723 results (0.003 seconds)

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

Insertion of Sensitive Information into Log File vulnerability in Frédéric GILLES FG Drupal to WordPress.This issue affects FG Drupal to WordPress: from n/a through 3.70.3. The FG Drupal to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.70.3 via log files. This makes it possible for unauthenticated attackers to extract sensitive data from log files. • https://patchstack.com/database/vulnerability/fg-drupal-to-wp/wordpress-fg-drupal-to-wordpress-plugin-3-70-3-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. Drupal contiene una vulnerabilidad con manejo inadecuado de elementos estructurales. Si se aprovecha esta vulnerabilidad, un atacante puede provocar una condición de denegación de servicio (DoS). • https://github.com/drupal/drupal https://jvn.jp/en/jp/JVN63383723 https://www.drupal.org https://www.drupal.org/about/core/policies/core-release-cycles/schedule •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected. En ciertos escenarios, el módulo JSON:API de Drupal generará seguimientos de errores. Con algunas configuraciones, esto puede hacer que la información confidencial se almacene en caché y se ponga a disposición de usuarios anónimos, lo que lleva a una escalada de privilegios. Esta vulnerabilidad solo afecta a los sitios con el módulo JSON:API habilitado y se puede mitigar desinstalando JSON:API. • https://www.drupal.org/sa-core-2023-006 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. • https://www.drupal.org/sa-core-2022-008 • CWE-20: Improper Input Validation •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system. • https://www.drupal.org/sa-core-2022-009 • CWE-863: Incorrect Authorization •