Drupal Core vulnerabilities
103 known vulnerabilities affecting drupal/core.
Total CVEs: 103
CISA KEV: 5 (actively exploited)
Public exploits: 7
Exploited in wild: 8
Severity breakdown: CRITICAL 9, HIGH 33, MEDIUM 44, LOW 5, UNKNOWN 12
Vulnerabilities
Page 3 of 6
CVE-2016-3169 [HIGH] CWE-269: Drupal saving user accounts can sometimes grant the user all roles
Affected: ≥ 6.0, < 6.38; ≥ 7.0, < 7.43 | 2022-05-17
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
Sources: GHSA, OSV
CVE-2016-3163 [HIGH]: Drupal Brute force amplification attacks via XML-RPC
Affected: ≥ 7.0, < 7.43; ≥ 6.0, < 6.38 | 2022-05-17
The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
Sources: GHSA, OSV
CVE-2017-6379 [HIGH] CWE-352: Drupal Cross-Site Request Forgery (CSRF)
Affected: ≥ 8.2.0, < 8.2.7 | 2022-05-17
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
Sources: GHSA, OSV
CVE-2016-3165 [HIGH] CWE-284: Drupal Form API ignores access restrictions on submit buttons
Affected: ≥ 6.0, < 6.38 | 2022-05-17
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
Sources: GHSA, OSV
CVE-2016-3164 [HIGH]: Drupal Open Redirect
Affected: ≥ 8.0, < 8.0.4; ≥ 7.0, < 7.43; +1 more | 2022-05-17
Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.
Sources: GHSA, OSV
CVE-2016-3167 [HIGH] CWE-601: Drupal Open redirect vulnerability in the drupal_goto function
Affected: ≥ 6.0, < 6.38 | 2022-05-17
Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.
Sources: GHSA, OSV
CVE-2016-9450 [HIGH] CWE-345: Drupal Incorrect cache context on password reset page
Affected: ≥ 8.0, < 8.2.3 | 2022-05-17
The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.
Sources: GHSA, OSV
CVE-2011-2687 [HIGH] CWE-284: Drupal Access Control Bypass
Affected: ≥ 7.0, < 7.3 | 2022-05-17
Drupal 7.x before 7.3 allows remote attackers to bypass intended `node_access` restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
Sources: GHSA, OSV
CVE-2016-3168 [MEDIUM]: Drupal Reflected file download vulnerability
Affected: ≥ 6.0, < 6.38; ≥ 7.0, < 7.43 | 2022-05-17
The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."
Sources: GHSA, OSV
CVE-2016-9451 [MEDIUM] CWE-601: Drupal Open Redirect
Affected: ≥ 7.0, < 7.52; ≥ 8.0, < 8.2.3 | 2022-05-17
Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.
Sources: GHSA, OSV
CVE-2016-3166 [MEDIUM] CWE-113: Drupal CRLF injection vulnerability in the drupal_set_header function
Affected: ≥ 6.0, < 6.38 | 2022-05-17
CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.
Sources: GHSA, OSV
CVE-2016-7572 [MEDIUM]: Drupal Unprivileged access to config export
Affected: ≥ 8.0, < 8.1.10 | 2022-05-17
The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.
Sources: GHSA, OSV
CVE-2016-3170 [MEDIUM] CWE-200: Drupal sensitive information disclosure
Affected: ≥ 7.0, < 7.43; ≥ 8.0, < 8.0.4 | 2022-05-17
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.
Sources: GHSA, OSV
CVE-2016-9452 [MEDIUM] CWE-20: Drupal Denial of service via transliterate mechanism
Affected: ≥ 8.0, < 8.2.3 | 2022-05-17
The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.
Sources: GHSA, OSV
CVE-2016-9449 [MEDIUM] CWE-200: Drupal sensitive information disclosure
Affected: ≥ 7.0, < 7.52; ≥ 8.0, < 8.2.3 | 2022-05-17
The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.
Sources: GHSA, OSV
CVE-2016-7571 [MEDIUM] CWE-79: Drupal Cross-site scripting (XSS) vulnerability
Affected: ≥ 8.0, < 8.1.10 | 2022-05-17
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.
Sources: GHSA, OSV
CVE-2016-7570 [MEDIUM] CWE-269: Drupal Users without "Administer comments" can set comment visibility on nodes they can edit
Affected: ≥ 8.0.0, < 8.1.10 | 2022-05-17
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
Sources: GHSA, OSV
CVE-2016-6212 [MEDIUM] CWE-200: Drupal Views can allow unauthorized users to see Statistics information
Affected: ≥ 8.0, < 8.1.3 | 2022-05-17
The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.
Sources: GHSA, OSV
CVE-2018-7600 [CRITICAL] [KEV] [PoC] CWE-20: Drupal Core Remote Code Execution Vulnerability
Affected: ≥ 7.0, < 7.58; ≥ 8.0, < 8.3.9; +2 more | 2022-05-14
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Sources: GHSA, OSV
CVE-2017-6920 [CRITICAL] CWE-94: Drupal PECL YAML parser unsafe object handling
Affected: ≥ 8.0, < 8.3.4 | 2022-05-14
Drupal core 8 before version 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.
Sources: GHSA, OSV