Filtered by vendor Drupal Subscriptions
Total 853 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2013-1946 2 Drupal, Restful Web Services Project 2 Drupal, Restful Web Services 2025-04-12 N/A
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache."
CVE-2014-2983 2 Debian, Drupal 2 Debian Linux, Drupal 2025-04-12 N/A
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.
CVE-2015-3234 2 Debian, Drupal 2 Debian Linux, Drupal 2025-04-12 N/A
The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers.
CVE-2015-3233 1 Drupal 1 Drupal 2025-04-12 N/A
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2013-4178 2 Drupal, Google Authenticator Login Project 2 Drupal, Ga Login 2025-04-12 N/A
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP).
CVE-2014-8078 1 Drupal 1 Print 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 6.x-1.x before 6.x-1.19, 7.x-1.x before 7.x-1.3, and 7.x-2.x before 7.x-2.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to nodes.
CVE-2014-3704 2 Debian, Drupal 2 Debian Linux, Drupal 2025-04-12 N/A
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
CVE-2014-7978 1 Drupal 1 Bluemasters 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in the BlueMasters theme 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings.
CVE-2012-4553 1 Drupal 1 Drupal 2025-04-11 N/A
Drupal 7.x before 7.16 allows remote attackers to obtain sensitive information and possibly re-install Drupal and execute arbitrary PHP code via an external database server, related to "transient conditions."
CVE-2013-5937 2 Click2sell, Drupal 2 Click2sell Suite Module, Drupal 2025-04-11 N/A
Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete database information via vectors involving the Drupal Form API.
CVE-2013-5315 2 Drupal, Ows 2 Drupal, Scald 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Resource Manager in the MEE submodule (mee.module) in the Scald module 6.x-1.x before 6.x-1.0-beta3 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the atom title, a different vector than CVE-2013-4174.
CVE-2012-4500 2 Drupal, Nancy Wichmann 2 Drupal, Announcements 2025-04-11 N/A
The Announcements module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the "access announcements" permission to bypass node access restrictions and possibly have other unspecified impact.
CVE-2012-4499 2 Drupal, Matthias Hutterer 2 Drupal, Email 2025-04-11 N/A
The contact formatter page in the Email Field module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to email the stored address in the entity via unspecified vectors.
CVE-2012-2710 2 Drupal, John Albin 2 Drupal, Zen 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Zen module 6.x-1.x before 6.x-1.1 for Drupal, when "Append the content title to the end of the breadcrumb" is enabled, allows remote attackers to inject arbitrary web script or HTML via the content title in a breadcrumb.
CVE-2010-1536 2 Drupal, Mearra 2 Drupal, Addthis 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the AddThis Button module 5.x before 5.x-2.2 and 6.x before 6.x-2.9 for Drupal allows remote authenticated users, with administer addthis privileges, to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-1781 2 Devsaran, Drupal 2 Professional Theme, Drupal 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Professional theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-4498 2 Drupal, Morbus Iff 2 Drupal, Activism 2025-04-11 N/A
The Activism module 6.x-2.x before 6.x-2.1 for Drupal does not properly restrict access to the "Campaign" content type, which might allow remote attackers to bypass access restrictions and possibly have other unspecified impact.
CVE-2013-1782 2 Devsaran, Drupal 2 Responsive Blog, Drupal 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Responsive Blog Theme 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.
CVE-2012-3799 2 Blaine Lang, Drupal 2 Maestro, Drupal 2025-04-11 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) change workflows or (2) insert cross-site scripting (XSS) sequences.
CVE-2012-4496 2 Drupal, Inclind 2 Drupal, Custom Pub 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Custom Publishing Options module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer nodes" permission to inject arbitrary web script or HTML via the status labels parameter.