Search criteria
75 vulnerabilities found for Drupal by Drupal
CVE-2026-0749 (GCVE-0-2026-0749)
Vulnerability from cvelistv5 – Published: 2026-01-28 18:56 – Updated: 2026-01-28 19:12
VLAI?
Title
Cross-Site Scripting Vulnerability in Drupal Form Builder Module
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
Yonatan Offek (poiu)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T19:12:13.895295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:12:36.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/form_builder",
"defaultStatus": "unaffected",
"packageName": "Form Builder",
"product": "Drupal",
"repo": "https://git.drupalcode.org/project/form_builder",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.22",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yonatan Offek (poiu)"
}
],
"datePublic": "2025-05-14T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal: from 7.X-1.0 through 7.X-1.22.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T18:56:05.806Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0749"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/form-builder-less-critical-cross-site-scripting"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting Vulnerability in Drupal Form Builder Module",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-0749",
"datePublished": "2026-01-28T18:56:05.806Z",
"dateReserved": "2026-01-08T19:51:10.879Z",
"dateUpdated": "2026-01-28T19:12:36.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12848 (GCVE-0-2025-12848)
Vulnerability from cvelistv5 – Published: 2025-11-26 01:28 – Updated: 2025-11-26 14:19
VLAI?
Title
XSS vulnerability when rendering filename in Webform Multiform
Summary
Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious
filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts
in the context of the victim's browser.
The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T14:18:51.075955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T14:19:01.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/webform_multifile",
"defaultStatus": "unaffected",
"packageName": "Webform Multifile Upload",
"product": "Drupal",
"repo": "https://git.drupalcode.org/project/webform_multifile",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "7.x"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious\u003cbr\u003efilename containing JavaScript code (e.g., \"\u0026lt;img src=1 onerror=alert(document.domain)\u0026gt;\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts\u003cbr\u003ein the context of the victim\u0027s browser.\u003cbr\u003e \u003cbr\u003eThe issue is present in a third-party library and has been addressed in a patch available at\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/fyneworks/multifile/pull/44\"\u003ehttps://github.com/fyneworks/multifile/pull/44\u003c/a\u003e. Users are advised to apply the provided patch or update to a fixed version of the module.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious\nfilename containing JavaScript code (e.g., \"\u003cimg src=1 onerror=alert(document.domain)\u003e\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts\nin the context of the victim\u0027s browser.\n \nThe issue is present in a third-party library and has been addressed in a patch available at\u00a0 https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T01:28:33.628Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/node/3105204"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS vulnerability when rendering filename in Webform Multiform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12848",
"datePublished": "2025-11-26T01:28:33.628Z",
"dateReserved": "2025-11-06T21:09:12.402Z",
"dateUpdated": "2025-11-26T14:19:01.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CERTFR-2025-AVI-1003
Vulnerability from certfr_avis - Published: 2025-11-13 - Updated: 2025-11-13
De multiples vulnérabilités ont été découvertes dans Drupal. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 11.2.x ant\u00e9rieures \u00e0 11.2.8",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions ant\u00e9rieures \u00e0 10.4.9",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 11.1.x ant\u00e9rieures \u00e0 11.1.9",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 10.5.x ant\u00e9rieures \u00e0 10.5.6",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-13080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13080"
},
{
"name": "CVE-2025-13083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13083"
},
{
"name": "CVE-2025-13082",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13082"
},
{
"name": "CVE-2025-13081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13081"
}
],
"initial_release_date": "2025-11-13T00:00:00",
"last_revision_date": "2025-11-13T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1003",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-13T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": "2025-11-12",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-007",
"url": "https://drupal.org/sa-core-2025-007"
},
{
"published_at": "2025-11-12",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-006",
"url": "https://drupal.org/sa-core-2025-006"
},
{
"published_at": "2025-11-12",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-005",
"url": "https://drupal.org/sa-core-2025-005"
},
{
"published_at": "2025-11-12",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-008",
"url": "https://drupal.org/sa-core-2025-008"
}
]
}
CERTFR-2025-AVI-0225
Vulnerability from certfr_avis - Published: 2025-03-20 - Updated: 2025-03-20
Une vulnérabilité a été découverte dans Drupal. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 10.4.x ant\u00e9rieures \u00e0 10.4.5",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions ant\u00e9rieures \u00e0 10.3.14",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 11.0.x ant\u00e9rieures \u00e0 11.0.13",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 11.1.x ant\u00e9rieures \u00e0 11.1.5",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"initial_release_date": "2025-03-20T00:00:00",
"last_revision_date": "2025-03-20T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0225",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-03-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": "2025-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-004",
"url": "https://drupal.org/sa-core-2025-004"
}
]
}
CERTFR-2025-AVI-0149
Vulnerability from certfr_avis - Published: 2025-02-20 - Updated: 2025-02-20
De multiples vulnérabilités ont été découvertes dans Drupal. Certaines d'entre elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS), un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 10.4.x ant\u00e9rieures \u00e0 10.4.3",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 11.1.x ant\u00e9rieures \u00e0 11.1.3",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 11.0.x ant\u00e9rieures \u00e0 11.0.12",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions ant\u00e9rieures \u00e0 10.3.13",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"initial_release_date": "2025-02-20T00:00:00",
"last_revision_date": "2025-02-20T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0149",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-02-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS), un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": "2025-02-19",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-003",
"url": "https://drupal.org/sa-core-2025-003"
},
{
"published_at": "2025-02-19",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-001",
"url": "https://drupal.org/sa-core-2025-001"
},
{
"published_at": "2025-02-19",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-002",
"url": "https://drupal.org/sa-core-2025-002"
}
]
}
CERTFR-2024-AVI-1009
Vulnerability from certfr_avis - Published: 2024-11-21 - Updated: 2024-11-21
De multiples vulnérabilités ont été découvertes dans Drupal. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
L'éditeur précise que les versions de Drupal 8, 9 et 10 antérieures à 10.2 ne sont plus supportées et ne recevront pas de correctifs.
Impacted products
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 10.2.x ant\u00e9rieures \u00e0 10.2.11",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 11.0.x ant\u00e9rieures \u00e0 11.0.8",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 10.3.x ant\u00e9rieures \u00e0 10.3.9",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": "L\u0027\u00e9diteur pr\u00e9cise que les versions de Drupal 8, 9 et 10 ant\u00e9rieures \u00e0 10.2 ne sont plus support\u00e9es et ne recevront pas de correctifs. ",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"initial_release_date": "2024-11-21T00:00:00",
"last_revision_date": "2024-11-21T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-1009",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-11-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": "2024-11-20",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-006",
"url": "https://drupal.org/sa-core-2024-006"
},
{
"published_at": "2024-11-20",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-007",
"url": "https://drupal.org/sa-core-2024-007"
},
{
"published_at": "2024-11-20",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-004",
"url": "https://drupal.org/sa-core-2024-004"
},
{
"published_at": "2024-11-20",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-003",
"url": "https://drupal.org/sa-core-2024-003"
},
{
"published_at": "2024-11-20",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-005",
"url": "https://drupal.org/sa-core-2024-005"
},
{
"published_at": "2024-11-20",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-008",
"url": "https://drupal.org/sa-core-2024-008"
}
]
}
CERTFR-2024-AVI-0894
Vulnerability from certfr_avis - Published: 2024-10-17 - Updated: 2024-10-17
Une vulnérabilité ont été découverte dans Drupal Core. Elle permet à un attaquant de provoquer un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 10.2.x ant\u00e9rieures \u00e0 10.2.10",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"initial_release_date": "2024-10-17T00:00:00",
"last_revision_date": "2024-10-17T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0894",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-10-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 ont \u00e9t\u00e9 d\u00e9couverte dans Drupal Core. Elle permet \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance.",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal Core",
"vendor_advisories": [
{
"published_at": "2024-10-16",
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-002",
"url": "https://drupal.org/sa-core-2024-002"
}
]
}
CERTFR-2023-AVI-0330
Vulnerability from certfr_avis - Published: 2023-04-20 - Updated: 2023-04-20
Une vulnérabilité a été découverte dans Drupal Core. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal 9.4.x ant\u00e9rieures \u00e0 9.4.14",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal 10.0.x ant\u00e9rieures \u00e0 10.0.8",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 7.x ant\u00e9rieures \u00e0 7.96",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal 9.5.x ant\u00e9rieures \u00e0 9.5.8",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2023-04-20T00:00:00",
"last_revision_date": "2023-04-20T00:00:00",
"links": [],
"reference": "CERTFR-2023-AVI-0330",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-04-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal Core. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal Core",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2023-005 du 19 avril 2023",
"url": "https://www.drupal.org/sa-core-2023-005"
}
]
}
CERTFR-2023-AVI-0039
Vulnerability from certfr_avis - Published: 2023-01-19 - Updated: 2023-01-19
Une vulnérabilité a été découverte dans Drupal Core. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal 9.4.x versions ant\u00e9rieures \u00e0 9.4.10",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal 10.0.x versions ant\u00e9rieures \u00e0 10.0.2",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal 9.5.x versions ant\u00e9rieures \u00e0 9.5.2",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2023-01-19T00:00:00",
"last_revision_date": "2023-01-19T00:00:00",
"links": [],
"reference": "CERTFR-2023-AVI-0039",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-01-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal Core. Elle permet \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal Core",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2023-001 du 18 janvier 2023",
"url": "https://www.drupal.org/sa-core-2023-001"
}
]
}
CERTFR-2022-AVI-866
Vulnerability from certfr_avis - Published: 2022-09-29 - Updated: 2022-09-29
Une vulnérabilité a été découverte dans Drupal core. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 9.3.x versions ant\u00e9rieures \u00e0 9.3.22",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 9.4.x versions ant\u00e9rieures \u00e0 9.4.7",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-39261",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39261"
}
],
"initial_release_date": "2022-09-29T00:00:00",
"last_revision_date": "2022-09-29T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-866",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-09-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal core. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9 et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal core",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-016 du 28 septembre 2022",
"url": "https://www.drupal.org/sa-core-2022-016"
}
]
}
CERTFR-2022-AVI-501
Vulnerability from certfr_avis - Published: 2022-05-27 - Updated: 2022-05-27
Une vulnérabilité a été découverte dans Drupal Core. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 9.3.x ant\u00e9rieures \u00e0 9.3.14",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 9.2.x ant\u00e9rieures \u00e0 9.2.20",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-29248",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29248"
}
],
"initial_release_date": "2022-05-27T00:00:00",
"last_revision_date": "2022-05-27T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-501",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-05-27T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal Core. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9 et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal Core",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-010 du 25 mai 2022",
"url": "https://www.drupal.org/sa-core-2022-010"
}
]
}
CERTFR-2021-AVI-625
Vulnerability from certfr_avis - Published: 2021-08-13 - Updated: 2021-08-13
De multiples vulnérabilités ont été découvertes dans Drupal. Elles permettent à un attaquant de provoquer une atteinte à l'intégrité des données, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal 9.1.x versions ant\u00e9rieures \u00e0 9.1.12",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal 8.9.x versions ant\u00e9rieures \u00e0 8.9.18",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal 9.2.x versions ant\u00e9rieures \u00e0 9.2.4",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2021-08-13T00:00:00",
"last_revision_date": "2021-08-13T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-625",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-08-13T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des\ndonn\u00e9es, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection\nde code indirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2021-005 du 12 ao\u00fbt 2021",
"url": "https://www.drupal.org/sa-core-2021-005"
}
]
}
CERTFR-2020-AVI-381
Vulnerability from certfr_avis - Published: 2020-06-19 - Updated: 2020-06-19
De multiples vulnérabilités ont été découvertes dans Drupal. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une injection de requêtes illégitimes par rebond (CSRF).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 9.x ant\u00e9rieures \u00e0 9.0.1",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 8.9.x ant\u00e9rieures \u00e0 8.9.1",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 8.8.x ant\u00e9rieures \u00e0 8.8.8",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 7.x ant\u00e9rieures \u00e0 7.72",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-13665",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13665"
},
{
"name": "CVE-2020-13664",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13664"
},
{
"name": "CVE-2020-13663",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13663"
}
],
"initial_release_date": "2020-06-19T00:00:00",
"last_revision_date": "2020-06-19T00:00:00",
"links": [],
"reference": "CERTFR-2020-AVI-381",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-06-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9 et une\ninjection de requ\u00eates ill\u00e9gitimes par rebond (CSRF).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-005 du 17 juin 2020",
"url": "https://www.drupal.org/sa-core-2020-005"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-004 du 17 juin 2020",
"url": "https://www.drupal.org/sa-core-2020-004"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-006 du 17 juin 2020",
"url": "https://www.drupal.org/sa-core-2020-006"
}
]
}
CERTFR-2020-AVI-310
Vulnerability from certfr_avis - Published: 2020-05-22 - Updated: 2020-05-22
De multiples vulnérabilités ont été découvertes dans Drupal. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal core versions ant\u00e9rieures \u00e0 7.70",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal core versions 8.8.x ant\u00e9rieures \u00e0 8.8.6",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal core versions 8.x ant\u00e9rieures \u00e0 ant\u00e9rieures \u00e0 8.7.14",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"name": "CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
}
],
"initial_release_date": "2020-05-22T00:00:00",
"last_revision_date": "2020-05-22T00:00:00",
"links": [],
"reference": "CERTFR-2020-AVI-310",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-05-22T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9 et une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-002 du 20 mai 2020",
"url": "https://www.drupal.org/sa-core-2020-002"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-003 du 20 mai 2020",
"url": "https://www.drupal.org/sa-core-2020-003"
}
]
}
CERTFR-2020-AVI-163
Vulnerability from certfr_avis - Published: 2020-03-19 - Updated: 2020-03-19
Une vulnérabilité a été découverte dans Drupal . Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal 8.8.x versions ant\u00e9rieures \u00e0 8.8.4",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal 8.7.x versions ant\u00e9rieures \u00e0 8.7.12",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2020-03-19T00:00:00",
"last_revision_date": "2020-03-19T00:00:00",
"links": [],
"reference": "CERTFR-2020-AVI-163",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-03-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal . Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-001 du 18 mars 2020",
"url": "https://www.drupal.org/sa-core-2020-001"
}
]
}
CERTFR-2019-AVI-645
Vulnerability from certfr_avis - Published: 2019-12-19 - Updated: 2019-12-19
De multiples vulnérabilités ont été découvertes dans Drupal. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal 7.x versions ant\u00e9rieures \u00e0 7.69",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal 8.8.x versions ant\u00e9rieures \u00e0 8.8.1",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal 8.7.x versions ant\u00e9rieures \u00e0 8.7.11",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2019-12-19T00:00:00",
"last_revision_date": "2019-12-19T00:00:00",
"links": [],
"reference": "CERTFR-2019-AVI-645",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-12-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-012 du 18 d\u00e9cembre 2019",
"url": "https://www.drupal.org/sa-core-2019-012"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-011 du 18 d\u00e9cembre 2019",
"url": "https://www.drupal.org/sa-core-2019-011"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-010 du 18 d\u00e9cembre 2019",
"url": "https://www.drupal.org/sa-core-2019-010"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-009 du 18 d\u00e9cembre 2019",
"url": "https://www.drupal.org/sa-core-2019-009"
}
]
}
CERTFR-2019-AVI-347
Vulnerability from certfr_avis - Published: 2019-07-18 - Updated: 2019-07-18
Une vulnérabilité a été découverte dans Drupal. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneReferences
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal 8.7.4",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-6342",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6342"
}
],
"initial_release_date": "2019-07-18T00:00:00",
"last_revision_date": "2019-07-18T00:00:00",
"links": [],
"reference": "CERTFR-2019-AVI-347",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-07-18T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-008 du 17 juillet 2019",
"url": "https://www.drupal.org/sa-core-2019-008"
}
]
}
CERTFR-2019-AVI-199
Vulnerability from certfr_avis - Published: 2019-05-09 - Updated: 2019-05-09
Une vulnérabilité a été découverte dans Drupal . Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 8.7 ant\u00e9rieures \u00e0 8.7.1",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 7 ant\u00e9rieures \u00e0 7.67",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 8 ant\u00e9rieures \u00e0 8.6.x",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 8.6 ant\u00e9rieures \u00e0 8.6.16",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-11831",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11831"
}
],
"initial_release_date": "2019-05-09T00:00:00",
"last_revision_date": "2019-05-09T00:00:00",
"links": [],
"reference": "CERTFR-2019-AVI-199",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-05-09T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal . Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2019-007 du 08 mai 2019",
"url": "https://www.drupal.org/sa-core-2019-007"
}
]
}
CERTFR-2019-AVI-180
Vulnerability from certfr_avis - Published: 2019-04-18 - Updated: 2019-04-18
De multiples vulnérabilités ont été découvertes dans Drupal. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal Core versions 8.5.x ant\u00e9rieures \u00e0 8.5.15",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal Core versions 8.6.x ant\u00e9rieures \u00e0 8.6.15",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal Core versions 7.x ant\u00e9rieures \u00e0 7.66",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-10910",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10910"
},
{
"name": "CVE-2019-10911",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10911"
},
{
"name": "CVE-2019-10909",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10909"
}
],
"initial_release_date": "2019-04-18T00:00:00",
"last_revision_date": "2019-04-18T00:00:00",
"links": [],
"reference": "CERTFR-2019-AVI-180",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-04-18T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance et une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-005 du 17 avril 2019",
"url": "https://www.drupal.org/sa-core-2019-005"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-006 du 17 avril 2019",
"url": "https://www.drupal.org/sa-core-2019-006"
}
]
}
CERTFR-2019-AVI-119
Vulnerability from certfr_avis - Published: 2019-03-21 - Updated: 2019-03-21
Une vulnérabilité a été découverte dans Drupal. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal 7 versions ant\u00e9rieures \u00e0 Drupal 7.65",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal 8.6 versions ant\u00e9rieures \u00e0 8.6.13",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions ant\u00e9rieures \u00e0 8.5.14",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2019-03-21T00:00:00",
"last_revision_date": "2019-03-21T00:00:00",
"links": [],
"reference": "CERTFR-2019-AVI-119",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-03-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2019-004 du 20 mars 2019",
"url": "https://www.drupal.org/sa-core-2019-004"
}
]
}
CERTFR-2019-AVI-074
Vulnerability from certfr_avis - Published: 2019-02-21 - Updated: 2019-02-21
Une vulnérabilité a été découverte dans Drupal. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 8.6.x ant\u00e9rieures \u00e0 8.6.10",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 8.5.x, ou plus anciennes, ant\u00e9rieures \u00e0 8.5.11",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-6340",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6340"
}
],
"initial_release_date": "2019-02-21T00:00:00",
"last_revision_date": "2019-02-21T00:00:00",
"links": [],
"reference": "CERTFR-2019-AVI-074",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-02-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2019-003 du 20 f\u00e9vrier 2019",
"url": "https://www.drupal.org/sa-core-2019-003"
}
]
}
CERTFR-2019-AVI-027
Vulnerability from certfr_avis - Published: 2019-01-17 - Updated: 2019-01-17
De multiples vulnérabilités ont été découvertes dans Drupal. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 8.6.x ant\u00e9rieures \u00e0 8.6.6.",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 8.5.x ant\u00e9rieures \u00e0 8.5.9.",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 7.x ant\u00e9rieures \u00e0 7.62.",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-1000888",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1000888"
}
],
"initial_release_date": "2019-01-17T00:00:00",
"last_revision_date": "2019-01-17T00:00:00",
"links": [],
"reference": "CERTFR-2019-AVI-027",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-01-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-001 du 16 janvier 2019",
"url": "https://www.drupal.org/sa-core-2019-001"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-002 du 16 janvier 2019",
"url": "https://www.drupal.org/sa-core-2019-002"
}
]
}
CERTFR-2018-AVI-501
Vulnerability from certfr_avis - Published: 2018-10-18 - Updated: 2018-10-18
De multiples vulnérabilités ont été découvertes dans Drupal . Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal Core versions 8.6.x ant\u00e9rieures \u00e0 8.6.2",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal Core versions 8.5.x ant\u00e9rieures \u00e0 8.5.8",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal Core versions 7.x ant\u00e9rieures \u00e0 7.60",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2018-10-18T00:00:00",
"last_revision_date": "2018-10-18T00:00:00",
"links": [],
"reference": "CERTFR-2018-AVI-501",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal . Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2018-006 du 17 octobre 2018",
"url": "https://www.drupal.org/sa-core-2018-006"
}
]
}
CERTFR-2018-AVI-370
Vulnerability from certfr_avis - Published: 2018-08-02 - Updated: 2018-08-02
Une vulnérabilité a été découverte dans Drupal. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneReferences
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 8.x ant\u00e9rieures \u00e0 8.5.6.",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-14773",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14773"
}
],
"initial_release_date": "2018-08-02T00:00:00",
"last_revision_date": "2018-08-02T00:00:00",
"links": [],
"reference": "CERTFR-2018-AVI-370",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-08-02T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2018-005 du 1 ao\u00fbt 2018",
"url": "https://www.drupal.org/SA-CORE-2018-005"
}
]
}
CERTFR-2018-AVI-204
Vulnerability from certfr_avis - Published: 2018-04-26 - Updated: 2018-04-26
Une vulnérabilité a été découverte dans Drupal. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal toutes versions sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-7602",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-7602"
}
],
"initial_release_date": "2018-04-26T00:00:00",
"last_revision_date": "2018-04-26T00:00:00",
"links": [],
"reference": "CERTFR-2018-AVI-204",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-04-26T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2018-004 du 25 avril 2018",
"url": "https://www.drupal.org/sa-core-2018-004"
}
]
}
CERTFR-2018-AVI-193
Vulnerability from certfr_avis - Published: 2018-04-19 - Updated: 2018-04-19
Une vulnérabilité a été découverte dans Drupal . Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal Core versions 8.4.x ant\u00e9rieures \u00e0 8.4.7",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal Core versions 8.5.x ant\u00e9rieures \u00e0 8.5.2",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 7.x avec CKEditor versions ant\u00e9rieures \u00e0 4.9.2",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2018-04-19T00:00:00",
"last_revision_date": "2018-04-19T00:00:00",
"links": [],
"reference": "CERTFR-2018-AVI-193",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-04-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal . Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2018-003 du 18 avril 2018",
"url": "https://www.drupal.org/sa-core-2018-003"
}
]
}
CERTFR-2018-AVI-158
Vulnerability from certfr_avis - Published: 2018-03-29 - Updated: 2018-03-29
Une vulnérabilité a été découverte dans Drupal. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal toutes versions sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-7600",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-7600"
}
],
"initial_release_date": "2018-03-29T00:00:00",
"last_revision_date": "2018-03-29T00:00:00",
"links": [
{
"title": "Foire aux questions sur la vuln\u00e9rabilit\u00e9s CVE-2018-7600",
"url": "https://groups.drupal.org/security/faq-2018-002"
}
],
"reference": "CERTFR-2018-AVI-158",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-03-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2018-002 du 28 mars 2018",
"url": "https://www.drupal.org/sa-core-2018-002"
}
]
}
CERTFR-2018-AVI-099
Vulnerability from certfr_avis - Published: 2018-02-22 - Updated: 2018-02-22
De multiples vulnérabilités ont été découvertes dans Drupal . Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité, une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal Core versions 7.x ant\u00e9rieures \u00e0 7.57",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal Core versions 8.x ant\u00e9rieures \u00e0 8.4.5",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2018-02-22T00:00:00",
"last_revision_date": "2018-02-22T00:00:00",
"links": [],
"reference": "CERTFR-2018-AVI-099",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-02-22T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal . Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de\ncode indirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2018-001 du 21 f\u00e9vrier 2018",
"url": "https://www.drupal.org/sa-core-2018-001"
}
]
}
JVNDB-2024-000004
Vulnerability from jvndb - Published: 2024-01-16 13:41 - Updated:2024-03-12 17:33
Severity ?
Summary
Drupal vulnerable to improper handling of structural elements
Details
Drupal provided by Drupal.org contains an improper handling of structural elements vulnerability (CWE-237).
Shiga Takuma of BroadBand Security Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000004.html",
"dc:date": "2024-03-12T17:33+09:00",
"dcterms:issued": "2024-01-16T13:41+09:00",
"dcterms:modified": "2024-03-12T17:33+09:00",
"description": "Drupal provided by Drupal.org contains an improper handling of structural elements vulnerability (CWE-237).\r\n\r\nShiga Takuma of BroadBand Security Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000004.html",
"sec:cpe": {
"#text": "cpe:/a:drupal:drupal",
"@product": "Drupal",
"@vendor": "Drupal",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"@version": "2.0"
},
{
"@score": "5.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2024-000004",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN63383723/index.html",
"@id": "JVN#63383723",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-22362",
"@id": "CVE-2024-22362",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22362",
"@id": "CVE-2024-22362",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Drupal vulnerable to improper handling of structural elements"
}
CERTFR-2018-ALE-005
Vulnerability from certfr_alerte - Published: 2018-03-29 - Updated: 2018-07-30
Le 28 mars 2018, l'éditeur du système de gestion de contenu Drupal a publié un avis de sécurité concernant une vulnérabilité critique dans Drupal core. L'avis SA-CORE-2018-002 indique que les systèmes Drupal en versions 7.x, 8.5.x, mais également les systèmes n'étant plus supportés (version 8.3.x, 8.4.x et 6), sont affectés par une vulnérabilité hautement critique pouvant mener à la compromission complète d'un site web basé sur Drupal.
Cette vulnérabilité, identifiée en tant que CVE-2018-7600, permettrait à un visiteur d'un site vulnérable d'accéder à toutes les données contenues sur le site, de les modifier et de les supprimer, et ce sans authentification.
Le CERT-FR recommande d'appliquer au plus tôt les correctifs de sécurité mis à disposition par Drupal.
[ Mise à jour du 16 avril 2018]
Le 12 avril 2018, une preuve de concept exploitant la vulnérabilité CVE-2018-7600 a été publiée publiquement sur Github. Depuis, le CERT-FR constate des tentatives d'exploitation.
Au vu de la facilité d'exploitation et de la criticité de cette vulnérabilité, le CERT-FR a décidé de rouvrir l'alerte CERTFR-2018-ALE-005 et rappelle qu'il est nécessaire d'appliquer les correctifs déjà disponibles immédiatement.
[ Mise à jour du 26 avril 2018]
Le 25 avril, l'éditeur de Drupal a publié un nouveau bulletin d'alerte concernant une vulnérabilité similaire à la CVE-2018-7600, la CVE-2018-7602. Cette vulnérabilité permet une exécution de code arbitraire à distance et a été signalée comme exploitée très peu de temps après sa publication. Le CERT-FR conseille l'application immédiate des correctifs fournis par l'éditeur. Il est à noter que l'application des correctifs de la vulnérabilité CVE-2018-7602 nécessite l'installation préalable de ceux de la CVE-2018-7600.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 8.5.x ant\u00e9rieures \u00e0 8.5.3",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 7.x ant\u00e9rieures \u00e0 7.59",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 8.4.x ant\u00e9rieures \u00e0 8.4.8",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal version 6",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"closed_at": "2018-07-30",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-7600",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-7600"
},
{
"name": "CVE-2018-7602",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-7602"
}
],
"initial_release_date": "2018-03-29T00:00:00",
"last_revision_date": "2018-07-30T00:00:00",
"links": [
{
"title": "Avis CERT-FR CERTFR-2018-AVI-158 Vuln\u00e9rabilit\u00e9 dans Drupal",
"url": "http://www.cert.ssi.gouv.fr/avis/CERTFR-2018-AVI-158"
},
{
"title": "Billet de blogue Checkpoint",
"url": "https://research.checkpoint.com/uncovering-drupalgeddon-2/"
},
{
"title": "Billet de blogue SANS",
"url": "https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/"
},
{
"title": "Avis CERT-FR CERTFR-2018-AVI-204 Vuln\u00e9rabilit\u00e9 dans Drupal",
"url": "http://www.cert.ssi.gouv.fr/avis/CERTFR-2018-AVI-204"
}
],
"reference": "CERTFR-2018-ALE-005",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-03-29T00:00:00.000000"
},
{
"description": "Modification d\u0027un lien",
"revision_date": "2018-04-06T00:00:00.000000"
},
{
"description": "Cl\u00f4ture de l\u0027alerte",
"revision_date": "2018-04-06T00:00:00.000000"
},
{
"description": "Rouverture de l\u0027alerte suite \u00e0 la publication du PoC, ajout de liens",
"revision_date": "2018-04-16T00:00:00.000000"
},
{
"description": "Ajout de la CVE-2018-7602",
"revision_date": "2018-04-26T00:00:00.000000"
},
{
"description": "Modification du titre de l\u0027alerte",
"revision_date": "2018-04-26T00:00:00.000000"
},
{
"description": "Cl\u00f4ture de l\u0027alerte",
"revision_date": "2018-07-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
}
],
"summary": "Le 28 mars 2018, l\u0027\u00e9diteur du syst\u00e8me de gestion de contenu Drupal a\npubli\u00e9 un avis de s\u00e9curit\u00e9 concernant une vuln\u00e9rabilit\u00e9 critique dans\nDrupal core. L\u0027avis SA-CORE-2018-002 indique que les syst\u00e8mes Drupal en\nversions 7.x, 8.5.x, mais \u00e9galement les syst\u00e8mes n\u0027\u00e9tant plus support\u00e9s\n(version 8.3.x, 8.4.x et 6), sont affect\u00e9s par une vuln\u00e9rabilit\u00e9\nhautement critique pouvant mener \u00e0 la compromission compl\u00e8te d\u0027un site\nweb bas\u00e9 sur Drupal.\n\nCette vuln\u00e9rabilit\u00e9, identifi\u00e9e en tant que CVE-2018-7600, permettrait \u00e0\nun visiteur d\u0027un site vuln\u00e9rable d\u0027acc\u00e9der \u00e0 toutes les donn\u00e9es\ncontenues sur le site, de les modifier et de les supprimer, et ce sans\nauthentification.\n\nLe CERT-FR recommande d\u0027appliquer au plus t\u00f4t les correctifs de s\u00e9curit\u00e9\nmis \u00e0 disposition par Drupal.\n\n\u003cstrong\u003e\\[ Mise \u00e0 jour du 16 avril 2018\\]\u003c/strong\u003e\n\nLe 12 avril 2018, une preuve de concept exploitant la vuln\u00e9rabilit\u00e9\nCVE-2018-7600 a \u00e9t\u00e9 publi\u00e9e publiquement sur Github. Depuis, le CERT-FR\nconstate des tentatives d\u0027exploitation.\n\nAu vu de la facilit\u00e9 d\u0027exploitation et de la criticit\u00e9 de cette\nvuln\u00e9rabilit\u00e9, le CERT-FR a d\u00e9cid\u00e9 de rouvrir\nl\u0027alerte\u00a0CERTFR-2018-ALE-005 et rappelle qu\u0027il est n\u00e9cessaire\nd\u0027appliquer les correctifs d\u00e9j\u00e0 disponibles imm\u00e9diatement.\n\n\u003cstrong\u003e\\[ Mise \u00e0 jour du 26 avril 2018\\]\u003c/strong\u003e\n\nLe 25 avril, l\u0027\u00e9diteur de Drupal a publi\u00e9 un nouveau bulletin d\u0027alerte\nconcernant une vuln\u00e9rabilit\u00e9 similaire \u00e0 la CVE-2018-7600, la\nCVE-2018-7602. Cette vuln\u00e9rabilit\u00e9 permet une ex\u00e9cution de code\narbitraire \u00e0 distance et a \u00e9t\u00e9 signal\u00e9e comme exploit\u00e9e tr\u00e8s peu de\ntemps apr\u00e8s sa publication. Le CERT-FR conseille l\u0027application imm\u00e9diate\ndes correctifs fournis par l\u0027\u00e9diteur. Il est \u00e0 noter que l\u0027application\ndes correctifs de la vuln\u00e9rabilit\u00e9 CVE-2018-7602 n\u00e9cessite\nl\u0027installation pr\u00e9alable de ceux de la CVE-2018-7600.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2018-004 du 25 avril 2018",
"url": "https://www.drupal.org/sa-core-2018-004"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2018-002 du 28 mars 2018",
"url": "https://www.drupal.org/sa-core-2018-002"
},
{
"published_at": null,
"title": "Foire aux questions Drupal pour l\u0027avis de s\u00e9curit\u00e9 SA-CORE-2018-002",
"url": "https://groups.drupal.org/security/faq-2018-002"
}
]
}