Filtered by vendor Drupal
Subscribe
Total
842 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-3091 | 2 Drupal, Peter Wolanin | 2 Drupal, Openid | 2025-04-11 | 5.0 MEDIUM | N/A |
| The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. | |||||
| CVE-2010-3423 | 2 Drupal, Freka | 2 Drupal, Yr Verdata | 2025-04-11 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method. | |||||
| CVE-2012-4496 | 2 Drupal, Inclind | 2 Drupal, Custom Pub | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Custom Publishing Options module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer nodes" permission to inject arbitrary web script or HTML via the status labels parameter. | |||||
| CVE-2011-1066 | 2 Drupal, Reyero | 2 Drupal, Messaging | 2025-04-11 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-7067 | 2 Drupal, Mike Stefanello | 2 Drupal, Og Features | 2025-04-11 | 5.8 MEDIUM | N/A |
| The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not properly override pages that have an access callback set to false, which allows remote attackers to bypass intended access restrictions via a request. | |||||
| CVE-2013-5937 | 2 Click2sell, Drupal | 2 Click2sell Suite Module, Drupal | 2025-04-11 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete database information via vectors involving the Drupal Form API. | |||||
| CVE-2012-1651 | 2 Drupal, Thinkleft | 2 Drupal, Submenu Tree | 2025-04-11 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Submenu Tree module before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2012-5007 | 2 Drupal, Wizonesolutions | 2 Drupal, Fillpdf | 2025-04-11 | 5.0 MEDIUM | N/A |
| The Fill PDF module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to write to arbitrary PDF files via unspecified vectors related to the fillpdf_merge_pdf function and incorrect arguments, a different vulnerability than CVE-2012-1625. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2012-2061 | 2 Drupal, Nijskens Raf | 2 Drupal, Admintools | 2025-04-11 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Admin tools module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors involving "not checking tokens." | |||||
| CVE-2013-0257 | 2 David Alkire, Drupal | 2 Email2image, Drupal | 2025-04-11 | 5.0 MEDIUM | N/A |
| The email2image module 6.x-1.x and 6.x-2.x for Drupal does not properly restrict access to nodes, which allows remote attackers to read images of user email addresses and email fields. | |||||
| CVE-2012-1634 | 2 Drupal, Hans Nilsson | 2 Drupal, Video Filter | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in video_filter.codecs.inc in the Video Filter module 6.x-2.x and 7.x-2.x for Drupal allows remote attackers to inject arbitrary web script or HTML via the EMBEDLOOKUP parameter for Blip.tv links. | |||||
| CVE-2012-2097 | 2 Drupal, Larry Garfield | 2 Drupal, Autosave | 2025-04-11 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Autosave module 6.x before 6.x-2.10 and 7.x-2.x before 7.x-2.0 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests involving "submitting saved results to a node." | |||||
| CVE-2012-1656 | 2 Drupal, Wesjones | 2 Drupal, Multisite Search | 2025-04-11 | 6.8 MEDIUM | N/A |
| SQL injection vulnerability in the Multisite Search module 6.x-2.2 for Drupal allows remote authenticated users with certain permissions to execute arbitrary SQL commands via the Site table prefix field. | |||||
| CVE-2012-4477 | 2 David Alkire, Drupal | 2 Drag \& Drop Gallery, Drupal | 2025-04-11 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to bypass access restrictions via unknown attack vectors. | |||||
| CVE-2012-4489 | 2 Drupal, Mark Burdett | 2 Drupal, Securelogin | 2025-04-11 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in the securelogin_secure_redirect function in the Secure Login module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter. | |||||
| CVE-2013-0258 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2025-04-11 | 6.8 MEDIUM | N/A |
| The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 for Drupal, when multi-factor authentication is enabled, allows remote attackers to bypass authentication for accounts without an associated Google Authenticator token by logging in with the username. | |||||
| CVE-2013-5964 | 2 Drupal, Joachim Noreiko | 2 Drupal, Flag Module | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag title. | |||||
| CVE-2012-5590 | 2 Drupal, Scripthead | 2 Drupal, Webmail Plus | 2025-04-11 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Webmail Plus module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2013-0206 | 2 Drupal, Guy Bedford | 2 Drupal, Live Css | 2025-04-11 | 6.0 MEDIUM | N/A |
| Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the "administer CSS" permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | |||||
| CVE-2013-2123 | 2 Drupal, Node Access User Reference Project | 2 Drupal, Nodeaccess Userreference Module | 2025-04-11 | 5.8 MEDIUM | N/A |
| The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to content containing a user reference field when the author update/delete grants are enabled and the author's user account is deleted, which allows remote attackers to modify the content via unspecified vectors. | |||||