Filtered by vendor Drupal
Subscriptions
Total
887 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2010-2158 | 2 Drupal, Speedtech | 2 Drupal, Storm | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) phone, or (3) im parameter in a stormperson action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||||
| CVE-2010-3686 | 2 Drupal, Peter Wolanin | 2 Drupal, Openid | 2025-04-11 | N/A |
| The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. | ||||
| CVE-2012-2731 | 2 Drupal, Richardo Ante | 2 Drupal, Ubercart Ajax Cart | 2025-04-11 | N/A |
| The Ubercart AJAX Cart 6.x-2.x before 6.x-2.1 for Drupal stores the PHP session id in the JavaScript settings array in page loads, which might allow remote attackers to obtain sensitive information by sniffing or reading the cache of the HTML of a webpage. | ||||
| CVE-2011-0771 | 2 Drupal, Janrain | 2 Drupal, Rpx | 2025-04-11 | N/A |
| The Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site. | ||||
| CVE-2012-3799 | 2 Blaine Lang, Drupal | 2 Maestro, Drupal | 2025-04-11 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) change workflows or (2) insert cross-site scripting (XSS) sequences. | ||||
| CVE-2012-0826 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors. | ||||
| CVE-2011-1662 | 2 Drupal, Icanlocalize | 2 Drupal, Translation Management | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2012-3802 | 2 Drupal, Peter Pokrivcak | 2 Drupal, Post Affiliate Pro | 2025-04-11 | N/A |
| Unspecified vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote authenticated users to read the commissions of other users via unknown attack vectors. | ||||
| CVE-2012-4470 | 2 Drupal, Philip Ludlam | 2 Drupal, Listhandler | 2025-04-11 | N/A |
| The Listhandler module 6.x-1.x before 6.x-1.1 for Drupal does not properly check permissions when importing emails, which allows remote comment authors to bypass access restrictions and possibly have other unspecified impact. | ||||
| CVE-2012-2728 | 2 Drupal, Ronan Dowling | 2 Drupal, Node Hierarchy | 2025-04-11 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Node Hierarchy module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to hijack the authentication of administrators for requests that change a node hierarchy position via an (1) up or (2) down action. | ||||
| CVE-2012-4471 | 2 Dominique Clause, Drupal | 2 Search Autocomplete, Drupal | 2025-04-11 | N/A |
| The Search Autocomplete module 7.x-2.x before 7.x-2.4 for Drupal does not properly restrict access to the module admin page, which allows remote attackers to disable an autocompletion or change the priority order via unspecified vectors. | ||||
| CVE-2013-6386 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. | ||||
| CVE-2012-4473 | 2 Christian Johansson, Drupal | 2 Restrict Node Page View, Drupal | 2025-04-11 | N/A |
| The Restrict node page view module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "view any node page" or "view any node {type} page" permission to access unpublished nodes via a direct request. | ||||
| CVE-2010-3022 | 1 Drupal | 1 Devel Module | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Performance logging module in the Devel module 5.x before 5.x-1.3 and 6.x before 6.x-1.21 for Drupal allows remote authenticated users, with add url aliases and report access permissions, to inject arbitrary web script or HTML via crafted node paths in a URL. | ||||
| CVE-2012-2719 | 2 Blaine Lang, Drupal | 2 Filedepot, Drupal | 2025-04-11 | N/A |
| The filedepot module 6.x-1.x before 6.x-1.3 for Drupal, when accessed using multiple different browsers from the same IP address, causes Internet Explorer sessions to "switch users" when uploading a file, which has unspecified impact possibly involving file uploads to the wrong user directory, aka "Session Management Vulnerability." | ||||
| CVE-2012-4475 | 2 Drupal, Security Questions Project | 2 Drupal, Security Questions | 2025-04-11 | N/A |
| The Security Questions module for Drupal 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.1 does not properly restrict access, which allows remote attackers to edit an arbitrary user's questions and answers via unspecified vectors. | ||||
| CVE-2012-4476 | 2 David Alkire, Drupal | 2 Drag \& Drop Gallery, Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2009-5096 | 2 Drupal, Khalid Baheyeldin | 2 Drupal, Flag Content | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Flag Content module 5.x-2.x before 5.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Reason parameter. | ||||
| CVE-2012-4484 | 2 Drupal, Trexart | 2 Drupal, Campaignmonitor | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the administrative interface in the Campaign Monitor module before 6.x-2.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site). | ||||
| CVE-2012-2718 | 2 Drupal, Drupal-id | 2 Drupal, Counter Module | 2025-04-11 | N/A |
| SQL injection vulnerability in the Counter module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "recording visits." | ||||