Filtered by vendor Drupal
Subscriptions
Filtered by product Drupal
Subscriptions
Total
711 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-7570 | 1 Drupal | 1 Drupal | 2025-04-12 | N/A |
| Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes. | ||||
| CVE-2015-2559 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | N/A |
| Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL. | ||||
| CVE-2013-1946 | 2 Drupal, Restful Web Services Project | 2 Drupal, Restful Web Services | 2025-04-12 | N/A |
| The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache." | ||||
| CVE-2013-4177 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2025-04-12 | N/A |
| The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors. | ||||
| CVE-2013-4380 | 2 Drupal, Mediafront | 2 Drupal, Mediafront | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer mediafront" permission to inject arbitrary web script or HTML via the preset settings. | ||||
| CVE-2013-4498 | 2 Drupal, Florian Weber | 2 Drupal, Spaces | 2025-04-12 | N/A |
| The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 for Drupal does not properly delete organic group group spaces content when using the option to move to a new group, which causes the content to be "orphaned" and allows remote authenticated users with the "access content" permission to obtain sensitive information via vectors involving a rebuild access for the site or content. | ||||
| CVE-2013-7302 | 2 Drupal, Ubercart | 2 Drupal, Ubercart | 2025-04-12 | N/A |
| Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID. | ||||
| CVE-2014-2983 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | N/A |
| Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. | ||||
| CVE-2014-5019 | 1 Drupal | 1 Drupal | 2025-04-12 | N/A |
| The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use. | ||||
| CVE-2012-1060 | 2 Drupal, Rik De Boer | 2 Drupal, Revisioning | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in revisioning_theme.inc in the Taxonomy module in the Revisioning module 6.x-3.13 and other versions before 6.x-3.14 for Drupal allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) tags or (2) term parameters. | ||||
| CVE-2012-1057 | 2 Drupal, Sean Robertson | 2 Drupal, Forward | 2025-04-11 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the clickthrough tracking functionality in the Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that increase node rankings via the tracking code, possibly related to improper "flood control." | ||||
| CVE-2012-1588 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| Algorithmic complexity vulnerability in the _filter_url function in the text filtering system (modules/filter/filter.module) in Drupal 7.x before 7.14 allows remote authenticated users with certain roles to cause a denial of service (CPU consumption) via a long email address. | ||||
| CVE-2012-0914 | 2 Drupal, Earl Miles | 2 Drupal, Panels | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in display_renderers/panels_renderer_editor.class.php in the admin view in the Panels module 6.x-2.x before 6.x-3.10 and 7.x-3.x before 7.x-3.0 for Drupal allows remote authenticated users with certain privileges to inject arbitrary web script or HTML via the Region title. | ||||
| CVE-2012-0826 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors. | ||||
| CVE-2012-1056 | 2 Drupal, Sean Robertson | 2 Drupal, Forward | 2025-04-11 | N/A |
| The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal does not properly enforce permissions for (1) Recent forwards, (2) Most forwarded, or (3) Dynamic blocks, which allows remote attackers to obtain node titles via unspecified vectors. | ||||
| CVE-2012-1589 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL. | ||||
| CVE-2011-5189 | 2 Drupal, Svendecabooter | 2 Drupal, Webform Validation | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Webform Validation module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with permissions to "update Webform nodes" to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2011-5188 | 2 Drupal, Tag1consulting | 2 Drupal, Support Timer | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Support Timer module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "track time spent" permission to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2012-0827 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| The File module in Drupal 7.x before 7.11, when using unspecified field access modules, allows remote authenticated users to read arbitrary private files that are associated with restricted fields via unspecified vectors. | ||||
| CVE-2011-5030 | 2 Drupal, Valthbald | 2 Drupal, Meta Tags Quick | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Meta tags quick module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, probably related to "names of entity bundles." | ||||