U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:drupal:drupal:7.8
There are 85 matching records.
Displaying matches 21 through 40.
Vuln ID Summary CVSS Severity
CVE-2017-6922

In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

Published: January 22, 2019; 10:29:00 AM -0500
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2019-6338

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details

Published: January 22, 2019; 9:29:00 AM -0500
V3.0: 8.0 HIGH
V2.0: 6.0 MEDIUM
CVE-2018-7602

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Published: July 19, 2018; 1:29:00 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2018-7600

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Published: March 29, 2018; 3:29:00 AM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2017-6932

Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Published: March 01, 2018; 6:29:00 PM -0500
V3.0: 4.7 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2017-6929

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Published: March 01, 2018; 6:29:00 PM -0500
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2017-6928

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

Published: March 01, 2018; 6:29:00 PM -0500
V3.0: 5.3 MEDIUM
V2.0: 3.5 LOW
CVE-2017-6927

Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.

Published: March 01, 2018; 6:29:00 PM -0500
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2015-7943

Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3233.

Published: October 18, 2017; 2:29:00 PM -0400
V3.0: 6.1 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2015-2750

Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence.

Published: September 13, 2017; 12:29:00 PM -0400
V3.0: 6.1 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2015-2749

Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.

Published: September 13, 2017; 12:29:00 PM -0400
V3.0: 6.1 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2016-6212

The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.

Published: September 09, 2016; 10:05:09 AM -0400
V3.0: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2016-6211

The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.

Published: September 09, 2016; 10:05:08 AM -0400
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2016-3170

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

Published: April 12, 2016; 11:59:07 AM -0400
V3.0: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2016-3169

The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.

Published: April 12, 2016; 11:59:06 AM -0400
V3.0: 8.1 HIGH
V2.0: 6.8 MEDIUM
CVE-2016-3168

The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."

Published: April 12, 2016; 11:59:05 AM -0400
V3.0: 6.4 MEDIUM
V2.0: 8.5 HIGH
CVE-2016-3164

Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.

Published: April 12, 2016; 11:59:02 AM -0400
V3.0: 7.4 HIGH
V2.0: 5.8 MEDIUM
CVE-2016-3163

The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.

Published: April 12, 2016; 11:59:01 AM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2016-3162

The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.

Published: April 12, 2016; 11:59:00 AM -0400
V3.0: 8.1 HIGH
V2.0: 6.5 MEDIUM
CVE-2015-6665

Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag.

Published: August 24, 2015; 10:59:22 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM