Filtered by vendor Drupal
Subscriptions
Total
862 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2012-4498 | 2 Drupal, Morbus Iff | 2 Drupal, Activism | 2025-04-11 | N/A |
| The Activism module 6.x-2.x before 6.x-2.1 for Drupal does not properly restrict access to the "Campaign" content type, which might allow remote attackers to bypass access restrictions and possibly have other unspecified impact. | ||||
| CVE-2013-1784 | 2 Devsaran, Drupal | 2 Clean Theme, Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Clean Theme before 7.x-1.3 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2012-3799 | 2 Blaine Lang, Drupal | 2 Maestro, Drupal | 2025-04-11 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) change workflows or (2) insert cross-site scripting (XSS) sequences. | ||||
| CVE-2013-1782 | 2 Devsaran, Drupal | 2 Responsive Blog, Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Responsive Blog Theme 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons. | ||||
| CVE-2013-1781 | 2 Devsaran, Drupal | 2 Professional Theme, Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Professional theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2012-4496 | 2 Drupal, Inclind | 2 Drupal, Custom Pub | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Custom Publishing Options module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer nodes" permission to inject arbitrary web script or HTML via the status labels parameter. | ||||
| CVE-2012-2710 | 2 Drupal, John Albin | 2 Drupal, Zen | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Zen module 6.x-1.x before 6.x-1.1 for Drupal, when "Append the content title to the end of the breadcrumb" is enabled, allows remote attackers to inject arbitrary web script or HTML via the content title in a breadcrumb. | ||||
| CVE-2012-2309 | 2 Drupal, Wearepropeople | 2 Drupal, Glossify Internal Links Auto Seo | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Glossify Internal Links Auto SEO module for Drupal 6.x-2.5 and earlier allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2012-4495 | 2 Drupal, Mime Mail Module Project | 2 Drupal, Mimemail | 2025-04-11 | N/A |
| The Mime Mail module 6.x-1.x before 6.x-1.1 for Drupal does not properly restrict access to files outside Drupal's publish files directory, which allows remote authenticated users to send arbitrary files as attachments. | ||||
| CVE-2012-5652 | 1 Drupal | 1 Drupal | 2025-04-11 | N/A |
| Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result. | ||||
| CVE-2012-3798 | 2 Bryce Hamrick, Drupal | 2 Janrain Capture, Drupal | 2025-04-11 | N/A |
| The Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when creating a local user account, allows attackers to obtain part of the initial input used to generate passwords, which makes it easier to conduct brute force password guessing attacks. | ||||
| CVE-2012-4494 | 2 Drupal, Niif | 2 Drupal, Shibb Auth | 2025-04-11 | N/A |
| The Shibboleth authentication module 7.x-4.0 for Drupal does not properly check the active status of users, which allows remote blocked users to access bypass intended access restrictions and possibly have other impacts by logging in. | ||||
| CVE-2010-4521 | 2 Drupal, Earl Miles | 2 Drupal, Views | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Views module 6.x before 6.x-2.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via a page path. | ||||
| CVE-2010-5276 | 2 Drupal, Memcache Project | 2 Drupal, Memcache | 2025-04-11 | N/A |
| The Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal does not properly handle the $user object in memcache_admin, which might "lead to a role change not being recognized until the user logs in again." | ||||
| CVE-2012-2296 | 2 Drupal, Janrain | 2 Drupal, Rpx | 2025-04-11 | N/A |
| The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x. 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a separate vulnerability. | ||||
| CVE-2010-3685 | 2 Drupal, Peter Wolanin | 2 Drupal, Openid | 2025-04-11 | N/A |
| The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. | ||||
| CVE-2012-2708 | 2 Antoine Beaupre, Drupal | 2 Hostmaster, Drupal | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the _hosting_task_log_table function in modules/hosting/task/hosting_task.module in the Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a Drush log message in a provision task log. | ||||
| CVE-2012-4492 | 2 Drupal, Isaac Sukin | 2 Drupal, Shorten | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URLs module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors to the (1) report or (2) Custom Services List page. | ||||
| CVE-2012-2304 | 2 Drupal, Emil Stjerneman | 2 Drupal, Linkit | 2025-04-11 | N/A |
| The Linkit module 7.x-2.x before 7.x-2.3 for Drupal, when using an entity access module, does not check permissions when searching for entities, which allows remote attackers to obtain sensitive information via unspecified vectors. | ||||
| CVE-2010-3686 | 2 Drupal, Peter Wolanin | 2 Drupal, Openid | 2025-04-11 | N/A |
| The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. | ||||