
Drupal 8.1.6

[CVE-2016-3169] Saving user accounts could sometimes grant the user all roles

Skrevet den 29. juni 201620. november 2024 af i Drupal

A hacker may acquire administrator rights using a custom Drupal module hat performs a form rebuild during submission of the user profile form.

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 5.0
Drupal 5.1
Drupal 5.2
Drupal 5.3
Drupal 5.4
Drupal 5.5
Drupal 5.6
Drupal 5.7
Drupal 5.8
Drupal 5.9
Drupal 5.10
Drupal 5.11
Drupal 5.12
Drupal 5.13
Drupal 5.14
Drupal 5.15
Drupal 5.16
Drupal 5.17
Drupal 5.18
Drupal 5.19
Drupal 5.20
Drupal 5.21
Drupal 5.22
Drupal 5.23
Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 6.38
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 7.43

[CVE-2016-3171] Session data truncation could lead to unserialization of user provided data

Skrevet den 18. maj 201620. november 2024 af i Drupal

On certain older versions of PHP, user-provided data stored in a Drupal session may be unserialized leading to possible remote code execution.

This issue is mitigated by the fact that it requires an unusual set of circumstances to exploit and depends on the particular Drupal code that is running on the site. It is also believed to be mitigated by upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18

[CVE-2016-3169] Saving user accounts could sometimes grant the user all roles

Skrevet den 18. maj 201620. november 2024 af i Drupal

Some specific contributed or custom code may call Drupal’s user_save() API in a manner different than Drupal core. Depending on the data that has been added to a form or the array prior to saving, this could lead to a user gaining all roles on a site.

This issue is mitigated by the fact that it requires contributed or custom code that calls user_save() with an explicit category and code that loads all roles into the array.

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9

[20140224] Reflected file download vulnerability

Skrevet den 18. maj 201620. november 2024 af i Drupal

Drupal core has a reflected file download vulnerability that could allow an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content.

This vulnerability is mitigated by the fact that the victim must be a site administrator and that the full version of the attack only works with certain web browsers.

https://www.drupal.org/SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24

[CVE-2016-3169] Saving user accounts could sometimes grant the user all roles

Skrevet den 7. marts 201620. november 2024 af i Drupal

This issue is mitigated by the fact that it requires contributed or custom code that calls user_save() with an explicit category and code that loads all roles into the array.

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42

[20140224] Reflected file download vulnerability

Skrevet den 3. marts 201620. november 2024 af i Drupal

Drupal core has a reflected file download vulnerability that could allow an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content.

This vulnerability is mitigated by the fact that the victim must be a site administrator and that the full version of the attack only works with certain web browsers.

https://www.drupal.org/SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42

[CVE-2016-3170] Email address could be matched to an account

Skrevet den 3. marts 201620. november 2024 af i Drupal

In certain configurations where a user’s email addresses could be used to log in instead of their username, links to “have you forgotten your password” could reveal the username associated with a particular email address, leading to an information disclosure vulnerability.

This issue is mitigated by the fact that it requires a contributed module to be installed that permits logging in with an email address, and that it is only relevant on sites where usernames are typically chosen to hide the users’ real-life identities.

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3

[CVE-2016-3166] HTTP header injection using line breaks

Skrevet den 3. marts 201620. november 2024 af i Drupal

A vulnerability in the drupal_set_header() function allowed an HTTP header injection attack to be performed if user-generated content was passed as a header value on sites running PHP versions older than 5.1.2. If the content contains line breaks the user may be able to set arbitrary headers of their own choosing.

This vulnerability is mitigated by the fact that most hosts have newer versions of PHP installed, and that it requires a module to be installed on the site that allows user-submitted data to appear in HTTP headers.

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37

[CVE-2016-3163] Brute force amplification attacks via XML-RPC (XML-RPC server – Drupal 6 and 7 – Moderately Critical)

Skrevet den 29. februar 201620. november 2024 af i Drupal

The XML-RPC system allowed a large number of calls to the same method to be made at once, which could be used as an enabling factor in brute force attacks (for example, attempting to determine user passwords by submitting a large number of password variations at once).

This vulnerability is mitigated by the fact that you must have enabled a module that provides an XML-RPC method that was vulnerable to brute-forcing. There are no such modules in Drupal 7 core, but Drupal 6 core is vulnerable via the Blog API module. It is additionally mitigated if flood control protection is in place for the method in question.

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42

[CVE-2016-3162] File upload access bypass and denial of service

Skrevet den 29. februar 201620. november 2024 af i Drupal

A vulnerability existed in the File module that allowed a malicious user to view, delete or substitute a link to a file that the victim had uploaded to a form while the form had not yet been submitted and processed. If an attacker carried out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they could be saved.

This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3

[CVE-2016-3164] Open redirect via path manipulation

Skrevet den 29. februar 201620. november 2024 af i Drupal

The current path could be populated with an external URL. This could lead to open redirect vulnerabilities.

This vulnerability is mitigated by the fact that it would only occur in combination with custom code, or in certain cases if a user submits a form shown on a 404 page with a specially crafted URL.

For Drupal 6, this patch also solves: Open redirect via double-encoded ‘destination’ parameter

The drupal_goto() function in Drupal 6 improperly decodes the contents of $_REQUEST[‘destination’] before using it, which allows the function’s open redirect protection to be bypassed and allows an attacker to initiate a redirect to an arbitrary external URL.

This vulnerability is mitigated by that fact that the attack is not possible for sites running on PHP 5.4.7 or greater.

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34
Drupal 7.35
Drupal 7.36
Drupal 7.37
Drupal 7.38
Drupal 7.39
Drupal 7.40
Drupal 7.41
Drupal 7.42
Drupal 8.0.0
Drupal 8.0.1
Drupal 8.0.2
Drupal 8.0.3

[CVE-2016-3165] Form API ignores access restrictions on submit buttons

Skrevet den 29. februar 201620. november 2024 af i Drupal

An access bypass vulnerability was found that allows input to be submitted, for example using JavaScript, for form button elements that a user is not supposed to have access to because the button was blocked by setting #access to FALSE in the server-side form definition.

This vulnerability is mitigated by the fact that the attacker must have access to submit a form that has such buttons defined for it (for example, a form that both administrators and non-administrators can access, but where administrators have additional buttons available to them).

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37

[CVE-2016-3171] Session data truncation could lead to unserialization of user provided data

Skrevet den 29. februar 201620. november 2024 af i Drupal

On certain older versions of PHP, user-provided data stored in a Drupal session may be unserialized leading to possible remote code execution.

Part of security release SA-CORE-2016-001

This vulnerability affects the following application versions:

Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 6.35
Drupal 6.36
Drupal 6.37

Open redirect through URL destination parameter

Skrevet den 21. marts 201518. oktober 2025 af i Drupal

Drupal core frequently uses a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34

[CVE-2015-2559] Access bypass through password reset URL

Skrevet den 19. marts 201520. november 2024 af i Drupal

Password reset URLs could be forged under certain circumstances, allowing an attacker to gain access to another user’s account without knowing the account’s password.

Part of security release SA-CORE-2015-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 6.34
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33
Drupal 7.34

[CVE-2014-5019] Denial of service with malicious HTTP Host header

Skrevet den 4. marts 2015 af stom_admin i Drupal

Drupal core’s multisite feature dynamically determines which configuration file to use based on the HTTP Host header. The HTTP Host header validation does not sufficiently check maliciously-crafted header values. An attacker could cause Drupal to include and execute specifically named files outside of its root directory.

Part of security release SA-CORE-2014-003

This vulnerability affects the following application versions:

Drupal 5.0
Drupal 5.1
Drupal 5.2
Drupal 5.3
Drupal 5.4
Drupal 5.5
Drupal 5.6
Drupal 5.7
Drupal 5.8
Drupal 5.9
Drupal 5.10
Drupal 5.11
Drupal 5.12
Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6

Reflected XSS in error message

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

A reflected cross site scripting vulnerability was discovered in Drupal’s error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin/settings/error-reporting. This is the recommended setting for production sites.

https://drupal.org/node/1168756

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20

XSS vulnerability in image module

Skrevet den 4. marts 2015 af stom_admin i Drupal

Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23

Incorrect filter allowing XSS

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

A bug in the output filter employed by Drupal makes it possible for malicious users to insert script code into pages.

https://drupal.org/node/295053

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3

XSS in color module

Skrevet den 4. marts 2015 af stom_admin i Drupal

When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the “Administer themes” permission.

https://drupal.org/node/1168756

This vulnerability affects the following application versions:

Drupal 5.0
Drupal 5.1
Drupal 5.2
Drupal 5.3
Drupal 5.4
Drupal 5.5
Drupal 5.6
Drupal 5.7
Drupal 5.8
Drupal 5.9
Drupal 5.10
Drupal 5.11
Drupal 5.12
Drupal 5.13
Drupal 5.14
Drupal 5.15
Drupal 5.16
Drupal 5.17
Drupal 5.18
Drupal 5.19
Drupal 5.20
Drupal 5.21
Drupal 5.22
Drupal 5.23
Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20

[CVE-2013-0245] Titles and content of nodes avaible in book module printer friendly version

Skrevet den 4. marts 201520. november 2024 af i Drupal

A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.

Part of security release SA-CORE-2013-001

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18

[CVE-2014-5266 + CVE-2014-5267] Denial of Service in OpenID module

Skrevet den 4. marts 2015 af stom_admin i Drupal

Drupal includes an OpenID module which is publicly available. The PHP XML parser used by this endpoint was vulnerable to an XML entity expansion attack and other related XML payload attacks which could cause CPU and memory exhaustion and the site’s database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service). This vulnerability only affected sites that have the OpenID module enabled.

Part of security release SA-CORE-2014-004

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30

XSS vulnerability in Color module

Skrevet den 4. marts 2015 af stom_admin i Drupal

https://drupal.org/node/1168756

This vulnerability affects the following application versions:

Drupal 7.0

[CVE-2012-5653] Arbitrary PHP code execution in file upload modules

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal core’s file upload feature blocks the upload of many files that could be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal’s input validation.

Part of security release SA-CORE-2012-004

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26

File inclusion in bootstrap.inc

Skrevet den 4. marts 2015 af stom_admin i Drupal

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory.

Part of security release SA-2008-067

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5

XSS in contact module

Skrevet den 4. marts 2015 af stom_admin i Drupal

The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.

https://drupal.org/node/661586

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14

[CVE-2014-3704] SQL injection in database abstraction layer

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allowed an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this could lead to privilege escalation, arbitrary PHP execution, or other attacks.

This vulnerability could be exploited by anonymous users.

Part of security release SA-CORE-2014-005

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31

[CVE-2014-5265] Denial of Service in XML-RPC module

Skrevet den 4. marts 2015 af stom_admin i Drupal

Drupal includes an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint was vulnerable to an XML entity expansion attack and other related XML payload attacks which could cause CPU and memory exhaustion and the site’s database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites were vulnerable to this attack whether XML-RPC is used or not.

Part of security release SA-CORE-2014-004

This vulnerability affects the following application versions:

Drupal 5.0
Drupal 5.1
Drupal 5.2
Drupal 5.3
Drupal 5.4
Drupal 5.5
Drupal 5.6
Drupal 5.7
Drupal 5.8
Drupal 5.9
Drupal 5.10
Drupal 5.11
Drupal 5.12
Drupal 5.13
Drupal 5.14
Drupal 5.15
Drupal 5.16
Drupal 5.17
Drupal 5.18
Drupal 5.19
Drupal 5.20
Drupal 5.21
Drupal 5.22
Drupal 5.23
Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30

Arbitrary file uploads via BlogAPI

Skrevet den 4. marts 201520. november 2024 af i Drupal

The BlogAPI module did not validate the extension of uploaded files, enabled users with the “administer content with blog api” permission to upload harmful files.

Part of security release SA-2008-047

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3

BlogAPI access bypass

Skrevet den 4. marts 201520. november 2024 af i Drupal

The BlogAPI module did not implement correct validation for certain content fields, allowing for values to be set for fields which would otherwise be inaccessible on an internal Drupal form.

Part of security release SA-2008-060

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4

[CVE-2012-0825] OpenID did verifying signed attributes in SREG and AX

Skrevet den 4. marts 201520. november 2024 af i Drupal

A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users’ information.

Part of security release SA-CORE-2012-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22

XSS in menu administration

Skrevet den 4. marts 2015 af stom_admin i Drupal

The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.

https://drupal.org/node/661586

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14

[CVE-2014-9015] Session hijacking used empty session keys

Skrevet den 4. marts 201520. november 2024 af i Drupal

A specially crafted request could give a user access to another user’s session, allowing an attacker to hijack a random session.

This attack was known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content (“mixed-mode”), but it was possible there are other attack vectors for both Drupal 6 and Drupal 7.

Part of security release SA-CORE-2014-006

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 6.32
Drupal 6.33
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33

OpenID authentication bypass

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

The OpenID module didn’t implement all the required verifications from the OpenID 2.0 protocol and was vulnerable to a number of attacks.

Specifically:

– OpenID should verify that a “openid.response_nonce” had not already been used for an assertion by the OpenID provider

– OpenID should verify the value of openid.return_to as obtained from the OpenID provider

– OpenID must verify that all fields that were required to be signed were signed

These specification violations allowed malicious sites to harvest positive assertions from OpenID providers and used them on sites using the OpenID module to obtain access to preexisting accounts bound to the harvested OpenIDs. Intercepted assertions from OpenID providers could also be replayed and used to obtain access to user accounts bound to the intercepted OpenIDs.

Part of security release SA-CORE-2010-002

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17

XSS in titles

Skrevet den 4. marts 2015 af stom_admin i Drupal

Titles are not escaped prior to being displayed on content edit forms, allowing users to inject arbitrary HTML and script code into these pages.

http://www.cvedetails.com/cve/CVE-2008-1133/

https://drupal.org/node/227608

This vulnerability affects the following application versions:

Drupal 6.0

[CVE-2012-2153] Incomplete check in content administration

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the “Access the content overview page” permission. Unpublished nodes were not displayed to users who only had the “Access the content overview page” permission.

Part of security release SA-CORE-2012-002

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12

[CVE-2012-5651] Blocked users visible in module search

Skrevet den 4. marts 201520. november 2024 af i Drupal

A vulnerability was identified that allowed blocked users to appear in user search results, even when the search results are viewed by unprivileged users.

Part of security release SA-CORE-2012-004

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26

[CVE-2012-5652] Incorrect permission check in file search

Skrevet den 4. marts 201520. november 2024 af i Drupal

A vulnerability was identified that allows information about uploaded files to be displayed in RSS feeds and search results to users that do not have the “view uploaded files” permission.

Part of security release SA-CORE-2012-004

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26

[CVE-2014-9016] DoS by hashing large passwords

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allowed an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability could be exploited by anonymous users.

Part of security release SA-CORE-2014-006

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28
Drupal 7.29
Drupal 7.30
Drupal 7.31
Drupal 7.32
Drupal 7.33

Cross-site scripting Form API optgroups

Skrevet den 4. marts 201520. november 2024 af i Drupal

A cross-site scripting vulnerability was found due to Drupal’s form API failing to sanitize option group labels in select elements.

https://www.drupal.org/SA-CORE-2014-003

This vulnerability affects the following application versions:

Drupal 5.0
Drupal 5.1
Drupal 5.2
Drupal 5.3
Drupal 5.4
Drupal 5.5
Drupal 5.6
Drupal 5.7
Drupal 5.8
Drupal 5.9
Drupal 5.10
Drupal 5.11
Drupal 5.12
Drupal 5.13
Drupal 5.14
Drupal 5.15
Drupal 5.16
Drupal 5.17
Drupal 5.18
Drupal 5.19
Drupal 5.20
Drupal 5.21
Drupal 5.22
Drupal 5.23
Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28

[CVE-2012-0825] OpenID did not verify signed attributes in SREG and AX

Skrevet den 4. marts 201520. november 2024 af i Drupal

Part of security release SA-CORE-2012-001

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10

OpenID impersonation

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

The OpenID module was not a compliant implementation of the OpenID Authentication 2.0 specification. An implementation error allowed a user to access the account of another user when they share the same OpenID 2.0 provider.

Part of security release SA-CORE-2009-008

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13

XSS in vocabulary

Skrevet den 4. marts 2015 af stom_admin i Drupal

The taxonomy module allows users with the ‘administer taxonomy’ permission to inject arbitrary HTML and script code in the help text of any vocabulary.

https://drupal.org/node/461886

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11

Access bypass through incomplete security token validation

Skrevet den 4. marts 201520. november 2024 af i Drupal

The function drupal_valid_token() could return TRUE for invalid tokens if the caller did not make sure that the token is a string.

Part of security release SA-CORE-2013-003

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23

[CVE-2014-5020] Access bypass in file module

Skrevet den 4. marts 2015 af stom_admin i Drupal

The File module included in Drupal 7 core allowed attaching files to pieces of content. The module didn’t sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

Part of security release SA-CORE-2014-003

This vulnerability affects the following application versions:

Drupal 5.0
Drupal 5.1
Drupal 5.2
Drupal 5.3
Drupal 5.4
Drupal 5.5
Drupal 5.6
Drupal 5.7
Drupal 5.10
Drupal 5.11
Drupal 5.12
Drupal 5.13
Drupal 5.14
Drupal 5.15
Drupal 5.16
Drupal 5.17
Drupal 5.18
Drupal 5.19
Drupal 5.20
Drupal 5.21
Drupal 5.22
Drupal 5.23
Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28

[CVE-2012-5653] Arbitrary PHP code execution in file upload modules

Skrevet den 4. marts 201520. november 2024 af i Drupal

Part of security release SA-CORE-2012-004

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17

Blocked user session regeneration

Skrevet den 4. marts 201520. november 2024 af i Drupal

Under certain circumstances, a user with an open session that was blocked could maintain his/her session on the Drupal site, despite being blocked.

Part of security release SA-CORE-2010-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15

[CVE-2013-6385] Naive CSRF protection in Forms API

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal’s form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may executed unsafe operations.

Part of security release SA-CORE-2013-003

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23

Injected code execution prevention

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

Drupal core attempted to add a “defense in depth” protection to prevent script execution by placing a .htaccess file into the files directories that stopped execution of PHP scripts on the Apache web server. This protection is only necessary if there is a vulnerability on the site or on a server that allowed users to upload malicious files. The configuration in the .htaccess file did not prevent code execution on certain Apache web server configurations.

Part of security release SA-CORE-2013-003

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23

[CVE-2012-1588] Denial of Service using filter function

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal core’s text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal’s text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the “post comments” or “Forum topic: Create new content” permission.

Part of security release SA-CORE-2012-002

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12

SQL injection hardening

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

A parameter passed into the node access API was not properly escaped or validated before being used in SQL queries.

Part of security release SA-CORE-2009-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8

[CVE-2013-0316] Denial of service in image module

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal core’s Image module allows for the on-demand generation of image derivatives. This capability could be abused by requesting a large number of new derivatives which could fill up the server disk space, and which could cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

Part of security release SA-CORE-2013-002

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20

XSS in forum module

Skrevet den 4. marts 2015 af stom_admin i Drupal

The Forum module does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert arbitrary HTML and script code into forum pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.

https://drupal.org/node/507572

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12

XSS in title of book

Skrevet den 4. marts 2015 af stom_admin i Drupal

The title of book pages is not always properly escaped, enabling users with the “create book content” permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross Site Scripting attack may lead to the attacker gaining administrator access.

https://drupal.org/node/324824

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5

[CVE-2012-0826] CSRF vulnerability in Aggregator module

Skrevet den 4. marts 201520. november 2024 af i Drupal

An XSRF vulnerability could force an aggregator feed to update. Since some services were rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

Part of security release SA-CORE-2012-001

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10

Comment unpublishing bypass

Skrevet den 4. marts 201520. november 2024 af i Drupal

The module supports unpublishing comments by privileged users. Users with the “post comments without approval” permission however could craft a URL which allowed them to republish previously unpublished comments.

Part of security release SA-CORE-2010-002

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17

CSRF in update functions

Skrevet den 4. marts 201520. november 2024 af i Drupal

The update system was vulnerable to cross site request forgeries. Malicious users may cause the superuser to execute old updates that may damage the database.

Part of security release SA-2008-073

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6

Privilege escalation for users having translate content permission

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

The Content Translation module for Drupal 6.x enables users to make a translation of an existing item of content (a node). In that process the existing node’s content was copied into the new node’s submission form.

The module contained a flaw that allowed a user with the ‘translate content’ permission to potentially bypass normal viewing access restrictions, for example allowing the user to see the content of unpublished nodes even if they did not have permission to view unpublished nodes.

Part of security release SA-CORE-2009-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8

Unvalidated form redirect in users

Skrevet den 4. marts 2015 af stom_admin i Drupal

Drupal core’s Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user’s ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.

http://www.cvedetails.com/cve/CVE-2012-1589/

https://drupal.org/node/1557938

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12

Access bypass in File module

Skrevet den 4. marts 201520. november 2024 af i Drupal

When using private files in combination with a node access module, the File module allows unrestricted access to private files.

Part of security release SA-CORE-2011-001

This vulnerability affects the following application versions:

Drupal 7.0

Access bypass in node listings

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.

http://www.cvedetails.com/cve/CVE-2011-2687/

https://drupal.org/node/1204582

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2

[CVE-2011-2726] Access bypass in private file fields on comments

Skrevet den 4. marts 201520. november 2024 af i Drupal

Access bypass in private file fields on comments.

Drupal 7 contains two new features: the ability to attach File upload fields to any entity type in the system and the ability to point individual File upload fields to the private file directory.

If a Drupal site was using these features on comments, and the parent node was denied access (either by a node access module or by being unpublished), the file attached to the comment could still be downloaded by non-privileged users if they know or guess its direct URL.

Part of security release SA-CORE-2011-003

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4

Session fixation

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

When contributed modules such as Workflow NG terminate the current request during a login event, user module was not able to regenerate the user’s session. This may lead to a session fixation attack, when a malicious user was able to control another users’ initial session ID. As the session was not regenerated, the malicious user may use the ‘fixed’ session ID after the victim authenticates and would have the same access. This issue affects both Drupal 5 and Drupal 6.

Part of security release SA-2008-044

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2

Code uploading

Skrevet den 4. marts 201520. november 2024 af i Drupal

File uploads with certain extensions were not correctly processed by the File API. This may lead to the creation of files that were executable by Apache. The .htaccess that was saved into the files directory by Drupal should normally prevent execution. The files were only executable when the server was configured to ignore the directives in the .htaccess file.

Part of security release SA-CORE-2009-008

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13

Signature change filter bypass

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

User signatures have no separate input format, they use the format of the comment with which they are displayed. A user will no longer be able to edit a comment when an administrator changes the comment’s input format to a format that is not accessible to the user. However they will still be able to modify their signature, which will then be processed by the new input format.

If the new format is very permissive, via their signature, the user may be able to insert arbitrary HTML and script code into pages or, when the PHP filter is enabled for the new format, execute PHP code.

Part of security release SA-CORE-2009-007

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12

[CVE-2012-0826] CSRF vulnerability in aggregator module

Skrevet den 4. marts 201520. november 2024 af i Drupal

A CSRF vulnerability could force an aggregator feed to update. Since some services were rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

Part of security release SA-CORE-2012-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22

[CVE-2012-4553] Information disclosure in OpenID module

Skrevet den 4. marts 201520. november 2024 af i Drupal

For sites using the core OpenID module, an information disclosure vulnerability was identified that allowed an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.

Part of security release SA-CORE-2012-003

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15

File upload access bypass

Skrevet den 4. marts 2015 af stom_admin i Drupal

A logic error in the core upload module validation allowed unprivileged users to attach files to content. This bug affects Drupal 6.x only.

Part of security release SA-2008-060

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4

CSRF in frontpage forms

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal core also had a very limited information disclosure vulnerability under very specific conditions. If a user was tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form.

This vulnerability is limited to forms present on the frontpage. The user login form is not vulnerable.

Part of security release SA-CORE-2009-005

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10

[CVE-2013-0246] Incorrect image permissions set in image module

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on “image styles” and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.

Part of security release SA-CORE-2013-001

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18

Profile filters were bypassed if profile pictures were enabled

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

When user profile pictures were enabled, the default user profile validation function would be bypassed, possibly allowing invalid user names or e-mail addresses to be submitted.

Part of security release SA-CORE-2009-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8

[CVE-2012-5651] Blocked users visible in search module

Skrevet den 4. marts 201520. november 2024 af i Drupal

A vulnerability was identified that allowed blocked users to appear in user search results, even when the search results are viewed by unprivileged users.

Onderdeel van security release SA-CORE-2012-004

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17

CSRF in cached forms

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal forms contains a token to protect against cross site request forgeries (CSRF). The token may not been validated properly for cached forms and forms containing AHAH elements.

Part of security release SA-2008-047

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3

Locale module XSS

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the ‘administer languages’ permission.

https://drupal.org/node/731710

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15

Password leaked in URL

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

When an anonymous user fails to login due to mistyping his username or password, and the page he is on contains a sortable table, the (incorrect) username and password were included in links on the table. If the user visits these links the password may then be leaked to external sites via the HTTP referer.

In addition, if the anonymous user is enticed to visit the site via a specially crafted URL while the Drupal page cache is enabled, a malicious user could be able to retrieve the (incorrect) username and password from the page cache.

Part of security release SA-CORE-2009-007

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12

[CVE-2012-0827] Limited access bypass in File module

Skrevet den 4. marts 201520. november 2024 af i Drupal

When using private files in combination with certain field access modules, the File module would allow users to download the file even if they did not have access to view the field it was attached to.

Part of security release SA-CORE-2012-001

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10

[CVE-2012-4553] Possible reinstall of Drupal (and resulting PHP code execution)

Skrevet den 4. marts 201520. november 2024 af i Drupal

A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.

Part of security release SA-CORE-2012-003

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15

[CVE-2015-3234] OpenID impersonation vulnerability

Skrevet den 4. marts 201520. november 2024 af i Drupal

A vulnerability was present in the OpenID module that allowed a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

Part of security release SA-CORE-2015-002

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25

[CVE-2013-0245] Titles and content of nodes avaible in book module printer friendly version

Skrevet den 4. marts 201520. november 2024 af i Drupal

A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.

Part of security release SA-CORE-2013-001

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27

Information disclosure through improper form data isolation

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

Drupal did not properly isolate the cached data of different anonymous users, which allowed remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.

http://www.cvedetails.com/cve/CVE-2014-2983/

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26

Installation XSS

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.

https://drupal.org/node/731710

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15

[CVE-2012-1590] Incomplete forum list access check

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal core’s forum lists failed to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.

Part of security release SA-CORE-2012-002

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12

Open redirect in drupal_goto()

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.

https://drupal.org/node/731710

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15

Open redirect in overlay module

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23

File inclusion when running in Windows

Skrevet den 4. marts 2015 af stom_admin i Drupal

This vulnerability exists on Windows, regardless of the type of webserver (Apache, IIS) used.

The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it didn’t take into account how Windows arrives at a canonicalized path. This enabled malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files. For example: If a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site.

Part of security release SA-CORE-2009-004

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9

Privilege escalation in user module

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

A deficiency in the user module allowed users who had been blocked by access rules to continue logging into the site under certain conditions.

Part of security release SA-2008-060

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4

XSS in OpenID

Skrevet den 4. marts 2015 af stom_admin i Drupal

Some values from OpenID providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only.

filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input.

http://www.cvedetails.com/cve/CVE-2008-3218/

https://drupal.org/node/280571

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2

[CVE-2013-6386] Weakness in pseudorandom number generation using mt_rand()

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances.

Part of security release SA-CORE-2013-003

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23

[CVE-2014-1476] Access bypass vulnerability in taxonomy module

Skrevet den 4. marts 201520. november 2024 af i Drupal

The Taxonomy module provides various listing pages which display content tagged with a particular taxonomy term. Custom or contributed modules may also provide similar lists. Under certain circumstances, unpublished content could appear on these pages and would be visible to users who should not have permission to see it.

Part of security release SA-CORE-2014-001

This vulnerability affects the following application versions:

Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25

[CVE-2014-5019] Denial of service with malicious HTTP Host header

Skrevet den 4. marts 2015 af stom_admin i Drupal

Drupal core’s multisite feature dynamically determines which configuration file to use based on the HTTP Host header. The HTTP Host header validation did not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affected sites that didn’t actually use the multisite feature.

Part of security release SA-CORE-2014-003

This vulnerability affects the following application versions:

Drupal 5.13
Drupal 5.14
Drupal 5.15
Drupal 5.16
Drupal 5.17
Drupal 5.18
Drupal 5.19
Drupal 5.20
Drupal 5.21
Drupal 5.22
Drupal 5.23
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17
Drupal 6.18
Drupal 6.19
Drupal 6.20
Drupal 6.21
Drupal 6.22
Drupal 6.23
Drupal 6.24
Drupal 6.25
Drupal 6.26
Drupal 6.27
Drupal 6.28
Drupal 6.29
Drupal 6.30
Drupal 6.31
Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23
Drupal 7.24
Drupal 7.25
Drupal 7.26
Drupal 7.27
Drupal 7.28

XSS vulnerability in color module

Skrevet den 4. marts 2015 af stom_admin i Drupal

A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS.

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12
Drupal 7.13
Drupal 7.14
Drupal 7.15
Drupal 7.16
Drupal 7.17
Drupal 7.18
Drupal 7.19
Drupal 7.20
Drupal 7.21
Drupal 7.22
Drupal 7.23

SQL injection in numeric placeholder

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

Schema API used an inappropriate placeholder for ‘numeric’ fields enabling SQL injection when user-supplied data was used for such fields. This issue affects Drupal 6 only.

Part of security release SA-2008-044

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2

File download access bypass

Skrevet den 4. marts 2015 af stom_admin i Drupal

The upload module looked up files for download in the database and serves them for download after access checking. However, it did not account for the fact that certain database configurations would not consider case differences in file names. If a malicious user uploaded a file which only differs in letter case, access would be granted for the earlier upload regardless of actual file access to that.

Part of security release SA-CORE-2010-002

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17

XSS in Actions

Skrevet den 4. marts 2015 af stom_admin i Drupal

Users with “administer actions permission” can enter action descriptions and messages which are not properly filtered on output. Users with content and taxonomy tag submission permissions can create nodes and taxonomy terms which are not properly sanitized for inclusion in action messages and inject arbitrary HTML and script code into Drupal pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.

https://drupal.org/node/880476

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13
Drupal 6.14
Drupal 6.15
Drupal 6.16
Drupal 6.17

Upload module vulnerabilities

Skrevet den 4. marts 2015 af stom_admin i Drupal

The Upload module in Drupal 6 contained privilege escalation vulnerabilities for users with the “upload files” permission. This cuould lead to users being able to edit nodes which they were normally not allowed to, delete any file to which the webserver had sufficient rights, and download attachments of nodes to which they had no access. Harmful files may also be uploaded via cross site request forgeries (CSRF).

Part of security release SA-2008-047

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3

UTF-7 UTF-8 XSS in title

Skrevet den 4. marts 2015 af stom_admin i Drupal

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.

https://drupal.org/node/449078

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11

Privilege escalation in menu system

Skrevet den 4. marts 201518. oktober 2025 af i Drupal

The menu system routes page requests to appropriate handlers. It also determines whether a user had access to pages based on several criteria, such as permissions assigned to a role. Drupal 6 features an entirely revised menu system, including changes to the way access was dealt with, which if not properly understood by developers could lead to vulnerabilities. This security release provides a more secure access behaviour by default, and fixes incorrectly set menu items in Drupal core.

Access to some pages was not appropriately controlled:

– Any user could edit profile pages of other users.

– Users who could view administration pages were able to edit content types.

– The tracker and blog pages expose information to users without the “access content” permission.

Part of security release SA-2008-026

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1

XSS after deleting input format

Skrevet den 4. marts 2015 af stom_admin i Drupal

When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from ‘malicious’ content that was posted earlier.

https://drupal.org/node/345441

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.5
Drupal 6.6

CSRF in administrative actions

Skrevet den 4. marts 201520. november 2024 af i Drupal

Translated strings (5.x, 6.x) and OpenID identities (6.x) were immediately deleted upon accessing a properly formatted URL, making such deletion vulnerable to cross site request forgeries (CSRF). This may lead to unintended deletion of translated strings or OpenID identities when a sufficiently privileged user visits a page or site created by a malicious person.

Part of security release SA-2008-044

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2

[CVE-2012-1591] Disallowed viewing of private images

Skrevet den 4. marts 201520. november 2024 af i Drupal

Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn’t set the right headers to prevent image styles from being cached in the browser.

Part of security release SA-CORE-2012-002

This vulnerability affects the following application versions:

Drupal 7.0
Drupal 7.1
Drupal 7.2
Drupal 7.3
Drupal 7.4
Drupal 7.5
Drupal 7.6
Drupal 7.7
Drupal 7.8
Drupal 7.9
Drupal 7.10
Drupal 7.11
Drupal 7.12

CSRF allowing adding of OpenID identities to an account

Skrevet den 4. marts 201520. november 2024 af i Drupal

The core OpenID module did not correctly implement Form API for the form that allowed one to link user accounts with OpenID identifiers. A malicious user was therefore able to use cross site request forgeries to add attacker controlled OpenID identities to existing accounts. These OpenID identities could then be used to gain access to the affected accounts.

Part of security release SA-CORE-2009-008

This vulnerability affects the following application versions:

Drupal 6.0
Drupal 6.1
Drupal 6.2
Drupal 6.3
Drupal 6.4
Drupal 6.5
Drupal 6.6
Drupal 6.7
Drupal 6.8
Drupal 6.9
Drupal 6.10
Drupal 6.11
Drupal 6.12
Drupal 6.13