Filtered by vendor Drupal
Subscriptions
Filtered by product Drupal
Subscriptions
Total
729 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2012-2307 | 2 Drupal, Plaatsoft | 2 Drupal, Addressbook | 2025-04-11 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | ||||
| CVE-2014-1607 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future | ||||
| CVE-2013-6388 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS. | ||||
| CVE-2012-1651 | 2 Drupal, Thinkleft | 2 Drupal, Submenu Tree | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Submenu Tree module before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2013-6387 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field. | ||||
| CVE-2013-6386 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. | ||||
| CVE-2012-1650 | 2 Drupal, Giantrobot | 2 Drupal, Zipcart | 2025-04-11 | N/A |
| The ZipCart module 6.x before 6.x-1.4 for Drupal checks the "access content" permission instead of the "access ZipCart downloads" permission when building archives, which allows remote authenticated users with access content permission to bypass intended access restrictions. | ||||
| CVE-2010-0752 | 2 Drupal, Earl Dunovant | 2 Drupal, Week | 2025-04-11 | N/A |
| The week_post_page function in the Weekly Archive by Node Type module 6.x before 6.x-2.7 for Drupal does not properly implement node access restrictions when constructing SQL queries, which allows remote attackers to read restricted node listings via unspecified vectors. | ||||
| CVE-2013-5965 | 2 Adcisolutions, Drupal | 2 Node View Permissions, Drupal | 2025-04-11 | N/A |
| The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the hook_query_alter function, which might allow remote attackers to obtain sensitive information by reading a node listing. | ||||
| CVE-2013-5964 | 2 Drupal, Joachim Noreiko | 2 Drupal, Flag Module | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag title. | ||||
| CVE-2012-1649 | 2 Danielb, Drupal | 2 Cool Aid, Drupal | 2025-04-11 | N/A |
| Cool Aid module before 6.x-1.9 for Drupal does not enforce access restrictions, which allows remote authenticated users with the administer coolaid permission to modify arbitrary pages via unspecified vectors. | ||||
| CVE-2013-4446 | 2 Drupal, Steven Jones | 2 Drupal, Context | 2025-04-11 | N/A |
| The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. | ||||
| CVE-2012-1648 | 2 Danielb, Drupal | 2 Cool Aid, Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Cool Aid module before 6.x-1.9 for Drupal allows remote authenticated users with the administer coolaid permission to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2010-0697 | 2 Drupal, Ilya Ivanchenko | 2 Drupal, Itweak Upload | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the iTweak Upload module 6.x-1.x before 6.x-1.2 and 6.x-2.x before 6.x-2.3 for Drupal allows remote authenticated users, with create content and upload file permissions, to inject arbitrary web script or HTML via the file name of an uploaded file. | ||||
| CVE-2010-1074 | 2 2bits, Drupal | 2 Currency, Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Currency Exchange module before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to watchdog logging. | ||||
| CVE-2013-4445 | 2 Drupal, Steven Jones | 2 Drupal, Context | 2025-04-11 | N/A |
| The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access. | ||||
| CVE-2013-4383 | 2 Dennis Bruecke, Drupal | 2 Jquery Countdown, Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2012-1644 | 2 Drupal, Gizra | 2 Drupal, Og Vocab | 2025-04-11 | N/A |
| The Organic Groups (OG) Vocabulary module 6.x-1.x before 6.x-1.2 for Drupal allows remote authenticated users with certain administrator permissions to modify the vocabularies of other groups via unspecified vectors. | ||||
| CVE-2013-4379 | 2 Drupal, Sebastien Corbin | 2 Drupal, Make Meeting Scheduler Module | 2025-04-11 | N/A |
| The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to bypass intended access restrictions for a poll via a direct request to the node's URL instead of the hashed URL. | ||||
| CVE-2012-1643 | 2 Drupal, Jason Savino | 2 Drupal, Fp | 2025-04-11 | N/A |
| The Faster Permissions module 7.x-2.x before 7.x-1.2 for Drupal does not check the "administer permissions" permission, which allows remote attackers to modify access permissions via unspecified vectors. | ||||