CVE-2017-6921 – File REST resource does not properly validate
https://notcve.org/view.php?id=CVE-2017-6921
15 Jan 2019 — In Drupal 8 prior to 8.3.4, the file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource. • http://www.securityfocus.com/bid/99222 • CWE-20: Improper Input Validation •
CVE-2017-6924 – REST API can bypass comment approval - Access Bypass - Moderately Critical
https://notcve.org/view.php?id=CVE-2017-6924
15 Jan 2019 — In Drupal 8 prior to 8.3.7, when using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments. • http://www.securityfocus.com/bid/100368 • CWE-269: Improper Privilege Management •
CVE-2017-6925
https://notcve.org/view.php?id=CVE-2017-6925
15 Jan 2019 — In versions of Drupal 8 core prior to 8.3.7, there is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity. • http://www.securityfocus.com/bid/100368 •
CVE-2017-6920
https://notcve.org/view.php?id=CVE-2017-6920
06 Aug 2018 — Drupal core 8 before version 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations. • http://www.securityfocus.com/bid/99211 • CWE-19: Data Processing Errors •
CVE-2018-14773 – Debian Security Advisory 4441-1
https://notcve.org/view.php?id=CVE-2018-14773
03 Aug 2018 — An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an ... • http://www.securityfocus.com/bid/104943 •
CVE-2018-7602 – Drupal Core Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-7602
26 Apr 2018 — A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. • https://packetstorm.news/files/id/147380 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2018-9861 – Ubuntu Security Notice USN-5340-1
https://notcve.org/view.php?id=CVE-2018-9861
19 Apr 2018 — Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element. • http://www.securityfocus.com/bid/103924 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-7600 – Drupal Core Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-7600
29 Mar 2018 — Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. • https://packetstorm.news/files/id/147247 • CWE-20: Improper Input Validation •
CVE-2017-6929
https://notcve.org/view.php?id=CVE-2017-6929
01 Mar 2018 — A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used o... • https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-6927
https://notcve.org/view.php?id=CVE-2017-6927
01 Mar 2018 — Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. • http://www.securityfocus.com/bid/103138 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •