Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Total 851 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2009-3568 3 Dave Reid, Drupal, Gabor Hojtsy 3 Commentrss, Drupal, Commentrss 2025-04-09 5.0 MEDIUM N/A
Comment RSS 5.x before 5.x-2.2 and 6.x before 6.x-2.2, a module for Drupal, does not properly enforce permissions when a link is added to the RSS feed, which allows remote attackers to obtain the node title and possibly other sensitive content by reading the feed.
CVE-2009-4429 2 Alexander Hass, Drupal 2 Sections Module, Drupal 2025-04-09 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Sections module 5.x before 5.x-1.3 and 6.x before 6.x-1.3 for Drupal allows remote authenticated users with "administer sections" privileges to inject arbitrary web script or HTML via a section name (aka the Name field).
CVE-2009-3488 2 Drupal, Ron Jerome 2 Drupal, Bibliography 2025-04-09 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Bibliography (aka Biblio) module 6.x-1.6 for Drupal allows remote authenticated users, with certain content-creation privileges, to inject arbitrary web script or HTML via the Title field, probably a different vulnerability than CVE-2009-3479.
CVE-2009-3656 2 Drupal, Tim Nelson 2 Drupal, Shared Sign-on 2025-04-09 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in Shared Sign-On 5.x and 6.x, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users via unknown vectors.
CVE-2008-4710 1 Drupal 2 Drupal, Stock Module 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the stock quotes page in Stock 6.x before 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-4520 2 Drupal, Kristof De Jaeger 2 Drupal, Commentreference 2025-04-09 5.0 MEDIUM N/A
The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to bypass intended access restrictions and read comments by using the autocomplete path.
CVE-2006-7109 1 Drupal 1 Imce Module 2025-04-09 6.5 MEDIUM N/A
Unrestricted file upload vulnerability in IMCE before 1.6, a Drupal module, allows remote authenticated users to upload arbitrary PHP code via a filename with a double extension such as .php.gif.
CVE-2009-4042 2 Drupal, Marek Sotak 2 Drupal, Rootcandy 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the RootCandy theme 6.x before 6.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via the URI.
CVE-2009-4532 2 Drupal, Nathan Haug 2 Drupal, Webform 2025-04-09 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, allows remote authenticated users, with webform creation privileges, to inject arbitrary web script or HTML via a field label.
CVE-2009-4044 2 Bruno Massa, Drupal 2 Web Services, Drupal 2025-04-09 7.5 HIGH N/A
The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors.
CVE-2008-6384 1 Drupal 1 Comment Mail 2025-04-09 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in Comment Mail 5.x before 5.x-1.1, a module for Drupal, allow remote attackers to hijack the authentication of administrators.
CVE-2008-6171 1 Drupal 1 Drupal 2025-04-09 9.3 HIGH N/A
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header.
CVE-2009-3920 2 Drupal, Sean Robertson 2 Drupal, Crmngp 2025-04-09 5.0 MEDIUM N/A
An administration page in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal does not perform the expected access control, which allows remote attackers to read log information via unspecified vectors.
CVE-2008-3740 1 Drupal 1 Drupal 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-3780 2 Ashok Modi, Drupal 2 Abuse, Drupal 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Abuse 5.x before 5.x-2.1 and 6.x before 6.x-1.1-alpha1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-1035 2 Drupal, Jake Gordon 2 Drupal, Tasks 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Tasklist module 5.x-1.x before 5.x-1.3 and 5.x-2.x before 5.x-2.0-alpha1, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via Cascading Style Sheets (CSS).
CVE-2009-3479 2 Drupal, Ron Jerome 2 Drupal, Bibliography 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x before 5.x-1.17 and 6.x before 6.x-1.6, a module for Drupal, allows remote attackers, with "create content displayed by the Bibliography module" permissions, to inject arbitrary web script or HTML via a title.
CVE-2007-5593 2 Drupal, Fedoraproject 2 Drupal, Fedora 2025-04-09 6.8 MEDIUM N/A
install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified.
CVE-2008-6413 2 Drupal, Ticklespace 2 Drupal, Answers Module 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Answers module 5.x-1.x-dev and possibly other 5.x versions, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a Simple Answer to a question.
CVE-2009-3919 2 Drupal, Sean Robertson 2 Drupal, Crmngp 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified "user-supplied information."