Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2007-1035

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-21 Feb, 2007 | 11:00
Updated At-07 Aug, 2024 | 12:43
Rejected At-
Credits

Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .mp3 files via unknown vectors.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:21 Feb, 2007 | 11:00
Updated At:07 Aug, 2024 | 12:43
Rejected At:
▼CVE Numbering Authority (CNA)

Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .mp3 files via unknown vectors.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://exchange.xforce.ibmcloud.com/vulnerabilities/32542
vdb-entry
x_refsource_XF
http://www.vupen.com/english/advisories/2007/0635
vdb-entry
x_refsource_VUPEN
http://www.securityfocus.com/bid/22587
vdb-entry
x_refsource_BID
http://drupal.org/node/119385
x_refsource_CONFIRM
http://blamcast.net/articles/highly-critical-security-flaws-in-drupal-audio-module
x_refsource_MISC
http://osvdb.org/35161
vdb-entry
x_refsource_OSVDB
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/32542
Resource:
vdb-entry
x_refsource_XF
Hyperlink: http://www.vupen.com/english/advisories/2007/0635
Resource:
vdb-entry
x_refsource_VUPEN
Hyperlink: http://www.securityfocus.com/bid/22587
Resource:
vdb-entry
x_refsource_BID
Hyperlink: http://drupal.org/node/119385
Resource:
x_refsource_CONFIRM
Hyperlink: http://blamcast.net/articles/highly-critical-security-flaws-in-drupal-audio-module
Resource:
x_refsource_MISC
Hyperlink: http://osvdb.org/35161
Resource:
vdb-entry
x_refsource_OSVDB
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://exchange.xforce.ibmcloud.com/vulnerabilities/32542
vdb-entry
x_refsource_XF
x_transferred
http://www.vupen.com/english/advisories/2007/0635
vdb-entry
x_refsource_VUPEN
x_transferred
http://www.securityfocus.com/bid/22587
vdb-entry
x_refsource_BID
x_transferred
http://drupal.org/node/119385
x_refsource_CONFIRM
x_transferred
http://blamcast.net/articles/highly-critical-security-flaws-in-drupal-audio-module
x_refsource_MISC
x_transferred
http://osvdb.org/35161
vdb-entry
x_refsource_OSVDB
x_transferred
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/32542
Resource:
vdb-entry
x_refsource_XF
x_transferred
Hyperlink: http://www.vupen.com/english/advisories/2007/0635
Resource:
vdb-entry
x_refsource_VUPEN
x_transferred
Hyperlink: http://www.securityfocus.com/bid/22587
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: http://drupal.org/node/119385
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://blamcast.net/articles/highly-critical-security-flaws-in-drupal-audio-module
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://osvdb.org/35161
Resource:
vdb-entry
x_refsource_OSVDB
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:21 Feb, 2007 | 11:28
Updated At:29 Jul, 2017 | 01:30

Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .mp3 files via unknown vectors.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
The Drupal Association
drupal
>>audio_module>>*
cpe:2.3:a:drupal:audio_module:*:*:*:*:*:*:*:*
The Drupal Association
drupal
>>getid3>>1.7.1
cpe:2.3:a:drupal:getid3:1.7.1:*:*:*:*:*:*:*
The Drupal Association
drupal
>>mediafield_module>>*
cpe:2.3:a:drupal:mediafield_module:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-OtherPrimarynvd@nist.gov
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

This vulnerability affects the following versions of Drupal Mediafield Module: Drupal, Mediafield Module, 4.7.x-1.x-dev Drupal, Mediafield Module, 5.x-1.x-dev This vulnerability affects the following versions of Drupal Audio Module: Drupal, Audio Module, 4.7.x-1.x-dev Drupal, Audio Module, 5.x-0.2 Drupal, Audio Module, 5.x-0.x-dev

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://blamcast.net/articles/highly-critical-security-flaws-in-drupal-audio-modulecve@mitre.org
N/A
http://drupal.org/node/119385cve@mitre.org
Patch
Vendor Advisory
http://osvdb.org/35161cve@mitre.org
N/A
http://www.securityfocus.com/bid/22587cve@mitre.org
Patch
http://www.vupen.com/english/advisories/2007/0635cve@mitre.org
N/A
https://exchange.xforce.ibmcloud.com/vulnerabilities/32542cve@mitre.org
N/A
Hyperlink: http://blamcast.net/articles/highly-critical-security-flaws-in-drupal-audio-module
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://drupal.org/node/119385
Source: cve@mitre.org
Resource:
Patch
Vendor Advisory
Hyperlink: http://osvdb.org/35161
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.securityfocus.com/bid/22587
Source: cve@mitre.org
Resource:
Patch
Hyperlink: http://www.vupen.com/english/advisories/2007/0635
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://exchange.xforce.ibmcloud.com/vulnerabilities/32542
Source: cve@mitre.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

69Records found
CVE-2006-2742
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.97% / 75.65%
||
7 Day CHG~0.00%
Published-01 Jun, 2006 | 10:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in Drupal 4.6.x before 4.6.7 and 4.7.0 allows remote attackers to execute arbitrary SQL commands via the (1) count and (2) from variables to (a) database.mysql.inc, (b) database.pgsql.inc, and (c) database.mysqli.inc.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CVE-2006-2831
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.25% / 88.35%
||
7 Day CHG~0.00%
Published-06 Jun, 2006 | 00:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides are disabled within .htaccess, allows remote attackers to execute arbitrary code by uploading a file with multiple extensions, a variant of CVE-2006-2743.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CVE-2005-1921
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-86.90% / 99.39%
||
7 Day CHG~0.00%
Published-01 Jul, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.

Action-Not Available
Vendor-tikigggeekn/aDebian GNU/LinuxThe Drupal AssociationThe PHP Group
Product-xml_rpcdrupaltikiwiki_cms\/groupwaredebian_linuxphpxmlrpcn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2005-1871
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.74% / 72.01%
||
7 Day CHG~0.00%
Published-07 Jun, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote attackers to gain privileges, due to an "input check" that "is not implemented properly."

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CVE-2014-1475
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.67% / 70.37%
||
7 Day CHG~0.00%
Published-24 Jan, 2014 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CVE-2013-2247
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.44% / 62.41%
||
7 Day CHG~0.00%
Published-28 Aug, 2013 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Fast Permissions Administration module 6.x-2.x before 6.x-2.5 and 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to the modal content callback, which allows remote attackers to obtain unspecified access to the permissions edit form.

Action-Not Available
Vendor-fast_permissions_administration_projectn/aThe Drupal Association
Product-drupalfast_permission_administrationn/a
CVE-2019-6339
Matching Score-8
Assigner-Drupal.org
ShareView Details
Matching Score-8
Assigner-Drupal.org
CVSS Score-9.8||CRITICAL
EPSS-78.50% / 98.99%
||
7 Day CHG~0.00%
Published-22 Jan, 2019 | 15:00
Updated-16 Sep, 2024 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHAR stream wrapper Arbitrary PHP code execution

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Action-Not Available
Vendor-Debian GNU/LinuxThe Drupal Association
Product-debian_linuxdrupalDrupal core
CWE ID-CWE-20
Improper Input Validation
CVE-2012-5590
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.38% / 58.69%
||
7 Day CHG~0.00%
Published-26 Dec, 2012 | 17:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the Webmail Plus module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Action-Not Available
Vendor-scriptheadn/aThe Drupal Association
Product-webmail_plusdrupaln/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2012-2730
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.26% / 49.37%
||
7 Day CHG~0.00%
Published-27 Jun, 2012 | 00:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Protected Node module 6.x-1.x before 6.x-1.6 for Drupal does not properly "protect node access when nodes are accessed outside of the standard node view," which allows remote attackers to bypass intended access restrictions.

Action-Not Available
Vendor-alexis_wilken/aThe Drupal Association
Product-protected_nodedrupaln/a
CVE-2012-2303
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.83% / 73.65%
||
7 Day CHG~0.00%
Published-18 Jul, 2012 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Spaces module 6.x-3.x before 6.x-3.4 for Drupal does not enforce permissions on non-object pages, which allows remote attackers to obtain sensitive information and possibly have other impacts via unspecified vectors to the (1) Spaces or (2) Spaces OG module.

Action-Not Available
Vendor-florian_webern/aThe Drupal Association
Product-drupalspacesn/a
CVE-2011-2687
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.76% / 72.33%
||
7 Day CHG~0.00%
Published-27 Jul, 2011 | 01:29
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CVE-2011-2715
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.50% / 64.92%
||
7 Day CHG~0.00%
Published-14 Jan, 2020 | 21:22
Updated-06 Aug, 2024 | 23:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.

Action-Not Available
Vendor-The Drupal Association
Product-datadrupalData-module
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-11831
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.02% / 86.10%
||
7 Day CHG-0.24%
Published-09 May, 2019 | 03:52
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

Action-Not Available
Vendor-n/aDebian GNU/LinuxThe Drupal AssociationTYPO3 AssociationJoomla!Fedora Project
Product-pharstreamwrapperdebian_linuxjoomla\!fedoradrupaln/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-10910
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-17.61% / 94.84%
||
7 Day CHG~0.00%
Published-16 May, 2019 | 21:31
Updated-04 Aug, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Action-Not Available
Vendor-sensiolabsn/aThe Drupal Association
Product-drupalsymfonyn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-7600
Matching Score-8
Assigner-Drupal.org
ShareView Details
Matching Score-8
Assigner-Drupal.org
CVSS Score-9.8||CRITICAL
EPSS-94.47% / 100.00%
||
7 Day CHG~0.00%
Published-29 Mar, 2018 | 07:00
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Action-Not Available
Vendor-n/aDebian GNU/LinuxThe Drupal Association
Product-drupaldebian_linuxDrupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1Drupal Core
CWE ID-CWE-20
Improper Input Validation
CVE-2009-4296
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.71% / 71.25%
||
7 Day CHG~0.00%
Published-11 Dec, 2009 | 19:00
Updated-17 Sep, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the Taxonomy Timer module 5.x-1.8 and earlier and 6.x-alpha1 and earlier for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Action-Not Available
Vendor-brian_millern/aThe Drupal Association
Product-drupaltaxonomy_timern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2009-2075
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.41% / 60.76%
||
7 Day CHG~0.00%
Published-16 Jun, 2009 | 19:00
Updated-17 Sep, 2024 | 04:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drupal, does not properly restrict access when displaying node titles, which has unknown impact and attack vectors.

Action-Not Available
Vendor-angrydonutsn/aThe Drupal Association
Product-nodequeuedrupaln/a
CWE ID-CWE-264
Not Available
CVE-2018-7602
Matching Score-8
Assigner-Drupal.org
ShareView Details
Matching Score-8
Assigner-Drupal.org
CVSS Score-9.8||CRITICAL
EPSS-94.19% / 99.91%
||
7 Day CHG~0.00%
Published-19 Jul, 2018 | 17:00
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-04||Apply updates per vendor instructions.
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Action-Not Available
Vendor-Debian GNU/LinuxThe Drupal Association
Product-drupaldebian_linuxcoreCore
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2015-6659
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-11.84% / 93.47%
||
7 Day CHG~0.00%
Published-24 Aug, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment.

Action-Not Available
Vendor-n/aThe Drupal Association
Product-drupaln/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • Next
Details not found