Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Filtered by product Drupal
Total 721 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2012-2310 2 Drupal, Oleg Kovalchuk 2 Drupal, Cctags 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the cctags module for Drupal 6.x-1.x before 6.x-1.10 and 7.x-1.x before 7.x-1.10 allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-3800 2 Drupal, Moshe Weitzman 2 Drupal, Organic Groups 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in og.js in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal, when used with the Vertical Tabs module, allows remote authenticated users to inject arbitrary web script or HTML via vectors related the group title.
CVE-2011-5188 2 Drupal, Tag1consulting 2 Drupal, Support Timer 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Support Timer module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "track time spent" permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-2710 2 Drupal, John Albin 2 Drupal, Zen 2025-04-11 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in the Zen module 6.x-1.x before 6.x-1.1 for Drupal, when "Append the content title to the end of the breadcrumb" is enabled, allows remote attackers to inject arbitrary web script or HTML via the content title in a breadcrumb.
CVE-2013-4379 2 Drupal, Sebastien Corbin 2 Drupal, Make Meeting Scheduler Module 2025-04-11 6.4 MEDIUM N/A
The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to bypass intended access restrictions for a poll via a direct request to the node's URL instead of the hashed URL.
CVE-2010-3091 2 Drupal, Peter Wolanin 2 Drupal, Openid 2025-04-11 5.0 MEDIUM N/A
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
CVE-2010-3423 2 Drupal, Freka 2 Drupal, Yr Verdata 2025-04-11 7.5 HIGH N/A
SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method.
CVE-2012-4496 2 Drupal, Inclind 2 Drupal, Custom Pub 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Custom Publishing Options module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer nodes" permission to inject arbitrary web script or HTML via the status labels parameter.
CVE-2011-1066 2 Drupal, Reyero 2 Drupal, Messaging 2025-04-11 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-7067 2 Drupal, Mike Stefanello 2 Drupal, Og Features 2025-04-11 5.8 MEDIUM N/A
The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not properly override pages that have an access callback set to false, which allows remote attackers to bypass intended access restrictions via a request.
CVE-2013-5937 2 Click2sell, Drupal 2 Click2sell Suite Module, Drupal 2025-04-11 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete database information via vectors involving the Drupal Form API.
CVE-2012-1651 2 Drupal, Thinkleft 2 Drupal, Submenu Tree 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Submenu Tree module before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-5007 2 Drupal, Wizonesolutions 2 Drupal, Fillpdf 2025-04-11 5.0 MEDIUM N/A
The Fill PDF module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to write to arbitrary PDF files via unspecified vectors related to the fillpdf_merge_pdf function and incorrect arguments, a different vulnerability than CVE-2012-1625. NOTE: some of these details are obtained from third party information.
CVE-2012-2061 2 Drupal, Nijskens Raf 2 Drupal, Admintools 2025-04-11 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Admin tools module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors involving "not checking tokens."
CVE-2013-0257 2 David Alkire, Drupal 2 Email2image, Drupal 2025-04-11 5.0 MEDIUM N/A
The email2image module 6.x-1.x and 6.x-2.x for Drupal does not properly restrict access to nodes, which allows remote attackers to read images of user email addresses and email fields.
CVE-2012-1634 2 Drupal, Hans Nilsson 2 Drupal, Video Filter 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in video_filter.codecs.inc in the Video Filter module 6.x-2.x and 7.x-2.x for Drupal allows remote attackers to inject arbitrary web script or HTML via the EMBEDLOOKUP parameter for Blip.tv links.
CVE-2012-2097 2 Drupal, Larry Garfield 2 Drupal, Autosave 2025-04-11 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Autosave module 6.x before 6.x-2.10 and 7.x-2.x before 7.x-2.0 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests involving "submitting saved results to a node."
CVE-2012-1656 2 Drupal, Wesjones 2 Drupal, Multisite Search 2025-04-11 6.8 MEDIUM N/A
SQL injection vulnerability in the Multisite Search module 6.x-2.2 for Drupal allows remote authenticated users with certain permissions to execute arbitrary SQL commands via the Site table prefix field.
CVE-2012-4477 2 David Alkire, Drupal 2 Drag \& Drop Gallery, Drupal 2025-04-11 5.0 MEDIUM N/A
Unspecified vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to bypass access restrictions via unknown attack vectors.
CVE-2012-4489 2 Drupal, Mark Burdett 2 Drupal, Securelogin 2025-04-11 5.8 MEDIUM N/A
Open redirect vulnerability in the securelogin_secure_redirect function in the Secure Login module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter.