35 matches found
Design/Logic Flaw
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your...
PT-2023-23267 · Drupal · Drupal
Name of the Vulnerable Software and Affected Versions: Drupal affected versions not specified Description: The file download facility does not sufficiently sanitize file paths in certain situations, potentially allowing users to access private files they should not have access to. Some sites may...
GHSA-RHX9-3QF7-R3J7 Drupal Remote code execution
A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerabl...
Drupal Input Validation Vulnerability (SA-CORE-2022-008) - Windows
Drupal is prone to an improper input validation vulnerability. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:drupal:drupal";...
Drupal 7.x < 7.86 Multiple XSS Vulnerabilities (SA-CORE-2022-002) - Linux
Drupal is prone to multiple cross-site scripting XSS vulnerabilities in jQuery UI. Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This...
Drupal 8.8.x < 8.8.11 Remote Code Execution
According to its self-reported version, the instance of Drupal running on the remote web server is 7.0.x prior to 7.74, 8.8.x prior to 8.8.11, 8.9.x prior to 8.9.9 or 9.0.x prior to 9.0.8. It is, therefore, affected by a remote code execution due to filenames on uploaded files not properly...
Drupal 8.x < 8.5.15 Multiple Vulnerabilities
According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities : - Several flaws exist in third-party Symfony PHP framework. - A flaw exists in third-party jQuery JavaScript library. Note that the scanner has not tested for these issues but...
Drupal cross-site scripting vulnerability (CNVD-2018-05185)
Drupal is a free, open source content management system developed in PHP and maintained by the Drupal community. jQuery is one of the JavaScript libraries used in it. A cross-site scripting vulnerability exists in jQuery in Drupal versions 8 and 7. A remote attacker can exploit this vulnerability...
Multiple vulnerabilities in the Drupal Search API module
Drupal is a free, open source content management system developed in PHP and maintained by the Drupal community.Search API is one of the framework modules used to create search functionality for any Entity of Drupal. Information disclosure vulnerabilities, cross-site scripting vulnerabilities, an...
Drupal Unsupported Version Detection
Binary data 9221.prm...
Drupal Version Detection
Binary data 9209.prm...
Drupal 6.x Detection
Binary data 9210.prm...
UBUNTU-CVE-2013-6389
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors...
Drupal-4.7.txt
!/usr/bin/php -q -d shortopentag=on '; / then: http://target/path/files/attach.php.pps?cmd=ls%20-la also, I noticed that from an admin account you can upload .php3 or .php5 files / if $argc6 echo "Usage: php ".$argv0." host path user pass cmd OPTIONS\r\n"; echo "host: target server...
Unintentionally logging credit card transactions
Solar Designer of the Openwall Project reported a security vulnerability in the contributed authorizenet module which is part of the ecommerce package. Credit card information was being stored in a system log file. The system should not be saving this information. Versions affected Please check t...