CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2017-6929
https://notcve.org/view.php?id=CVE-2017-6929
01 Mar 2018 — A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used o... • https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6930
https://notcve.org/view.php?id=CVE-2017-6930
01 Mar 2018 — In Drupal versions 8.4.x versions before 8.4.5 when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access w... • https://www.drupal.org/sa-core-2018-001 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6931
https://notcve.org/view.php?id=CVE-2017-6931
01 Mar 2018 — In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module. En las versiones 8.4.x de Drupal ant... • https://www.drupal.org/sa-core-2018-001 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 71EXPL: 0CVE-2017-6919
https://notcve.org/view.php?id=CVE-2017-6919
20 Apr 2017 — Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests. Drupal 8 en versiones anteriores a 8.2.8 y 8.3 en versiones anteriores a 8.3.1 permite elusión de acceso crítica por usuarios autenticados si el módulo RESTful Web Services (resto) está habilitado y el sitio permite solicitudes PATCH. • http://www.securityfocus.com/bid/97941 •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2017-6377
https://notcve.org/view.php?id=CVE-2017-6377
16 Mar 2017 — When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass. Cuando se añade un archivo privado a través del editor en Drupal 8.2.x en versiones anteriores a 8.2.7, el editor no comprobará correctamente el acceso para el archivo que se adjunta, resultando en una elusión de acceso. • http://www.securityfocus.com/bid/96919 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2017-6379
https://notcve.org/view.php?id=CVE-2017-6379
16 Mar 2017 — Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID. Algunos caminos administrativos en Drupal 8.2.x en versiones anteriores a 8.2.7 no incluyeron protección para CSRF. Esto permitiría a un atacante deshabilitar algunos bloques en un sitio. • http://www.securityfocus.com/bid/96919 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 5%CPEs: 60EXPL: 0CVE-2017-6381
https://notcve.org/view.php?id=CVE-2017-6381
16 Mar 2017 — A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the
CVSS: 4.3EPSS: 0%CPEs: 117EXPL: 0CVE-2016-9449
https://notcve.org/view.php?id=CVE-2016-9449
25 Nov 2016 — The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags. El módulo de taxonomía en Drupal 7.x en versiones anteriores a 7.52 y 8.x en versiones anteriores a 8.2.3 podría permitir a usuarios remotos autenticados obtener información sensible sobre términos de taxonomía aprovechando nomenclatura inconsistente de las etiquetas de consulta de acceso. • http://www.debian.org/security/2016/dsa-3718 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 61EXPL: 0CVE-2016-9450
https://notcve.org/view.php?id=CVE-2016-9450
25 Nov 2016 — The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context. El formulario de reseteo de contraseña de usuario en Drupal 8.x en versiones anteriores a 8.2.3 permite a atacantes remotos llevar a cabo ataques de envenenamiento de caché aprovechando un error para especificar un contexto de caché correcto. • http://www.securityfocus.com/bid/94367 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.5EPSS: 0%CPEs: 61EXPL: 0CVE-2016-9452
https://notcve.org/view.php?id=CVE-2016-9452
25 Nov 2016 — The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL. El mecanismo de transliteración en Drupal 8.x en versiones anteriores a 8.2.3 permite a atacantes remotos provocar una denegación de servicio a través de una URL manipulada. • http://www.securityfocus.com/bid/94367 • CWE-20: Improper Input Validation •