drupal upload module vulnerabilities and exploits
7.2
CVSSv3
CVE-2022-25277
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabil...
Drupal Drupal
9.8
CVSSv3
CVE-2020-13675
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemente...
Drupal Drupal
5.4
CVSSv3
CVE-2019-6341
In Drupal 7 versions before 7.65; Drupal 8.6 versions before 8.6.13; Drupal 8.5 versions before 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Drupal Drupal
Debian Debian Linux 8.0
Fedoraproject Fedora 28
Fedoraproject Fedora 29
6.5
CVSSv3
CVE-2017-6922
In Drupal core 8.x before 8.3.4 and Drupal core 7.x before 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal...
Drupal Drupal
Debian Debian Linux 8.0
Debian Debian Linux 9.0
5.9
CVSSv3
CVE-2017-6921
In Drupal 8 before 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an att...
Drupal Drupal
8.1
CVSSv3
CVE-2016-3162
The File module in Drupal 7.x prior to 7.43 and 8.x prior to 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload fil...
Drupal Drupal 7.0
Drupal Drupal 7.40
Drupal Drupal 7.16
Drupal Drupal 7.21
Drupal Drupal 7.18
Drupal Drupal 7.15
Drupal Drupal 7.38
Drupal Drupal 7.41
Drupal Drupal 7.3
Drupal Drupal 7.17
Drupal Drupal 7.8
Drupal Drupal 7.13
Drupal Drupal 7.35
Drupal Drupal 7.20
Drupal Drupal 7.5
Drupal Drupal 7.10
Drupal Drupal 7.30
Drupal Drupal 7.27
Drupal Drupal 7.6
Drupal Drupal 7.12
Drupal Drupal 7.34
Drupal Drupal 7.9
NA
CVE-2015-6665
Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x prior to 7.39 and the Ctools module 6.x-1.x prior to 6.x-1.14 for Drupal allows remote malicious users to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly rela...
Fedoraproject Fedora 22
Fedoraproject Fedora 23
Fedoraproject Fedora 21
Drupal Drupal 7.0
Drupal Drupal 7.16
Drupal Drupal 7.21
Drupal Drupal 7.18
Drupal Drupal 7.15
Drupal Drupal 7.38
Drupal Drupal 7.3
Drupal Drupal 7.17
Drupal Drupal 7.8
Drupal Drupal 7.13
Drupal Drupal 7.35
Drupal Drupal 7.20
Drupal Drupal 7.5
Drupal Drupal 7.10
Drupal Drupal 7.30
Drupal Drupal 7.27
Drupal Drupal 7.6
Drupal Drupal 7.12
Drupal Drupal 7.34
NA
CVE-2015-4379
Cross-site request forgery (CSRF) vulnerability in the Webform Multiple File Upload module 6.x-1.x prior to 6.x-1.3 and 7.x-1.x prior to 7.x-1.3 for Drupal allows remote malicious users to hijack the authentication of certain users for requests that delete files via unspecified v...
Webform Multiple File Upload Project Webform Multiple File Upload 6.x-1.0
Webform Multiple File Upload Project Webform Multiple File Upload 7.x-1.2
Webform Multiple File Upload Project Webform Multiple File Upload 7.x-1.x
Webform Multiple File Upload Project Webform Multiple File Upload 6.x-1.2
Webform Multiple File Upload Project Webform Multiple File Upload 6.x-1.1
NA
CVE-2015-2087
Unrestricted file upload vulnerability in the Avatar Uploader module prior to 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via unspecified vectors.
Avatar Uploader Project Avatar Uploader
NA
CVE-2013-0206
Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x prior to 6.x-2.1 and 7.x-2.x prior to 7.x-2.7 for Drupal allows remote authenticated users with the "administer CSS" permissions to execute arbitrary code by uploading a file with an executable extens...
Guy Bedford Live Css 6.x-2.0
Guy Bedford Live Css 7.x-2.0
Guy Bedford Live Css 7.x-2.0-beta1
Guy Bedford Live Css 7.x-2.1
Guy Bedford Live Css 7.x-2.2
Guy Bedford Live Css 7.x-2.3
Guy Bedford Live Css 7.x-2.4
Guy Bedford Live Css 7.x-2.5
Guy Bedford Live Css 7.x-2.6
Guy Bedford Live Css 7.x-2.x-dev