
CVE-2024-55636 – Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
https://notcve.org/view.php?id=CVE-2024-55636
09 Dec 2024 — Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exist... • https://www.drupal.org/sa-core-2024-006 • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes •
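A gadget chain like the one in SA-CORE-2024-006 is only reachable once application code hands attacker-controlled bytes to unserialize(). The following is an added example, not Drupal's own code, showing that sink next to two ways of closing it; the Preferences class, the loader functions and the payload are hypothetical.

```php
<?php
// Added example, not Drupal code. The gadget chain in SA-CORE-2024-006 only
// matters once an application passes attacker-controlled bytes to unserialize();
// this shows that sink and two ways to close it. Preferences and the payload
// are hypothetical.

final class Preferences
{
    public string $theme = 'default';
}

// Vulnerable: every autoloadable class in the code base is reachable, so any
// gadget chain built from their __wakeup/__destruct/__toString methods runs.
function loadPreferencesUnsafe(string $serialized): mixed
{
    return unserialize($serialized);
}

// Hardened: only the expected class may be instantiated. Anything else comes
// back as __PHP_Incomplete_Class, whose magic methods never execute, and is
// rejected by the instanceof check.
function loadPreferencesSafe(string $serialized): ?Preferences
{
    $value = @unserialize($serialized, ['allowed_classes' => [Preferences::class]]);
    return $value instanceof Preferences ? $value : null;
}

// Preferable: do not expose PHP serialization to clients at all; carry the
// data as JSON and validate each field before building the object.
function loadPreferencesJson(string $json): ?Preferences
{
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['theme']) || !is_string($data['theme'])) {
        return null;
    }
    $prefs = new Preferences();
    $prefs->theme = $data['theme'];
    return $prefs;
}

// Constructed payload: the attacker, not the application, chooses the class.
$payload = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';

echo 'unsafe loader built: ', get_debug_type(loadPreferencesUnsafe($payload)), PHP_EOL;
echo 'safe loader result: ', get_debug_type(loadPreferencesSafe($payload)), PHP_EOL;
echo 'json loader result: ', get_debug_type(loadPreferencesJson('{"theme":"dark"}')), PHP_EOL;
```

Run under PHP 8, the unsafe loader instantiates whatever class the payload names, while the restricted loader returns null. The allowed_classes list is a backstop only; the fix for this advisory is updating core, and the durable fix for an application is never deserializing client-supplied data in the first place.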

CVE-2024-55635 – Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005
https://notcve.org/view.php?id=CVE-2024-55635
09 Dec 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 7.0 before 7.102. • https://www.drupal.org/sa-core-2024-005 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-55634 – Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004
https://notcve.org/view.php?id=CVE-2024-55634
09 Dec 2024 — A vulnerability in Drupal Core allows Privilege Escalation. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. • https://www.drupal.org/sa-core-2024-004 • CWE-178: Improper Handling of Case Sensitivity CWE-289: Authentication Bypass by Alternate Name •
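The CWE pair above (case sensitivity, alternate name) describes a general pattern: one code path compares an identifier exactly while another folds case, so a second spelling of a privileged name slips past the uniqueness check and then resolves to the privileged account. The following is an added example in hypothetical application code; it is not the Drupal flaw behind SA-CORE-2024-004, whose specifics the entry does not give, and it assumes ext/mbstring and ext/intl are loaded.

```php
<?php
// Added example of a CWE-178/CWE-289 pattern in hypothetical application code;
// it is not the Drupal flaw behind SA-CORE-2024-004.

// Constructed account table keyed by the stored user name.
$users = ['admin' => ['role' => 'administrator']];

// Vulnerable pair: registration compares exactly, while the role lookup folds
// case. 'Admin' passes the duplicate check and then resolves to the existing
// privileged account.
function registerUnsafe(array &$users, string $name): bool
{
    if (array_key_exists($name, $users)) {
        return false;
    }
    $users[$name] = ['role' => 'authenticated'];
    return true;
}

function roleUnsafe(array $users, string $name): string
{
    foreach ($users as $stored => $info) {
        if (strtolower($stored) === strtolower($name)) {
            return $info['role'];
        }
    }
    return 'anonymous';
}

// Hardened: one canonical form, computed by one function, used on every path.
// NFC normalization merges composed and decomposed spellings before the case
// fold, so an accent written as a combining mark collides with its precomposed
// form. Assumes ext/mbstring and ext/intl are loaded.
function canonical(string $name): string
{
    return mb_strtolower(\Normalizer::normalize($name, \Normalizer::FORM_C));
}

function registerSafe(array &$users, string $name): bool
{
    $key = canonical($name);
    if (array_key_exists($key, $users)) {
        return false;
    }
    $users[$key] = ['role' => 'authenticated'];
    return true;
}

function roleSafe(array $users, string $name): string
{
    return $users[canonical($name)]['role'] ?? 'anonymous';
}

// Walk-through on the constructed table.
$unsafe = $users;
var_dump(registerUnsafe($unsafe, 'Admin'));      // exact compare: 'Admin' !== 'admin'
echo roleUnsafe($unsafe, 'Admin'), PHP_EOL;      // folded compare matches the real admin

$safe = $users;
var_dump(registerSafe($safe, 'Admin'));          // folds to 'admin', which already exists
var_dump(registerSafe($safe, "\u{00C1}dmin"));   // 'ádmin' is a new canonical key
var_dump(registerSafe($safe, "A\u{0301}dmin"));  // NFC turns this into the same key as above
```

The point is not which normalization is chosen but that exactly one is used, at registration, at lookup and ideally as a unique index on the canonical column in storage, so no two accounts can ever differ only by a spelling the comparison treats as equal.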

CVE-2024-12393 – Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
https://notcve.org/view.php?id=CVE-2024-12393
09 Dec 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS). This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. • https://www.drupal.org/sa-core-2024-003 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-11942 – Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002
https://notcve.org/view.php?id=CVE-2024-11942
05 Dec 2024 — A vulnerability in Drupal Core allows File Manipulation. This issue affects Drupal Core: from 10.0.0 before 10.2.10. • https://www.drupal.org/sa-core-2024-002 • CWE-390: Detection of Error Condition Without Action •

CVE-2024-11941 – Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
https://notcve.org/view.php?id=CVE-2024-11941
05 Dec 2024 — A vulnerability in Drupal Core allows Excessive Allocation. This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8. • https://www.drupal.org/sa-core-2024-001 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVE-2024-45440
https://notcve.org/view.php?id=CVE-2024-45440
29 Aug 2024 — core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. • https://github.com/w0r1i0g1ht/CVE-2024-45440 • CWE-209: Generation of Error Message Containing Sensitive Information •
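The trigger described above is a settings.php idiom: reading hash_salt from a file with file_get_contents() and relying on error display being off. The following is an added example for settings.php, not taken from Drupal's documentation; the path and file name are hypothetical.

```php
<?php
// Added example for settings.php, not from Drupal's documentation. The path
// and file name are hypothetical.

// Common pattern that produces the behaviour described above: if the salt
// file is missing, file_get_contents() emits a warning that names the path,
// and any page that renders the warning discloses it.
// $settings['hash_salt'] = file_get_contents('/var/www/private/salt.txt');

// Hardened: check the source before reading it, fail closed on a missing or
// empty salt, and keep the detail in the server log instead of the response.
$salt_file = '/var/www/private/salt.txt';
$salt = is_readable($salt_file) ? trim((string) file_get_contents($salt_file)) : '';
if ($salt === '') {
    error_log('hash_salt could not be loaded from its configured file');
    http_response_code(500);
    exit('Site is misconfigured.');
}
$settings['hash_salt'] = $salt;
```

Because the entry notes the path leaked even with error logging set to None, the error-display setting is not a sufficient control on its own; the read has to be guarded where it happens.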

CVE-2024-31247 – WordPress FG Drupal to WordPress plugin <= 3.70.3 - Sensitive Data Exposure via Log File vulnerability
https://notcve.org/view.php?id=CVE-2024-31247
05 Apr 2024 — Insertion of Sensitive Information into Log File vulnerability in Frédéric GILLES FG Drupal to WordPress. This issue affects FG Drupal to WordPress: from n/a through 3.70.3. The FG Drupal to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.70.3 via log files. This makes it possible for unauthenticated attackers to extract sensitive data from log files. • https://patchstack.com/database/vulnerability/fg-drupal-to-wp/wordpress-fg-drupal-to-wordpress-plugin-3-70-3-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •

CVE-2024-22362
https://notcve.org/view.php?id=CVE-2024-22362
16 Jan 2024 — Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. • https://github.com/drupal/drupal •

CVE-2023-5256 – Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
https://notcve.org/view.php?id=CVE-2023-5256
28 Sep 2023 — In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected. • https://www.drupal.org/sa-core-2023-006 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •