13921 matches found
PT-2025-47342
Name of the Vulnerable Software and Affected Versions: Drupal Email TFA versions prior to 2.0.6. Description: An authentication bypass issue exists in Drupal Email TFA, allowing functionality bypass through an alternate path or channel. The issue impacts the Email TFA module. Recommendations: Update ...
Drupal Email TFA Security Vulnerability
Drupal Email TFA is a Drupal community module that provides email-based two-factor authentication functionality for Drupal. A security vulnerability exists in Drupal Email TFA versions prior to 2.0.6 that stems from bypassing authentication using an alternate path or channel, which could lead to...
Drupal core Security Vulnerability
Drupal core is a free, open source content management system developed in PHP by the Drupal community. A security vulnerability in Drupal core versions prior to 10.4.9, 10.5.0 through 10.5.6, 11.0.0 through 11.1.9, and 11.2.0 through 11.2.8 stems from the use of browser caches that contain...
Drupal core Security Vulnerability
Drupal core is a free, open source content management system developed in PHP by the Drupal community. A security vulnerability exists in Drupal core versions prior to 10.4.9, 10.5.0 through 10.5.6, 11.0.0 through 11.1.9, and 11.2.0 through 11.2.8, which stems from an improperly controlled...
PT-2025-47345
Name of the Vulnerable Software and Affected Versions: Drupal versions 8.0.0 through 10.4.9; Drupal versions 10.5.0 through 10.5.6; Drupal versions 11.0.0 through 11.1.9; Drupal versions 11.2.0 through 11.2.7. Description: Drupal core contains an improperly controlled modification of...
PT-2025-47346
Name of the Vulnerable Software and Affected Versions: Drupal versions 8.0.0 through 10.4.9; Drupal versions 10.5.0 through 10.5.6; Drupal versions 11.0.0 through 11.1.9; Drupal versions 11.2.0 through 11.2.8. Description: A flaw exists in Drupal core that allows for content spoofing through a user...
Drupal Simple multi step form Security Vulnerability
Drupal Simple multi step form is a form module for the Drupal community. A security vulnerability exists in Drupal Simple multi step form versions prior to 2.0.0, which stems from improper input neutralization during page generation and could lead to a cross-site scripting attack...
PT-2025-47343
Name of the Vulnerable Software and Affected Versions: Drupal Simple multi step form versions prior to 2.0.0. Description: A flaw exists in Drupal Simple multi step form that allows for Cross-Site Scripting (XSS). This issue is due to improper neutralization of input during web page generation. The...
Drupal 8.0.x < 10.4.9 Multiple Vulnerabilities
According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities:
- Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.
- Drupal core contains a...
Drupal 10.5.x < 10.5.6 Multiple Vulnerabilities
According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities:
- Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.
- Drupal core contains a...
Drupal 11.2.x < 11.2.8 Multiple Vulnerabilities
According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities:
- Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.
- Drupal core contains a...
Drupal 11.0.x < 11.1.9 Multiple Vulnerabilities
According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities:
- Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.
- Drupal core contains a...
Drupal Multiple Vulnerabilities (SA-CORE-2025-005 - SA-CORE-2025-008)
Drupal is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:drupal:drupal"; if(description)...
DRUPAL-CORE-2025-008
The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module. In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This...
DRUPAL-CORE-2025-007
By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement. The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content such as branding is rendered...
DRUPAL-CORE-2025-006
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data...
DRUPAL-CORE-2025-005
Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden. This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests...
Drupal core 8.0.0-10.4.8, 10.5.0-10.5.5, 11.0.0-11.1.8, 11.2.0-11.2.7 - Unauthenticated Denial of Service Attack vulnerability
Unauthenticated Denial of Service Attack vulnerability discovered by Dragos Dumitrescu (dragos-dumi) in WordPress Core Drupal versions 8.0.0-10.4.8, 10.5.0-10.5.5, 11.0.0-11.1.8, 11.2.0-11.2.7...
Drupal core - Moderately critical - Defacement - SA-CORE-2025-007
By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement. The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content such as branding is rendered...
Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008
The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module. In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This...