Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Filtered by product Drupal
Total 721 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2013-0258 2 Drupal, Google Authenticator Login Project 2 Drupal, Ga Login 2025-04-11 6.8 MEDIUM N/A
The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 for Drupal, when multi-factor authentication is enabled, allows remote attackers to bypass authentication for accounts without an associated Google Authenticator token by logging in with the username.
CVE-2013-5964 2 Drupal, Joachim Noreiko 2 Drupal, Flag Module 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag title.
CVE-2012-5590 2 Drupal, Scripthead 2 Drupal, Webmail Plus 2025-04-11 7.5 HIGH N/A
SQL injection vulnerability in the Webmail Plus module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2013-0206 2 Drupal, Guy Bedford 2 Drupal, Live Css 2025-04-11 6.0 MEDIUM N/A
Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the "administer CSS" permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
CVE-2013-2123 2 Drupal, Node Access User Reference Project 2 Drupal, Nodeaccess Userreference Module 2025-04-11 5.8 MEDIUM N/A
The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to content containing a user reference field when the author update/delete grants are enabled and the author's user account is deleted, which allows remote attackers to modify the content via unspecified vectors.
CVE-2012-5652 1 Drupal 1 Drupal 2025-04-11 5.0 MEDIUM N/A
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.
CVE-2013-2122 2 Drupal, Quade 2 Drupal, Edit Limit 2025-04-11 5.0 MEDIUM N/A
The Edit Limit module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to comments, which allows remote authenticated users with the "edit comments" permission to edit arbitrary comments of other users via unspecified vectors.
CVE-2012-2084 2 Drupal, Joao Ventura 2 Drupal, Print 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Printer, email and PDF versions module 6.x-1.x before 6.x-1.15 and 7.x-1.x before 7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably the PATH_INFO.
CVE-2012-6583 2 Drupal, Imagemenu Project 2 Drupal, Imagemenu 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Imagemenu module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer imagemenu" permission to inject arbitrary web script or HTML via an image file name.
CVE-2012-2068 2 Drupal, Tiger-fish 2 Drupal, Fancy Slide 2025-04-11 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in fancy_slide.module in the Fancy Slide module before 6.x-2.7 for Drupal allow remote authenticated users with the administer fancy_slide permission to inject arbitrary web script or HTML via the (1) node_title or (2) nodequeue_title parameter.
CVE-2012-2716 2 David Stosik, Drupal 2 Comment Moderation, Drupal 2025-04-11 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Comment Moderation module 6.x-1.x before 6.x-1.1 for Drupal allows remote attackers to hijack the authentication of administrators for requests that publish comments.
CVE-2009-4773 2 Drupal, Ubercart 2 Drupal, Ubercart 2025-04-11 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the order-management functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2012-2703 2 Drupal, John Franklin 2 Drupal, Advertisement 2025-04-11 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in the Advertisement module 6.x-2.x before 6.x-2.3 for Drupal, when debug mode is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to the "$conf variable in settings.php."
CVE-2012-1652 3 Drupal, Wim Leers, Wimleers 3 Drupal, Hierarchical Select, Hierarchical Select 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 6.x-3.x before 6.x-3.8 for Drupal allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via unspecified vectors related to "the vocabulary's help text."
CVE-2012-4479 2 David Alkire, Drupal 2 Drag \& Drop Gallery, Drupal 2025-04-11 7.5 HIGH N/A
SQL injection vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2013-1907 2 Acquia, Drupal 3 Commons, Commons Group, Drupal 2025-04-11 5.0 MEDIUM N/A
The Commons Group module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors.
CVE-2010-2724 2 Drupal, Wimleers 2 Drupal, Hierarchical Select 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 5.x before 5.x-3.2 and 6.x before 6.x-3.2 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via unspecified vectors in the hierarchical_select form.
CVE-2012-1660 2 Drupal, Nathan Haug 2 Drupal, Webform 2025-04-11 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in components/select.inc in the Webform module 6.x-3.x before 6.x-3.17 and 7.x-3.x before 7.x-3.17 for Drupal, when the "Select (or other)" module is enabled, allow remote authenticated users with the create webform content permission to inject arbitrary web script or HTML via vectors related to (1) checkboxes or (2) radios.
CVE-2013-2036 2 Drupal, Yoran Brault 2 Drupal, Filebrowser 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Filebrowser module 6.x-2.x before 6.x-2.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "lists of files."
CVE-2007-6752 1 Drupal 1 Drupal 2025-04-11 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off.