Filtered by vendor Drupal
Subscriptions
Total
862 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2013-1905 | 2 Catalin Florian Radut, Drupal | 2 Zeropoint, Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Zero Point theme 7.x-1.x before 7.x-1.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2010-3685 | 2 Drupal, Peter Wolanin | 2 Drupal, Openid | 2025-04-11 | N/A |
| The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. | ||||
| CVE-2012-1631 | 2 Databasepublish, Drupal | 2 Admin\, Drupal | 2025-04-11 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Admin:hover module for Drupal allows remote attackers to hijack the authentication of administrators for requests that unpublish all nodes, and possibly other actions, via unspecified vectors. | ||||
| CVE-2012-3802 | 2 Drupal, Peter Pokrivcak | 2 Drupal, Post Affiliate Pro | 2025-04-11 | N/A |
| Unspecified vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote authenticated users to read the commissions of other users via unknown attack vectors. | ||||
| CVE-2012-5586 | 2 Drupal, Marc Ingram | 2 Drupal, Services | 2025-04-11 | N/A |
| The Services module 6.x-3.x before 6.x-3.3 and 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "access user profiles" permission to access arbitrary users' emails via vectors related to the "user index method" and "the path to the user resource." | ||||
| CVE-2010-2353 | 2 Drupal, Yves Chedemois | 2 Drupal, Cck | 2025-04-11 | N/A |
| The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes. | ||||
| CVE-2012-5704 | 2 Drupal, Justin Dodge | 2 Drupal, Hotblocks | 2025-04-11 | N/A |
| The Hotblocks module 6.x-1.x before 6.x-1.8 for Drupal allows remote authenticated users with the "administer hotblocks" permission to cause a denial of service (infinite loop and time out) via a block that references itself. | ||||
| CVE-2012-5588 | 2 Drupal, Epiqo | 2 Drupal, Email | 2025-04-11 | N/A |
| The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a field permission module and the field contact field formatter is set to the full or teaser display mode, does not properly check permissions, which allows remote attackers to email the stored address via unspecified vectors. | ||||
| CVE-2012-4468 | 2 Drupal, Privatemsg Project | 2 Drupal, Privatemsg | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Privatemsg module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a user name in a private message. | ||||
| CVE-2012-4472 | 2 David Alkire, Drupal | 2 Drag \& Drop Gallery, Drupal | 2025-04-11 | N/A |
| Unrestricted file upload vulnerability in upload.php in the Drag & Drop Gallery module 6.x-1.5 and earlier for Drupal allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the directory specified by the filedir parameter. | ||||
| CVE-2012-1626 | 2 Drupal, Karen Stevenson | 2 Drupal, Date | 2025-04-11 | N/A |
| SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer Date Tools" privilege to execute arbitrary SQL commands via unspecified vectors. | ||||
| CVE-2012-5537 | 2 Drupal, Simplenews Scheduler Project | 2 Drupal, Simplenews Scheduler | 2025-04-11 | N/A |
| The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron. | ||||
| CVE-2013-1908 | 3 Acquia, Commons Wikis Project, Drupal | 3 Commons, Commons Wikis, Drupal | 2025-04-11 | N/A |
| The Commons Wikis module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors. | ||||
| CVE-2012-4485 | 2 Drupal, Manuel Garcia | 2 Drupal, Galleryformatter | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the galleryformatter_field_formatter_view functiuon in galleryformatter.tpl.php the Gallery formatter module before 7.x-1.2 for Drupal allow remote authenticated users with permissions to create a node or entity to inject arbitrary web script or HTML via the (1) title or (2) alt parameter. | ||||
| CVE-2012-1625 | 2 Drupal, Wizonesolutions | 2 Drupal, Fillpdf | 2025-04-11 | N/A |
| Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via unspecified vectors. NOTE: Some of these details are obtained from third party information. | ||||
| CVE-2012-1624 | 2 Drupal, Lingotek | 2 Drupal, Lingotek | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Lingotek module 6.x-1.x before 6.x-1.40 for Drupal allow remote authenticated users to inject arbitrary web script or HTML when (1) creating or (2) editing page content. | ||||
| CVE-2012-4491 | 2 Drupal, Earl Dunovant | 2 Drupal, Monthly Archive By Node Type | 2025-04-11 | N/A |
| The Monthly Archive by Node Type module 6.x for Drupal does not properly check permissions defined by node_access modules, which allows remote attackers to access restricted nodes via unspecified vectors. | ||||
| CVE-2012-4492 | 2 Drupal, Isaac Sukin | 2 Drupal, Shorten | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URLs module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors to the (1) report or (2) Custom Services List page. | ||||
| CVE-2013-1786 | 2 Devsaran, Drupal | 2 Company, Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Company theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2012-1627 | 2 Drupal, Marvil07 | 2 Drupal, Vote Up Down | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in vud_term.module in the Vote Up/Down module 6.x-2.x before 6.x-2.8 and 6.x-3.x before 6.x-3.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via taxonomy terms. | ||||