Search criteria

75 vulnerabilities found for drupal by drupal

CERTFR-2026-AVI-0771

Vulnerability from certfr_avis - Published: 2026-06-18 - Updated: 2026-06-18

Multiple vulnerabilities have been discovered in Drupal. Some of them allow an attacker to cause remote arbitrary code execution, SQL injection (SQLi), and server-side request forgery (SSRF).

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products

| Vendor | Product | Description |
|---|---|---|
| Drupal | Drupal | Drupal versions 10.6.x prior to 10.6.11 |
| Drupal | Drupal | Drupal versions prior to 10.5.12 |
| Drupal | Drupal | Drupal versions 11.2.x prior to 11.2.14 |
| Drupal | Drupal | Drupal versions 11.3.x prior to 11.3.12 |

References

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 10.6.x ant\u00e9rieures \u00e0 10.6.11",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions ant\u00e9rieures \u00e0 10.5.12",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.2.x ant\u00e9rieures \u00e0 11.2.14",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.3.x ant\u00e9rieures \u00e0 11.3.12",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-55803",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-55803"
    },
    {
      "name": "CVE-2026-55807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-55807"
    },
    {
      "name": "CVE-2026-55808",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-55808"
    },
    {
      "name": "CVE-2026-55804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-55804"
    },
    {
      "name": "CVE-2026-55806",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-55806"
    }
  ],
  "initial_release_date": "2026-06-18T00:00:00",
  "last_revision_date": "2026-06-18T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0771",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-06-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Injection SQL (SQLi)"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une injection SQL (SQLi) et une falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": "2026-06-17",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-007",
      "url": "https://drupal.org/sa-core-2026-007"
    },
    {
      "published_at": "2026-06-17",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-008",
      "url": "https://drupal.org/sa-core-2026-008"
    },
    {
      "published_at": "2026-06-17",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2019-003",
      "url": "https://drupal.org/sa-core-2026-005"
    },
    {
      "published_at": "2026-06-17",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-006",
      "url": "https://drupal.org/sa-core-2026-006"
    },
    {
      "published_at": "2026-06-17",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-009",
      "url": "https://drupal.org/sa-core-2026-009"
    }
  ]
}

CERTFR-2026-AVI-0629

Vulnerability from certfr_avis - Published: 2026-05-21 - Updated: 2026-05-21

A vulnerability has been discovered in Drupal. It allows an attacker to cause SQL injection (SQLi).

The vendor states that vulnerability CVE-2026-9082 only affects applications that use PostgreSQL as their database management system.
However, it nevertheless recommends installing the patch on all instances because of the dependency updates also included in the latest versions.

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

The vendor notes that versions 11.1.x, 11.0.x, 10.4.x, 9.x and 8.x are end-of-life and are receiving a patch for vulnerability CVE-2026-9082 only on an exceptional basis, given its severity.
These versions do not include patches for all the other vulnerabilities discovered since their respective end-of-support dates. The vendor therefore recommends migrating to a supported, up-to-date version.

Impacted products

| Vendor | Product | Description |
|---|---|---|
| Drupal | Drupal | Drupal versions 11.2.x prior to 11.2.12 |
| Drupal | Drupal | Drupal versions 10.6.x prior to 10.6.9 |
| Drupal | Drupal | Drupal versions 10.x prior to 10.4.10 |
| Drupal | Drupal | Drupal versions 9.x prior to 9.5 without the latest security patch |
| Drupal | Drupal | Drupal versions 11.3.x prior to 11.3.10 |
| Drupal | Drupal | Drupal versions 11.x prior to 11.1.10 |
| Drupal | Drupal | Drupal versions 8.x prior to 8.9 without the latest security patch |
| Drupal | Drupal | Drupal versions 10.5.x prior to 10.5.10 |

References

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 11.2.x ant\u00e9rieures \u00e0 11.2.12",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 10.6.x ant\u00e9rieures \u00e0 10.6.9",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 10.x ant\u00e9rieures \u00e0 10.4.10",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 9.x ant\u00e9rieures \u00e0 9.5 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.3.x ant\u00e9rieures \u00e0 11.3.10",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.x ant\u00e9rieures \u00e0 11.1.10",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 8.x ant\u00e9rieures \u00e0 8.9 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 10.5.x ant\u00e9rieures \u00e0 10.5.10",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "L\u0027\u00e9diteur rappelle que les versions 11.1.x, 11.0.x, 10.4.x, 9.x et 8.x sont en fin de vie et ne re\u00e7oivent un correctif pour la vuln\u00e9rabilit\u00e9 CVE-2026-9082 qu\u0027\u00e0 titre exceptionnel, au vu de sa criticit\u00e9.\u003cbr\u003e\nCes versions n\u0027incluent pas de correctif pour toutes les autres vuln\u00e9rabilit\u00e9s d\u00e9couvertes depuis leurs fins de support respectives. L\u0027\u00e9diteur invite donc \u00e0 migrer vers une version support\u00e9e et \u00e0 jour.",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-9082",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-9082"
    }
  ],
  "initial_release_date": "2026-05-21T00:00:00",
  "last_revision_date": "2026-05-21T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0629",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-05-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection SQL (SQLi)"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un attaquant de provoquer une injection SQL (SQLi).\n\nL\u0027\u00e9diteur pr\u00e9cise que la vuln\u00e9rabilit\u00e9 CVE-2026-9082 affecte uniquement les applications qui utilisent PostgreSQL comme syst\u00e8me de gestion de base de donn\u00e9es.\u003cbr\u003e \nCependant, il recommande n\u00e9anmoins l\u0027installation du correctif pour toutes les instances du fait des mises \u00e0 jour de d\u00e9pendances \u00e9galement incluses dans les derni\u00e8res versions.",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": "2026-05-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-004",
      "url": "https://drupal.org/sa-core-2026-004"
    }
  ]
}

CERTFR-2026-AVI-0447

Vulnerability from certfr_avis - Published: 2026-04-16 - Updated: 2026-04-16

Multiple vulnerabilities have been discovered in Drupal. They allow an attacker to cause remote arbitrary code execution, SQL injection (SQLi), and cross-site scripting (XSS).

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

The vendor notes that versions 11.1.x, 11.0.x, 10.4.x and earlier, as well as versions 8 and 9, are no longer maintained and will therefore no longer receive security updates.

Impacted products

| Vendor | Product | Description |
|---|---|---|
| Drupal | Drupal | Drupal versions 11.2.x prior to 11.2.11 |
| Drupal | Drupal | Drupal versions 10.6.x prior to 10.6.7 |
| Drupal | Drupal | Drupal versions prior to 10.5.9 |
| Drupal | Drupal | Drupal versions 11.3.x prior to 11.3.7 |

References

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 11.2.x ant\u00e9rieures \u00e0 11.2.11",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 10.6.x ant\u00e9rieures \u00e0 10.6.7",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions ant\u00e9rieures \u00e0 10.5.9",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.3.x ant\u00e9rieures \u00e0 11.3.7",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "L\u0027\u00e9diteur rappelle que les versions 11.1.x, 11.0.x, 10.4.x et ant\u00e9rieures, ainsi que les versions 8 et 9, ne sont plus maintenues et ne recevront donc plus de mises \u00e0 jour de s\u00e9curit\u00e9.",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-6365",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-6365"
    },
    {
      "name": "CVE-2026-6367",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-6367"
    },
    {
      "name": "CVE-2026-6366",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-6366"
    }
  ],
  "initial_release_date": "2026-04-16T00:00:00",
  "last_revision_date": "2026-04-16T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0447",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-04-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Injection SQL (SQLi)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une injection SQL (SQLi) et une injection de code indirecte \u00e0 distance (XSS).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": "2026-04-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-002",
      "url": "https://drupal.org/sa-core-2026-002"
    },
    {
      "published_at": "2026-04-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-003",
      "url": "https://drupal.org/sa-core-2026-003"
    },
    {
      "published_at": "2026-04-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2026-001",
      "url": "https://drupal.org/sa-core-2026-001"
    }
  ]
}

CERTFR-2025-AVI-1003

Vulnerability from certfr_avis - Published: 2025-11-13 - Updated: 2025-11-13

Multiple vulnerabilities have been discovered in Drupal. Some of them allow an attacker to cause remote arbitrary code execution, remote denial of service, and a breach of data confidentiality.

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products

| Vendor | Product | Description |
|---|---|---|
| Drupal | Drupal | Drupal versions 11.2.x prior to 11.2.8 |
| Drupal | Drupal | Drupal versions prior to 10.4.9 |
| Drupal | Drupal | Drupal versions 11.1.x prior to 11.1.9 |
| Drupal | Drupal | Drupal versions 10.5.x prior to 10.5.6 |

References

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 11.2.x ant\u00e9rieures \u00e0 11.2.8",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions ant\u00e9rieures \u00e0 10.4.9",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.1.x ant\u00e9rieures \u00e0 11.1.9",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 10.5.x ant\u00e9rieures \u00e0 10.5.6",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-13080",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13080"
    },
    {
      "name": "CVE-2025-13083",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13083"
    },
    {
      "name": "CVE-2025-13082",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13082"
    },
    {
      "name": "CVE-2025-13081",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13081"
    }
  ],
  "initial_release_date": "2025-11-13T00:00:00",
  "last_revision_date": "2025-11-13T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-1003",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-11-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-007",
      "url": "https://drupal.org/sa-core-2025-007"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-006",
      "url": "https://drupal.org/sa-core-2025-006"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-005",
      "url": "https://drupal.org/sa-core-2025-005"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-008",
      "url": "https://drupal.org/sa-core-2025-008"
    }
  ]
}

CERTFR-2025-AVI-0225

Vulnerability from certfr_avis - Published: 2025-03-20 - Updated: 2025-03-20

A vulnerability has been discovered in Drupal. It allows an attacker to cause cross-site scripting (XSS).

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products

| Vendor | Product | Description |
|---|---|---|
| Drupal | Drupal | Drupal versions 10.4.x prior to 10.4.5 |
| Drupal | Drupal | Drupal versions prior to 10.3.14 |
| Drupal | Drupal | Drupal versions 11.0.x prior to 11.0.13 |
| Drupal | Drupal | Drupal versions 11.1.x prior to 11.1.5 |

References

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 10.4.x ant\u00e9rieures \u00e0 10.4.5",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions ant\u00e9rieures \u00e0 10.3.14",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.0.x ant\u00e9rieures \u00e0 11.0.13",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.1.x ant\u00e9rieures \u00e0 11.1.5",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [],
  "initial_release_date": "2025-03-20T00:00:00",
  "last_revision_date": "2025-03-20T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0225",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-03-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": "2025-03-19",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-004",
      "url": "https://drupal.org/sa-core-2025-004"
    }
  ]
}

CERTFR-2025-AVI-0149

Vulnerability from certfr_avis - Published: 2025-02-20 - Updated: 2025-02-20

Multiple vulnerabilities have been discovered in Drupal. Some of them allow an attacker to cause cross-site scripting (XSS), a security policy bypass, and a security issue not specified by the vendor.

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products

| Vendor | Product | Description |
|---|---|---|
| Drupal | Drupal | Drupal versions 10.4.x prior to 10.4.3 |
| Drupal | Drupal | Drupal versions 11.1.x prior to 11.1.3 |
| Drupal | Drupal | Drupal versions 11.0.x prior to 11.0.12 |
| Drupal | Drupal | Drupal versions prior to 10.3.13 |

References

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 10.4.x ant\u00e9rieures \u00e0 10.4.3",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.1.x ant\u00e9rieures \u00e0 11.1.3",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.0.x ant\u00e9rieures \u00e0 11.0.12",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions ant\u00e9rieures \u00e0 10.3.13",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [],
  "initial_release_date": "2025-02-20T00:00:00",
  "last_revision_date": "2025-02-20T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0149",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-02-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS), un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": "2025-02-19",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-003",
      "url": "https://drupal.org/sa-core-2025-003"
    },
    {
      "published_at": "2025-02-19",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-001",
      "url": "https://drupal.org/sa-core-2025-001"
    },
    {
      "published_at": "2025-02-19",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2025-002",
      "url": "https://drupal.org/sa-core-2025-002"
    }
  ]
}

CERTFR-2024-AVI-1009

Vulnerability from certfr_avis - Published: 2024-11-21 - Updated: 2024-11-21

Multiple vulnerabilities have been discovered in Drupal. Some of them allow an attacker to cause remote arbitrary code execution, a breach of data integrity, and cross-site scripting (XSS).

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

The vendor states that Drupal 8, 9 and 10 versions prior to 10.2 are no longer supported and will not receive patches.

Impacted products

| Vendor | Product | Description |
|---|---|---|
| Drupal | Drupal | Drupal versions 10.2.x prior to 10.2.11 |
| Drupal | Drupal | Drupal versions 11.0.x prior to 11.0.8 |
| Drupal | Drupal | Drupal versions 10.3.x prior to 10.3.9 |

References

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 10.2.x ant\u00e9rieures \u00e0 10.2.11",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 11.0.x ant\u00e9rieures \u00e0 11.0.8",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 10.3.x ant\u00e9rieures \u00e0 10.3.9",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "L\u0027\u00e9diteur pr\u00e9cise que les versions de Drupal 8, 9 et 10 ant\u00e9rieures \u00e0 10.2 ne sont plus support\u00e9es et ne recevront pas de correctifs. ",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [],
  "initial_release_date": "2024-11-21T00:00:00",
  "last_revision_date": "2024-11-21T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-1009",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-11-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": "2024-11-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-006",
      "url": "https://drupal.org/sa-core-2024-006"
    },
    {
      "published_at": "2024-11-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-007",
      "url": "https://drupal.org/sa-core-2024-007"
    },
    {
      "published_at": "2024-11-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-004",
      "url": "https://drupal.org/sa-core-2024-004"
    },
    {
      "published_at": "2024-11-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-003",
      "url": "https://drupal.org/sa-core-2024-003"
    },
    {
      "published_at": "2024-11-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-005",
      "url": "https://drupal.org/sa-core-2024-005"
    },
    {
      "published_at": "2024-11-20",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-008",
      "url": "https://drupal.org/sa-core-2024-008"
    }
  ]
}

CERTFR-2024-AVI-0894

Vulnerability from certfr_avis - Published: 2024-10-17 - Updated: 2024-10-17

A vulnerability has been discovered in Drupal Core. It allows an attacker to cause a remote denial of service.

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products

| Vendor | Product | Description |
|---|---|---|
| Drupal | Drupal | Drupal versions 10.2.x prior to 10.2.10 |

References

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 10.2.x ant\u00e9rieures \u00e0 10.2.10",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [],
  "initial_release_date": "2024-10-17T00:00:00",
  "last_revision_date": "2024-10-17T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0894",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-10-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 ont \u00e9t\u00e9 d\u00e9couverte dans Drupal Core. Elle permet \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance.",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal Core",
  "vendor_advisories": [
    {
      "published_at": "2024-10-16",
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2024-002",
      "url": "https://drupal.org/sa-core-2024-002"
    }
  ]
}

CERTFR-2023-AVI-0330

Vulnerability from certfr_avis - Published: 2023-04-20 - Updated: 2023-04-20

A vulnerability has been discovered in Drupal Core. It allows an attacker to cause a security policy bypass.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products

| Vendor | Product | Description |
|---|---|---|
| Drupal | Drupal | Drupal 9.4.x prior to 9.4.14 |
| Drupal | Drupal | Drupal 10.0.x prior to 10.0.8 |
| Drupal | Drupal | Drupal versions 7.x prior to 7.96 |
| Drupal | Drupal | Drupal 9.5.x prior to 9.5.8 |

References

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal 9.4.x ant\u00e9rieures \u00e0 9.4.14",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal 10.0.x ant\u00e9rieures \u00e0 10.0.8",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 7.x ant\u00e9rieures \u00e0 7.96",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal 9.5.x ant\u00e9rieures \u00e0 9.5.8",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2023-04-20T00:00:00",
  "last_revision_date": "2023-04-20T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0330",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-04-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal Core. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal Core",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2023-005 du 19 avril 2023",
      "url": "https://www.drupal.org/sa-core-2023-005"
    }
  ]
}

CERTFR-2023-AVI-0039

Vulnerability from certfr_avis - Published: 2023-01-19 - Updated: 2023-01-19

A vulnerability has been discovered in Drupal Core. It allows an attacker to cause a breach of data confidentiality.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal 9.4.x versions prior to 9.4.10
Drupal Drupal Drupal 10.0.x versions prior to 10.0.2
Drupal Drupal Drupal 9.5.x versions prior to 9.5.2

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal 9.4.x versions ant\u00e9rieures \u00e0 9.4.10",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal 10.0.x versions ant\u00e9rieures \u00e0 10.0.2",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal 9.5.x versions ant\u00e9rieures \u00e0 9.5.2",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2023-01-19T00:00:00",
  "last_revision_date": "2023-01-19T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0039",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-01-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal Core. Elle permet \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal Core",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2023-001 du 18 janvier 2023",
      "url": "https://www.drupal.org/sa-core-2023-001"
    }
  ]
}

CERTFR-2022-AVI-866

Vulnerability from certfr_avis - Published: 2022-09-29 - Updated: 2022-09-29

A vulnerability has been discovered in Drupal core. It allows an attacker to cause a security policy bypass and a breach of data confidentiality.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal versions 9.3.x prior to 9.3.22
Drupal Drupal Drupal versions 9.4.x prior to 9.4.7

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 9.3.x versions ant\u00e9rieures \u00e0 9.3.22",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 9.4.x versions ant\u00e9rieures \u00e0 9.4.7",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-39261",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39261"
    }
  ],
  "initial_release_date": "2022-09-29T00:00:00",
  "last_revision_date": "2022-09-29T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-866",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-09-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal core. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9 et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal core",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-016 du 28 septembre 2022",
      "url": "https://www.drupal.org/sa-core-2022-016"
    }
  ]
}

CERTFR-2022-AVI-501

Vulnerability from certfr_avis - Published: 2022-05-27 - Updated: 2022-05-27

A vulnerability has been discovered in Drupal Core. It allows an attacker to cause a security policy bypass and a breach of data confidentiality.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal versions 9.3.x prior to 9.3.14
Drupal Drupal Drupal versions 9.2.x prior to 9.2.20

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 9.3.x ant\u00e9rieures \u00e0 9.3.14",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 9.2.x ant\u00e9rieures \u00e0 9.2.20",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-29248",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-29248"
    }
  ],
  "initial_release_date": "2022-05-27T00:00:00",
  "last_revision_date": "2022-05-27T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-501",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-05-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal Core. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9 et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal Core",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-010 du 25 mai 2022",
      "url": "https://www.drupal.org/sa-core-2022-010"
    }
  ]
}

CERTFR-2021-AVI-625

Vulnerability from certfr_avis - Published: 2021-08-13 - Updated: 2021-08-13

Multiple vulnerabilities have been discovered in Drupal. They allow an attacker to cause a breach of data integrity, a breach of data confidentiality and cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal 9.1.x versions prior to 9.1.12
Drupal Drupal Drupal 8.9.x versions prior to 8.9.18
Drupal Drupal Drupal 9.2.x versions prior to 9.2.4

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal 9.1.x versions ant\u00e9rieures \u00e0 9.1.12",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal 8.9.x versions ant\u00e9rieures \u00e0 8.9.18",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal 9.2.x versions ant\u00e9rieures \u00e0 9.2.4",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2021-08-13T00:00:00",
  "last_revision_date": "2021-08-13T00:00:00",
  "links": [],
  "reference": "CERTFR-2021-AVI-625",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-08-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des\ndonn\u00e9es, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection\nde code indirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2021-005 du 12 ao\u00fbt 2021",
      "url": "https://www.drupal.org/sa-core-2021-005"
    }
  ]
}

CERTFR-2020-AVI-381

Vulnerability from certfr_avis - Published: 2020-06-19 - Updated: 2020-06-19

Multiple vulnerabilities have been discovered in Drupal. They allow an attacker to cause remote arbitrary code execution, a security policy bypass and cross-site request forgery (CSRF).

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal versions 9.x prior to 9.0.1
Drupal Drupal Drupal versions 8.9.x prior to 8.9.1
Drupal Drupal Drupal versions 8.8.x prior to 8.8.8
Drupal Drupal Drupal versions 7.x prior to 7.72


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 9.x ant\u00e9rieures \u00e0 9.0.1",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 8.9.x ant\u00e9rieures \u00e0 8.9.1",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 8.8.x ant\u00e9rieures \u00e0 8.8.8",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 7.x ant\u00e9rieures \u00e0 7.72",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-13665",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13665"
    },
    {
      "name": "CVE-2020-13664",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13664"
    },
    {
      "name": "CVE-2020-13663",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13663"
    }
  ],
  "initial_release_date": "2020-06-19T00:00:00",
  "last_revision_date": "2020-06-19T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-381",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-06-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9 et une\ninjection de requ\u00eates ill\u00e9gitimes par rebond (CSRF).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-005 du 17 juin 2020",
      "url": "https://www.drupal.org/sa-core-2020-005"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-004 du 17 juin 2020",
      "url": "https://www.drupal.org/sa-core-2020-004"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-006 du 17 juin 2020",
      "url": "https://www.drupal.org/sa-core-2020-006"
    }
  ]
}

CERTFR-2020-AVI-310

Vulnerability from certfr_avis - Published: 2020-05-22 - Updated: 2020-05-22

Multiple vulnerabilities have been discovered in Drupal. They allow an attacker to cause a security policy bypass and cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal core versions prior to 7.70
Drupal Drupal Drupal core versions 8.8.x prior to 8.8.6
Drupal Drupal Drupal core versions 8.x prior to 8.7.14

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal core versions ant\u00e9rieures \u00e0 7.70",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal core versions 8.8.x ant\u00e9rieures \u00e0 8.8.6",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal core versions 8.x ant\u00e9rieures \u00e0 ant\u00e9rieures \u00e0 8.7.14",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-11022",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
    },
    {
      "name": "CVE-2020-11023",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
    }
  ],
  "initial_release_date": "2020-05-22T00:00:00",
  "last_revision_date": "2020-05-22T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-310",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-05-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9 et une injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-002 du 20 mai 2020",
      "url": "https://www.drupal.org/sa-core-2020-002"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-003 du 20 mai 2020",
      "url": "https://www.drupal.org/sa-core-2020-003"
    }
  ]
}

CERTFR-2020-AVI-163

Vulnerability from certfr_avis - Published: 2020-03-19 - Updated: 2020-03-19

A vulnerability has been discovered in Drupal. It allows an attacker to cause cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal 8.8.x versions prior to 8.8.4
Drupal Drupal Drupal 8.7.x versions prior to 8.7.12

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal 8.8.x versions ant\u00e9rieures \u00e0 8.8.4",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal 8.7.x versions ant\u00e9rieures \u00e0 8.7.12",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2020-03-19T00:00:00",
  "last_revision_date": "2020-03-19T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-163",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-03-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal . Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2020-001 du 18 mars 2020",
      "url": "https://www.drupal.org/sa-core-2020-001"
    }
  ]
}

CERTFR-2019-AVI-645

Vulnerability from certfr_avis - Published: 2019-12-19 - Updated: 2019-12-19

Multiple vulnerabilities have been discovered in Drupal. They allow an attacker to cause a security issue not specified by the vendor.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal 7.x versions prior to 7.69
Drupal Drupal Drupal 8.8.x versions prior to 8.8.1
Drupal Drupal Drupal 8.7.x versions prior to 8.7.11


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal 7.x versions ant\u00e9rieures \u00e0 7.69",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal 8.8.x versions ant\u00e9rieures \u00e0 8.8.1",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal 8.7.x versions ant\u00e9rieures \u00e0 8.7.11",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2019-12-19T00:00:00",
  "last_revision_date": "2019-12-19T00:00:00",
  "links": [],
  "reference": "CERTFR-2019-AVI-645",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-12-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-012 du 18 d\u00e9cembre 2019",
      "url": "https://www.drupal.org/sa-core-2019-012"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-011 du 18 d\u00e9cembre 2019",
      "url": "https://www.drupal.org/sa-core-2019-011"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-010 du 18 d\u00e9cembre 2019",
      "url": "https://www.drupal.org/sa-core-2019-010"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-009 du 18 d\u00e9cembre 2019",
      "url": "https://www.drupal.org/sa-core-2019-009"
    }
  ]
}

CERTFR-2019-AVI-347

Vulnerability from certfr_avis - Published: 2019-07-18 - Updated: 2019-07-18

A vulnerability has been discovered in Drupal. It allows an attacker to cause a security policy bypass.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal 8.7.4

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal 8.7.4",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-6342",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-6342"
    }
  ],
  "initial_release_date": "2019-07-18T00:00:00",
  "last_revision_date": "2019-07-18T00:00:00",
  "links": [],
  "reference": "CERTFR-2019-AVI-347",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-07-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-008 du 17 juillet 2019",
      "url": "https://www.drupal.org/sa-core-2019-008"
    }
  ]
}

CERTFR-2019-AVI-199

Vulnerability from certfr_avis - Published: 2019-05-09 - Updated: 2019-05-09

A vulnerability has been discovered in Drupal. It allows an attacker to cause a security policy bypass.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal versions 8.7 prior to 8.7.1
Drupal Drupal Drupal versions 7 prior to 7.67
Drupal Drupal Drupal versions 8 prior to 8.6.x
Drupal Drupal Drupal versions 8.6 prior to 8.6.16

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 8.7 ant\u00e9rieures \u00e0 8.7.1",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 7 ant\u00e9rieures \u00e0 7.67",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 8 ant\u00e9rieures \u00e0 8.6.x",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 8.6 ant\u00e9rieures \u00e0 8.6.16",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-11831",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11831"
    }
  ],
  "initial_release_date": "2019-05-09T00:00:00",
  "last_revision_date": "2019-05-09T00:00:00",
  "links": [],
  "reference": "CERTFR-2019-AVI-199",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-05-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal . Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2019-007 du 08 mai 2019",
      "url": "https://www.drupal.org/sa-core-2019-007"
    }
  ]
}

CERTFR-2019-AVI-180

Vulnerability from certfr_avis - Published: 2019-04-18 - Updated: 2019-04-18

Multiple vulnerabilities have been discovered in Drupal. They allow an attacker to cause remote arbitrary code execution and cross-site scripting (XSS).

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal Core versions 8.5.x prior to 8.5.15
Drupal Drupal Drupal Core versions 8.6.x prior to 8.6.15
Drupal Drupal Drupal Core versions 7.x prior to 7.66

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal Core versions 8.5.x ant\u00e9rieures \u00e0 8.5.15",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal Core versions 8.6.x ant\u00e9rieures \u00e0 8.6.15",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal Core versions 7.x ant\u00e9rieures \u00e0 7.66",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-10910",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10910"
    },
    {
      "name": "CVE-2019-10911",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10911"
    },
    {
      "name": "CVE-2019-10909",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10909"
    }
  ],
  "initial_release_date": "2019-04-18T00:00:00",
  "last_revision_date": "2019-04-18T00:00:00",
  "links": [],
  "reference": "CERTFR-2019-AVI-180",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-04-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance et une injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-005 du 17 avril 2019",
      "url": "https://www.drupal.org/sa-core-2019-005"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-006 du 17 avril 2019",
      "url": "https://www.drupal.org/sa-core-2019-006"
    }
  ]
}

CERTFR-2019-AVI-119

Vulnerability from certfr_avis - Published: 2019-03-21 - Updated: 2019-03-21

A vulnerability has been discovered in Drupal. It allows an attacker to cause remote indirect code injection (XSS).

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal 7 versions prior to Drupal 7.65
Drupal Drupal Drupal 8.6 versions prior to 8.6.13
Drupal Drupal Drupal versions prior to 8.5.14

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal 7 versions ant\u00e9rieures \u00e0 Drupal 7.65",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal 8.6 versions ant\u00e9rieures \u00e0 8.6.13",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions ant\u00e9rieures \u00e0 8.5.14",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2019-03-21T00:00:00",
  "last_revision_date": "2019-03-21T00:00:00",
  "links": [],
  "reference": "CERTFR-2019-AVI-119",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-03-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2019-004 du 20 mars 2019",
      "url": "https://www.drupal.org/sa-core-2019-004"
    }
  ]
}

CERTFR-2019-AVI-074

Vulnerability from certfr_avis - Published: 2019-02-21 - Updated: 2019-02-21

A vulnerability has been discovered in Drupal. It allows an attacker to cause remote arbitrary code execution.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal versions 8.6.x prior to 8.6.10
Drupal Drupal Drupal versions 8.5.x, or older, prior to 8.5.11

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 8.6.x ant\u00e9rieures \u00e0 8.6.10",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 8.5.x, ou plus anciennes, ant\u00e9rieures \u00e0 8.5.11",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-6340",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-6340"
    }
  ],
  "initial_release_date": "2019-02-21T00:00:00",
  "last_revision_date": "2019-02-21T00:00:00",
  "links": [],
  "reference": "CERTFR-2019-AVI-074",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-02-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2019-003 du 20 f\u00e9vrier 2019",
      "url": "https://www.drupal.org/sa-core-2019-003"
    }
  ]
}

CERTFR-2019-AVI-027

Vulnerability from certfr_avis - Published: 2019-01-17 - Updated: 2019-01-17

Multiple vulnerabilities have been discovered in Drupal. They allow an attacker to cause remote arbitrary code execution and a breach of data confidentiality.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal versions 8.6.x prior to 8.6.6.
Drupal Drupal Drupal versions 8.5.x prior to 8.5.9.
Drupal Drupal Drupal versions 7.x prior to 7.62.

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 8.6.x ant\u00e9rieures \u00e0 8.6.6.",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 8.5.x ant\u00e9rieures \u00e0 8.5.9.",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 7.x ant\u00e9rieures \u00e0 7.62.",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2018-1000888",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-1000888"
    }
  ],
  "initial_release_date": "2019-01-17T00:00:00",
  "last_revision_date": "2019-01-17T00:00:00",
  "links": [],
  "reference": "CERTFR-2019-AVI-027",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-01-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-001 du 16 janvier 2019",
      "url": "https://www.drupal.org/sa-core-2019-001"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2019-002 du 16 janvier 2019",
      "url": "https://www.drupal.org/sa-core-2019-002"
    }
  ]
}

CERTFR-2018-AVI-501

Vulnerability from certfr_avis - Published: 2018-10-18 - Updated: 2018-10-18

Multiple vulnerabilities have been discovered in Drupal. They allow an attacker to cause remote arbitrary code execution and a security policy bypass.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal Core versions 8.6.x prior to 8.6.2
Drupal Drupal Drupal Core versions 8.5.x prior to 8.5.8
Drupal Drupal Drupal Core versions 7.x prior to 7.60

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal Core versions 8.6.x ant\u00e9rieures \u00e0 8.6.2",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal Core versions 8.5.x ant\u00e9rieures \u00e0 8.5.8",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal Core versions 7.x ant\u00e9rieures \u00e0 7.60",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2018-10-18T00:00:00",
  "last_revision_date": "2018-10-18T00:00:00",
  "links": [],
  "reference": "CERTFR-2018-AVI-501",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2018-10-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal . Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2018-006 du 17 octobre 2018",
      "url": "https://www.drupal.org/sa-core-2018-006"
    }
  ]
}

CERTFR-2018-AVI-370

Vulnerability from certfr_avis - Published: 2018-08-02 - Updated: 2018-08-02

A vulnerability has been discovered in Drupal. It allows an attacker to cause a security policy bypass.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal versions 8.x prior to 8.5.6.

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal versions 8.x ant\u00e9rieures \u00e0 8.5.6.",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2018-14773",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-14773"
    }
  ],
  "initial_release_date": "2018-08-02T00:00:00",
  "last_revision_date": "2018-08-02T00:00:00",
  "links": [],
  "reference": "CERTFR-2018-AVI-370",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2018-08-02T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2018-005 du 1 ao\u00fbt 2018",
      "url": "https://www.drupal.org/SA-CORE-2018-005"
    }
  ]
}

CERTFR-2018-AVI-204

Vulnerability from certfr_avis - Published: 2018-04-26 - Updated: 2018-04-26

A vulnerability has been discovered in Drupal. It allows an attacker to cause remote arbitrary code execution.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal, all versions without the latest security patch

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal toutes versions sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2018-7602",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-7602"
    }
  ],
  "initial_release_date": "2018-04-26T00:00:00",
  "last_revision_date": "2018-04-26T00:00:00",
  "links": [],
  "reference": "CERTFR-2018-AVI-204",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2018-04-26T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2018-004 du 25 avril 2018",
      "url": "https://www.drupal.org/sa-core-2018-004"
    }
  ]
}

CERTFR-2018-AVI-193

Vulnerability from certfr_avis - Published: 2018-04-19 - Updated: 2018-04-19

A vulnerability has been discovered in Drupal. It allows an attacker to cause remote indirect code injection (XSS).

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal Core versions 8.4.x prior to 8.4.7
Drupal Drupal Drupal Core versions 8.5.x prior to 8.5.2
Drupal Drupal Drupal versions 7.x with CKEditor versions prior to 4.9.2

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal Core versions 8.4.x ant\u00e9rieures \u00e0 8.4.7",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal Core versions 8.5.x ant\u00e9rieures \u00e0 8.5.2",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal versions 7.x avec CKEditor versions ant\u00e9rieures \u00e0 4.9.2",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2018-04-19T00:00:00",
  "last_revision_date": "2018-04-19T00:00:00",
  "links": [],
  "reference": "CERTFR-2018-AVI-193",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2018-04-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal . Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2018-003 du 18 avril 2018",
      "url": "https://www.drupal.org/sa-core-2018-003"
    }
  ]
}

CERTFR-2018-AVI-158

Vulnerability from certfr_avis - Published: 2018-03-29 - Updated: 2018-03-29

A vulnerability has been discovered in Drupal. It allows an attacker to cause remote arbitrary code execution.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Impacted products
Vendor Product Description
Drupal Drupal Drupal, all versions without the latest security patch

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal toutes versions sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2018-7600",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-7600"
    }
  ],
  "initial_release_date": "2018-03-29T00:00:00",
  "last_revision_date": "2018-03-29T00:00:00",
  "links": [
    {
      "title": "Foire aux questions sur la vuln\u00e9rabilit\u00e9s CVE-2018-7600",
      "url": "https://groups.drupal.org/security/faq-2018-002"
    }
  ],
  "reference": "CERTFR-2018-AVI-158",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2018-03-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Drupal. Elle permet \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2018-002 du 28 mars 2018",
      "url": "https://www.drupal.org/sa-core-2018-002"
    }
  ]
}

CVE-2026-0749 (GCVE-0-2026-0749)

Vulnerability from cvelistv5 – Published: 2026-01-28 18:56 – Updated: 2026-01-28 19:12
Title
Cross-Site Scripting Vulnerability in Drupal Form Builder Module
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS). This issue affects Drupal: from 7.X-1.0 through 7.X-1.22.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Drupal Drupal Affected: 7.x-1.0 , ≤ 7.x-1.22 (custom)
Credits
Yonatan Offek (poiu)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0749",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T19:12:13.895295Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T19:12:36.742Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/form_builder",
          "defaultStatus": "unaffected",
          "packageName": "Form Builder",
          "product": "Drupal",
          "repo": "https://git.drupalcode.org/project/form_builder",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThanOrEqual": "7.x-1.22",
              "status": "affected",
              "version": "7.x-1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yonatan Offek (poiu)"
        }
      ],
      "datePublic": "2025-05-14T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal: from 7.X-1.0 through 7.X-1.22.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS).This issue affects Drupal: from 7.X-1.0 through 7.X-1.22."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T18:56:05.806Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0749"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://d7es.tag1.com/security-advisories/form-builder-less-critical-cross-site-scripting"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Cross-Site Scripting Vulnerability in Drupal Form Builder Module",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2026-0749",
    "datePublished": "2026-01-28T18:56:05.806Z",
    "dateReserved": "2026-01-08T19:51:10.879Z",
    "dateUpdated": "2026-01-28T19:12:36.742Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12848 (GCVE-0-2025-12848)

Vulnerability from cvelistv5 – Published: 2025-11-26 01:28 – Updated: 2026-03-26 20:52
Title
XSS vulnerability when rendering filename in Webform Multiform
Summary
Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44. Users are advised to apply the provided patch or update to a fixed version of the module.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Drupal Drupal Affected: 7.x-1.0 , ≤ 7.x-1.6 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12848",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-26T14:18:51.075955Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-26T14:19:01.182Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/webform_multifile",
          "defaultStatus": "unaffected",
          "packageName": "Webform Multifile Upload",
          "product": "Drupal",
          "repo": "https://git.drupalcode.org/project/webform_multifile",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThanOrEqual": "7.x-1.6",
              "status": "affected",
              "version": "7.x-1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious\u003cbr\u003efilename containing JavaScript code (e.g., \"\u0026lt;img src=1 onerror=alert(document.domain)\u0026gt;\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts\u003cbr\u003ein the context of the victim\u0027s browser.\u003cbr\u003e \u003cbr\u003eThe issue is present in a third-party library and has been addressed in a patch available at\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/fyneworks/multifile/pull/44\"\u003ehttps://github.com/fyneworks/multifile/pull/44\u003c/a\u003e. Users are advised to apply the provided patch or update to a fixed version of the module.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious\nfilename containing JavaScript code (e.g., \"\u003cimg src=1 onerror=alert(document.domain)\u003e\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts\nin the context of the victim\u0027s browser.\n \nThe issue is present in a third-party library and has been addressed in a patch available at\u00a0 https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "USER",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T20:52:30.614Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://www.drupal.org/node/3105204"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-12848"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://d7es.tag1.com/security-advisories/webform-multiple-file-upload-critical-cross-site-scripting"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "XSS vulnerability when rendering filename in Webform Multiform",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-12848",
    "datePublished": "2025-11-26T01:28:33.628Z",
    "dateReserved": "2025-11-06T21:09:12.402Z",
    "dateUpdated": "2026-03-26T20:52:30.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}