ID CVSS
Summary
Last (major) update Published
CVE-2010-1074 4.3
Cross-site scripting (XSS) vulnerability in the Currency Exchange module before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to watchdog logging.
17-08-2017 - 01:32 23-03-2010 - 18:30
CVE-2009-3782 3.5
Unspecified vulnerability in Userpoints 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users with "View own userpoints" permissions to read the userpoint data of arbitrary users via unknown attack vectors.
17-08-2017 - 01:31 26-10-2009 - 17:30
CVE-2009-3654 6.4
Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal, allows remote attackers to create new webroot directories via unknown attack vectors.
17-08-2017 - 01:31 09-10-2009 - 14:30
CVE-2008-1731 7.5
The Simple Access module for Drupal 5.x through 5.x-1.2-2 does not properly handle the privacy information for nodes, which might allow remote attackers to bypass intended access restrictions, and read or modify nodes, in opportunistic circumstances
08-08-2017 - 01:30 11-04-2008 - 19:05
CVE-2012-1628 3.5
Cross-site scripting (XSS) vulnerability in the SuperCron module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 20-09-2012 - 03:46
CVE-2013-1907 5.0
The Commons Group module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors.
29-08-2017 - 01:33 16-07-2013 - 18:55
CVE-2013-1908 5.0
The Commons Wikis module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors.
17-07-2013 - 04:00 16-07-2013 - 18:55
CVE-2012-4483 5.0
The commons_discussion_views_default_views function in modules/features/commons_discussion/commons_discussion.views_default.inc in the Drupal Commons module 6.x-2.x before 6.x-2.8 for Drupal does not properly enforce intended node access restrictions
13-11-2012 - 05:00 31-10-2012 - 16:55
CVE-2009-3778 7.5
SQL injection vulnerability in Moodle Course List 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
17-08-2017 - 01:31 26-10-2009 - 17:30
CVE-2012-2720 5.0
The Token Authentication (tokenauth) module 6.x-1.x before 6.x-1.7 for Drupal does not properly revert user sessions, which might allow remote attackers to perform requests with extra privileges.
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2729 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the SimpleMeta module 6.x-1.x before 6.x-2.0 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) delete or (2) add a meta tag entry.
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2013-5965 5.0
The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the hook_query_alter function, which might allow remote attackers to obtain sensitive information by reading a node listing.
05-05-2014 - 05:28 30-09-2013 - 21:55
CVE-2010-2002 2.1
Cross-site scripting (XSS) vulnerability in the Wordfilter module 5.x before 5.x-1.1 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with "administer words filtered" privileges, to inject arbitrary web script or HTML via the word
21-05-2010 - 04:00 20-05-2010 - 17:30
CVE-2012-1623 5.0
The Registration Codes module before 6.x-2.4 for Drupal does not restrict access to the registration code list, which might allow remote attackers to bypass intended registration restrictions.
08-10-2012 - 04:00 06-10-2012 - 21:55
CVE-2010-2030 4.3
Cross-site scripting (XSS) vulnerability in the External Link Page module 5.x before 5.x-1.0 and 6.x before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to the administration and redirect pages
17-08-2017 - 01:32 24-05-2010 - 19:30
CVE-2012-2726 2.1
Cross-site scripting (XSS) vulnerability in the Protest module 6.x-1.x before 6.x-1.2 or 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer protest" permission to inject arbitrary web script or HTML via the prote
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-6573 4.3
Cross-site scripting (XSS) vulnerability in the Apache Solr Autocomplete module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving autocomplete results.
29-08-2017 - 01:32 25-06-2013 - 18:55
CVE-2012-1654 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Data module 6.x-1.x before 6.x-1.0 and 7.x-1.x before 7.x-1.0-alpha3 for Drupal allow remote authenticated users with the administer data tables permission to inject arbitrary web script or H
20-12-2012 - 05:00 18-09-2012 - 20:55
CVE-2009-4119 4.3
Cross-site scripting (XSS) vulnerability in Feed Element Mapper module 5.x before 5.x-1.3, 6.x before 6.x-1.3, and 6.x-2.0-alpha before 6.x-2.0-alpha4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
17-08-2017 - 01:31 01-12-2009 - 00:30
CVE-2009-4429 3.5
Cross-site scripting (XSS) vulnerability in the Sections module 5.x before 5.x-1.3 and 6.x before 6.x-1.3 for Drupal allows remote authenticated users with "administer sections" privileges to inject arbitrary web script or HTML via a section name (ak
17-08-2017 - 01:31 28-12-2009 - 19:00
CVE-2013-1972 4.3
Cross-site request forgery (CSRF) vulnerability in the elFinder file manager module 6.x-0.x before 6.x-0.8 and 7.x-0.x before 7.x-0.8 for Drupal allows remote attackers to hijack the authentication of unspecified victims to create, modify, or delete
29-08-2017 - 01:33 24-06-2013 - 16:55
CVE-2012-2730 7.5
The Protected Node module 6.x-1.x before 6.x-1.6 for Drupal does not properly "protect node access when nodes are accessed outside of the standard node view," which allows remote attackers to bypass intended access restrictions.
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2013-4138 2.1
Cross-site scripting (XSS) vulnerability in the Hatch theme 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with the "Administer content," "Create new article," or "Edit any article type content" permission to inject arbitrary web
19-09-2013 - 01:10 28-08-2013 - 22:55
CVE-2012-1640 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Managesite module 6.x-1.x before 6.1-1.1 for Drupal allow remote authenticated users with "administer managesite" permissions to inject arbitrary web script or HTML via the title parameter wh
29-08-2017 - 01:31 19-09-2012 - 21:55
CVE-2012-2070 2.1
Cross-site scripting (XSS) vulnerability in the MultiBlock module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer blocks permission to inject arbitrary web script or HTML via the bloc
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2009-3354 10.0
Multiple unspecified vulnerabilities in the Rest API module for Drupal have unknown impact and attack vectors.
24-09-2009 - 16:30 24-09-2009 - 16:30
CVE-2009-2075 7.5
Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drupal, does not properly restrict access when displaying node titles, which has unknown impact and attack vectors.
19-06-2009 - 04:00 16-06-2009 - 19:30
CVE-2009-2077 4.0
Drupal 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to bypass access restrictions and (1) read unpublished content from anonymous users when a view is already configured to display the content, and (2) read private conte
19-06-2009 - 04:00 16-06-2009 - 19:30
CVE-2009-4062 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Printfriendly module 6.x before 6.x-1.6 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
17-08-2017 - 01:31 24-11-2009 - 02:30
CVE-2014-1611 4.3
Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field.
29-08-2017 - 01:34 30-01-2014 - 18:55
CVE-2012-2707 5.8
The Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal does not properly exit when users do not have access to package/task nodes, which allows remote attackers to bypass intended access restrictions and edit unauthorized nodes.
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2708 2.1
Cross-site scripting (XSS) vulnerability in the _hosting_task_log_table function in modules/hosting/task/hosting_task.module in the Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal allows remote authenticated users with certain permissions
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-6576 4.3
Cross-site scripting (XSS) vulnerability in the PRH Search module 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers from certain sources to inject arbitrary web script or HTML via unspecified vectors.
11-10-2013 - 18:11 27-06-2013 - 20:55
CVE-2009-3648 3.5
Cross-site scripting (XSS) vulnerability in Service Links 6.x-1.0, a module for Drupal, allows remote authenticated users, with 'administer content types' permissions, to inject arbitrary web script or HTML via unspecified vectors when displaying con
17-08-2017 - 01:31 09-10-2009 - 14:30
CVE-2009-3442 5.0
The Meta tags (aka Nodewords) module before 6.x-1.1 for Drupal does not properly follow permissions during assignment of node meta tags, which allows remote attackers to obtain sensitive information via unspecified vectors.
17-08-2017 - 01:31 28-09-2009 - 22:30
CVE-2012-1659 2.1
Cross-site scripting (XSS) vulnerability in the Node Recommendation module 6.x-1.x before 6.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 18-09-2012 - 20:55
CVE-2009-3780 4.3
Cross-site scripting (XSS) vulnerability in Abuse 5.x before 5.x-2.1 and 6.x before 6.x-1.1-alpha1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
17-08-2017 - 01:31 26-10-2009 - 17:30
CVE-2009-4514 3.5
Cross-site scripting (XSS) vulnerability in the OpenSocial Shindig-Integrator module 5.x and 6.x before 6.x-2.1, a module for Drupal, allows remote authenticated users, with "create application" privileges, to inject arbitrary web script or HTML via
11-01-2010 - 05:00 31-12-2009 - 19:30
CVE-2012-2725 3.5
classes/Filter/WhitelistedExternalFilter.php in the Authoring HTML module 6.x-1.x before 6.x-1.1 for Drupal does not properly validate sources with the host white list, which allows remote authenticated users to bypass intended access restrictions an
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2019-11358 4.3
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the n
12-06-2019 - 17:29 20-04-2019 - 00:29
CVE-2013-0318 10.0
The admin page in the Banckle Chat module for Drupal does not properly restrict access, which allows remote attackers to bypass intended restrictions via unspecified vectors.
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-0182 5.0
The Payment module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to payments, which allows remote attackers to read arbitrary payments.
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2010-1362 2.1
Cross-site scripting (XSS) vulnerability in the Own Term module 6.x-1.0 for Drupal allows remote authenticated users, with "create additional terms" privileges, to inject arbitrary web script or HTML via the term description field in a term listing p
14-04-2010 - 13:59 13-04-2010 - 18:30
CVE-2008-7150 4.3
Cross-site scripting (XSS) vulnerability in Refine by Taxonomy 5.x before 5.x-0.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a taxonomy term, which is not properly handled by refine_by_taxo when displayin
17-08-2017 - 01:29 01-09-2009 - 16:30
CVE-2012-2719 5.1
The filedepot module 6.x-1.x before 6.x-1.3 for Drupal, when accessed using multiple different browsers from the same IP address, causes Internet Explorer sessions to "switch users" when uploading a file, which has unspecified impact possibly involvi
27-06-2012 - 16:51 27-06-2012 - 00:55
CVE-2012-2723 2.6
Cross-site scripting (XSS) vulnerability in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with maestro admin permissions to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-3799 5.1
Multiple cross-site request forgery (CSRF) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) change workflows or (2) insert cross-site s
29-08-2017 - 01:32 27-06-2012 - 00:55
CVE-2012-4486 6.8
Cross-site request forgery (CSRF) vulnerability in the Subuser module before 6.x-1.8 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that switch the user to a subuser via unspecified vectors.
06-11-2012 - 05:00 02-11-2012 - 15:55
CVE-2012-4487 4.0
The Subuser module before 6.x-1.8 for Drupal does not properly check "switch subuser" permissions, which allows remote authenticated parent users to change their role by switching to a subuser they created.
05-11-2012 - 14:38 02-11-2012 - 15:55
CVE-2013-4272 4.3
The BOTCHA Spam Prevention module 7.x-1.x before 7.x-1.6, 7.x-2.x before 7.x-2.1, and 7.x-3.x before 7.x-3.3 for Drupal, when the debugging level is set to 5 or 6, logs the content of submitted forms, which allows context-dependent users to obtain se
05-09-2013 - 15:41 28-08-2013 - 22:55
CVE-2013-0259 2.1
Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter.
03-07-2013 - 04:29 27-03-2013 - 21:55
CVE-2012-2063 5.0
The Slidebox module before 7.x-1.4 for Drupal does not properly check permissions, which allows remote attackers to obtain sensitive information via unspecified vectors.
29-08-2017 - 01:31 05-09-2012 - 00:55
CVE-2009-4296 7.5
SQL injection vulnerability in the Taxonomy Timer module 5.x-1.8 and earlier and 6.x-alpha1 and earlier for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
14-12-2009 - 05:00 11-12-2009 - 19:30
CVE-2012-2713 6.8
Cross-site request forgery (CSRF) vulnerability in the BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that login a user to another web site.
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2009-4044 7.5
The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors.
17-08-2017 - 01:31 20-11-2009 - 19:30
CVE-2012-2727 5.8
Open redirect vulnerability in the Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when synchronizing user data, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination paramet
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-3798 5.0
The Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when creating a local user account, allows attackers to obtain part of the initial input used to generate passwords, which makes it easier to conduct brute force password guessing attacks.
27-06-2012 - 04:00 27-06-2012 - 00:55
CVE-2012-5548 4.3
Cross-site scripting (XSS) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5549 6.8
Cross-site request forgery (CSRF) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
04-12-2012 - 18:38 03-12-2012 - 21:55
CVE-2012-5550 7.5
SQL injection vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
04-12-2012 - 18:39 03-12-2012 - 21:55
CVE-2012-5591 4.3
Cross-site scripting (XSS) vulnerability in the Zero Point module 6.x-1.x before 6.x-1.18 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the path aliases.
27-12-2012 - 05:00 26-12-2012 - 17:55
CVE-2013-1905 4.3
Cross-site scripting (XSS) vulnerability in the Zero Point theme 7.x-1.x before 7.x-1.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:33 20-06-2013 - 23:55
CVE-2010-4813 3.5
Cross-site scripting (XSS) vulnerability in the Category Tokens module 6.x before 6.x-1.1 for Drupal allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML by editing or creating vocabulary names
29-08-2017 - 01:29 08-07-2011 - 22:55
CVE-2009-2291 6.8
Unspecified vulnerability in LoginToboggan 6.x-1.x before 6.x-1.5, a module for Drupal, when "Allow users to login using their e-mail address" is enabled, allows remote blocked users to bypass intended access restrictions via unspecified vectors.
01-07-2009 - 13:00 01-07-2009 - 13:00
CVE-2009-3922 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the User Protect module 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allow remote attackers to hijack the authentication of administrators for requests that (1) delete t
17-08-2017 - 01:31 09-11-2009 - 17:30
CVE-2015-6665 4.3
Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML el
24-12-2016 - 02:59 24-08-2015 - 14:59
CVE-2013-1859 6.4
The Node Parameter Control module 6.x-1.x for Drupal does not properly restrict access to the configuration options, which allows remote attackers to read and edit configuration options via unspecified vectors.
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2009-3121 4.3
Cross-site scripting (XSS) vulnerability in the Ajax Table module 5.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
17-08-2017 - 01:31 09-09-2009 - 22:30
CVE-2009-3122 6.4
The Ajax Table module 5.x for Drupal does not perform access control, which allows remote attackers to delete arbitrary users and nodes via unspecified vectors.
17-08-2017 - 01:31 09-09-2009 - 22:30
CVE-2012-4473 3.5
The Restrict node page view module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "view any node page" or "view any node {type} page" permission to access unpublished nodes via a direct request.
30-01-2013 - 04:54 30-11-2012 - 22:55
CVE-2012-2705 2.1
The filter_titles function in the Smart Breadcrumb module 6.x-1.x before 6.x-1.3 for Drupal does not properly convert a title to plain-text, which allows remote authenticated users with create or edit node permissions to conduct cross-site scripting
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2066 4.3
Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web
29-08-2017 - 01:31 05-09-2012 - 00:55
CVE-2012-2067 6.8
Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers t
29-08-2017 - 01:31 05-09-2012 - 00:55
CVE-2018-9861 4.3
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to
18-07-2019 - 13:15 19-04-2018 - 17:29
CVE-2013-5937 6.8
Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete database information via vectors involving the Drupal Fo
29-08-2017 - 01:33 25-09-2013 - 14:55
CVE-2013-5938 4.3
Cross-site scripting (XSS) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a confirmation form.
29-08-2017 - 01:33 25-09-2013 - 14:55
CVE-2012-5554 5.0
The default configuration for the Webform CiviCRM Integration module 7.x-3.x before 7.x-3.2 has "Enforce Permissions" disabled, which allows remote attackers to obtain contact information by reading webforms.
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-1653 3.5
Cross-site scripting (XSS) vulnerability in the Taxonomy Views Integrator (TVI) module 6.x-1.x before 6.x-1.3 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, related to "views pages."
29-08-2017 - 01:31 19-09-2012 - 19:55
CVE-2012-4474 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Colorbox Node module 7.x-2.x before 7.x-2.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
30-01-2013 - 04:54 30-11-2012 - 22:55
CVE-2012-1639 3.5
Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parame
29-08-2017 - 01:31 01-10-2012 - 20:55
CVE-2012-2116 6.8
Cross-site request forgery (CSRF) vulnerability in the Commerce Reorder module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that add items to the shopping cart.
04-09-2012 - 04:00 31-08-2012 - 22:55
CVE-2012-2297 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Creative Commons module 6.x-1.x before 6.x-1.1 for Drupal allow remote authenticated users with the administer creative commons permission to inject arbitrary web script or HTML via the (1) c
29-08-2017 - 01:31 26-08-2012 - 21:55
CVE-2013-1393 2.1
Cross-site scripting (XSS) vulnerability in the CurvyCorners module 6.x-1.x and 7.x-1.x for Drupal allows remote authenticated users with the "administer curvycorners" permission to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:33 20-06-2013 - 21:55
CVE-2012-6065 4.6
The OM Maximenu module 6.x-1.43 and earlier for Drupal, when the "Title has PHP" option is enabled, allows remote authenticated users with the "Administer OM Maximenu" permission to execute arbitrary PHP code via a "Link Title," a different vulnerabi
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5553 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the OM Maximenu module 6.x-1.x before 6.x-1.44 and 7.x-1.x before 7.x-1.44 for Drupal allow remote authenticated users with the "administer OM Maximenu" permission to inject arbitrary web script
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-1648 2.1
Cross-site scripting (XSS) vulnerability in the Cool Aid module before 6.x-1.9 for Drupal allows remote authenticated users with the administer coolaid permission to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 09-09-2012 - 21:55
CVE-2012-1649 4.9
Cool Aid module before 6.x-1.9 for Drupal does not enforce access restrictions, which allows remote authenticated users with the administer coolaid permission to modify arbitrary pages via unspecified vectors.
29-08-2017 - 01:31 09-09-2012 - 21:55
CVE-2012-1641 6.0
The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finde
29-08-2012 - 04:00 28-08-2012 - 17:55
CVE-2009-3653 3.5
Cross-site scripting (XSS) vulnerability in the additional links interface in XML Sitemap 5.x-1.6, a module for Drupal, allows remote authenticated users, with "administer site configuration" permission, to inject arbitrary web script or HTML via uns
17-08-2017 - 01:31 09-10-2009 - 14:30
CVE-2012-1631 6.8
Cross-site request forgery (CSRF) vulnerability in the Admin:hover module for Drupal allows remote attackers to hijack the authentication of administrators for requests that unpublish all nodes, and possibly other actions, via unspecified vectors.
29-08-2017 - 01:31 20-09-2012 - 03:46
CVE-2009-3568 5.0
Comment RSS 5.x before 5.x-2.2 and 6.x before 6.x-2.2, a module for Drupal, does not properly enforce permissions when a link is added to the RSS feed, which allows remote attackers to obtain the node title and possibly other sensitive content by rea
08-10-2009 - 04:00 06-10-2009 - 20:30
CVE-2012-4472 5.1
Unrestricted file upload vulnerability in upload.php in the Drag & Drop Gallery module 6.x-1.5 and earlier for Drupal allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension,
30-01-2013 - 04:54 30-11-2012 - 22:55
CVE-2012-4476 4.3
Cross-site scripting (XSS) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
03-12-2012 - 05:00 30-11-2012 - 22:55
CVE-2012-4477 5.0
Unspecified vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to bypass access restrictions via unknown attack vectors.
03-12-2012 - 05:00 30-11-2012 - 22:55
CVE-2012-4478 6.8
Cross-site request forgery (CSRF) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to hijack the authentication of administrators.
03-12-2012 - 19:13 30-11-2012 - 22:55
CVE-2012-4479 7.5
SQL injection vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
03-12-2012 - 19:24 30-11-2012 - 22:55
CVE-2013-0257 5.0
The email2image module 6.x-1.x and 6.x-2.x for Drupal does not properly restrict access to nodes, which allows remote attackers to read images of user email addresses and email fields.
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2012-2716 6.8
Cross-site request forgery (CSRF) vulnerability in the Comment Moderation module 6.x-1.x before 6.x-1.1 for Drupal allows remote attackers to hijack the authentication of administrators for requests that publish comments.
29-08-2017 - 01:31 21-06-2012 - 15:55
CVE-2009-3650 4.3
Cross-site scripting (XSS) vulnerability in Dex 5.x-1.0 and earlier and 6.x-1.0-rc1 and earlier, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
17-08-2017 - 01:31 09-10-2009 - 14:30
CVE-2013-4383 2.1
Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vecto
04-02-2014 - 20:40 31-01-2014 - 15:07
CVE-2013-1780 2.1
Cross-site scripting (XSS) vulnerability in the Best Responsive Theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons
29-08-2017 - 01:33 27-03-2013 - 21:55
CVE-2013-1783 2.1
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in page--front.tpl.php in the Business theme before 7.x-1.8 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via
29-08-2017 - 01:33 27-03-2013 - 21:55
CVE-2013-1784 2.1
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Clean Theme before 7.x-1.3 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-1786 2.1
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Company theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-1787 2.1
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Simple Corporate theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vec
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-1778 2.1
Cross-site scripting (XSS) vulnerability in the Creative Theme 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2012-4497 2.1
Cross-site scripting (XSS) vulnerability in the "3 slide gallery" in the Elegant Theme module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via a sli
29-11-2017 - 02:29 02-11-2012 - 15:55
CVE-2013-1779 2.1
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Fresh theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-1781 2.1
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Professional theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-1785 2.1
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Premium Responsive theme before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified v
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-1782 2.1
Cross-site scripting (XSS) vulnerability in the Responsive Blog Theme 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons
24-11-2015 - 18:09 27-03-2013 - 21:55
CVE-2013-0323 4.3
Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the author field.
04-04-2013 - 04:00 27-03-2013 - 21:55
CVE-2012-1629 2.1
Cross-site scripting (XSS) vulnerability in the Taxotouch module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 20-09-2012 - 03:46
CVE-2012-1638 6.0
SQL injection vulnerability in the Search Autocomplete module before 7.x-2.1 for Drupal allows remote authenticated users with the "use search_autocomplete" permission to execute arbitrary SQL commands via unspecified vectors.
21-09-2012 - 04:00 19-09-2012 - 21:55
CVE-2012-4471 5.0
The Search Autocomplete module 7.x-2.x before 7.x-2.4 for Drupal does not properly restrict access to the module admin page, which allows remote attackers to disable an autocompletion or change the priority order via unspecified vectors.
30-01-2013 - 04:54 30-11-2012 - 22:55
CVE-2009-3206 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, allow remote authenticated users, with "administer imagecache" permissions, to inject arbitrary web sc
17-08-2017 - 01:31 16-09-2009 - 17:30
CVE-2009-3207 6.8
The ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, when the private file system is used, does not properly perform access control for derivative images, which allows remote attackers to view arbitrary images
17-08-2017 - 01:31 16-09-2009 - 17:30
CVE-2012-2718 7.5
SQL injection vulnerability in the Counter module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "recording visits."
29-08-2017 - 01:31 21-06-2012 - 15:55
CVE-2008-2998 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Per Hyperlink Record 1026625, Drupal core is not affect
08-08-2017 - 01:31 03-07-2008 - 18:41
CVE-2008-2999 7.5
Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors. Per Hyperlink Record 1026625, Drupal core is not affected. If you do not
08-08-2017 - 01:31 03-07-2008 - 18:41
CVE-2008-5998 6.0
Multiple SQL injection vulnerabilities in the ajax_checklist_save function in the Ajax Checklist module 5.x before 5.x-1.1 for Drupal allow remote authenticated users, with "update ajax checklists" permissions, to execute arbitrary SQL commands via a
11-10-2018 - 20:56 28-01-2009 - 15:30
CVE-2008-5999 3.5
Cross-site scripting (XSS) vulnerability in the Ajax Checklist module 5.x before 5.x-1.1 for Drupal allows remote authenticated users, with create and edit permissions for posts, to inject arbitrary web script or HTML via unspecified vectors involvin
08-08-2017 - 01:33 28-01-2009 - 15:30
CVE-2008-0462 4.3
Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-08-2017 - 01:29 25-01-2008 - 16:00
CVE-2007-5621 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart
29-07-2017 - 01:33 22-10-2007 - 19:46
CVE-2009-1342 4.3
Cross-site scripting (XSS) vulnerability in the CCK comment reference module 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via certain comment titles associated with a node edit form.
20-04-2009 - 14:30 20-04-2009 - 14:30
CVE-2009-1069 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x before 6.x-2.2, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) titles of ca
17-08-2017 - 01:30 26-03-2009 - 05:51
CVE-2011-2714 4.3
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.
14-01-2020 - 22:15 14-01-2020 - 22:15
CVE-2011-2715 7.5
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
14-01-2020 - 22:15 14-01-2020 - 22:15
CVE-2008-1792 4.3
Cross-site scripting (XSS) vulnerability in the insertion filter in the Flickr Drupal module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-alpha allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-08-2017 - 01:30 15-04-2008 - 17:05
CVE-2008-1978 3.5
Cross-site scripting (XSS) vulnerability in the Ubercart 5.x before 5.x-1.0 rc3 module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via node titles related to unspecified product features, a different vector tha
08-08-2017 - 01:30 27-04-2008 - 20:05
CVE-2008-1980 4.3
Cross-site scripting (XSS) vulnerability in E-Publish 5.x before 5.x-1.1 and 6.x before 6.x-1.0 beta1, a Drupal module, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-08-2017 - 01:30 27-04-2008 - 20:05
CVE-2008-2629 7.5
SQL injection vulnerability in the LifeType (formerly pLog) module for Drupal allows remote attackers to execute arbitrary SQL commands via the albumId parameter in a ViewAlbum action to index.php.
29-09-2017 - 01:31 10-06-2008 - 00:32
CVE-2008-3661 5.0
Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
11-10-2018 - 20:49 23-09-2008 - 15:25
CVE-2008-4633 6.0
SQL injection vulnerability in Node Vote 5.x before 5.x-1.1 and 6.x before 6.x-1.0, a module for Drupal, when "Allow user to vote again" is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related t
08-08-2017 - 01:32 21-10-2008 - 01:18
CVE-2008-4710 4.3
Cross-site scripting (XSS) vulnerability in the stock quotes page in Stock 6.x before 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-08-2017 - 01:32 23-10-2008 - 17:17
CVE-2008-5996 3.5
Cross-site scripting (XSS) vulnerability in the Simplenews module 5.x before 5.x-1.5 and 6.x before 6.x-1.0-beta4, a module for Drupal, allows remote authenticated users, with "administer taxonomy" permissions, to inject arbitrary web script or HTML
08-08-2017 - 01:33 28-01-2009 - 15:30
CVE-2008-6020 7.5
SQL injection vulnerability in the Views module 6.x before 6.x-2.2 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "an exposed filter on CCK text fields."
08-08-2017 - 01:33 02-02-2009 - 22:00
CVE-2008-6134 7.5
SQL injection vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
17-08-2017 - 01:29 14-02-2009 - 02:30
CVE-2008-6135 4.3
Cross-site scripting (XSS) vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
17-08-2017 - 01:29 14-02-2009 - 02:30
CVE-2008-6137 7.5
EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to bypass access restrictions via unknown vectors.
17-08-2017 - 01:29 14-02-2009 - 02:30
CVE-2008-6383 6.0
SQL injection vulnerability in SpeedTech Organization and Resource Manager (Storm) 5.x before 5.x-1.14 and 6.x before 6.x-1.18, a module for Drupal, allows remote authenticated users with storm project access to execute arbitrary SQL commands via uns
17-08-2017 - 01:29 02-03-2009 - 19:30
CVE-2008-6413 4.3
Cross-site scripting (XSS) vulnerability in the Answers module 5.x-1.x-dev and possibly other 5.x versions, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a Simple Answer to a question.
17-08-2017 - 01:29 06-03-2009 - 11:30
CVE-2008-6835 4.3
Cross-site scripting (XSS) vulnerability in OpenID 5.x before 5.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
29-06-2009 - 04:00 27-06-2009 - 18:47
CVE-2008-6836 6.8
Cross-site request forgery (CSRF) vulnerability in OpenID 5.x before 5.x-1.2, a module for Drupal, allows remote attackers to hijack the authentication of unspecified victims to delete OpenID identities via unknown vectors.
29-06-2009 - 04:00 27-06-2009 - 18:47
CVE-2008-6908 7.5
Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, uses an insecure hash when signing requests, which allows remote attackers to impersonate other users and gain privileges.
17-08-2017 - 01:29 06-08-2009 - 17:30
CVE-2008-6909 6.5
Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not sign all required data in requests, which has unspecified impact, probably related to man-in-the-middle attacks that modify critical data and allow remote attackers t
17-08-2017 - 01:29 06-08-2009 - 18:30
CVE-2008-6910 7.5
Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not use timeouts for signed requests, which allows remote attackers to impersonate other users and gain privileges via a replay attack that sends the same request.
17-08-2017 - 01:29 06-08-2009 - 18:30
CVE-2008-6972 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Drupal Content Construction Kit (CCK) 5.x through 5.x-1.8 allow remote authenticated users with "administer content" permissions to inject arbitrary web script or HTML via the (1) "field label,"
17-08-2017 - 01:29 13-08-2009 - 16:30
CVE-2008-7151 6.8
Cross-site request forgery (CSRF) vulnerability in Live 5.x before 5.x-0.1, a module for Drupal, allows remote attackers to hijack the authentication of unspecified privileged users for requests that can be leveraged to execute arbitrary PHP code.
17-08-2017 - 01:29 01-09-2009 - 16:30
CVE-2009-0382 4.3
Unspecified vulnerability in Internationalization (i18n) Translation 5.x before 5.x-2.5, a module for Drupal, allows remote attackers with "translate node" permissions to bypass intended access restrictions and read unpublished nodes via unspecified
02-02-2009 - 19:30 02-02-2009 - 19:30
CVE-2009-0817 3.5
Cross-site scripting (XSS) vulnerability in the Protected Node module 5.x before 5.x-1.4 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users with "administer site configuration" permissions to inject arbitrary web script or
17-08-2017 - 01:30 05-03-2009 - 02:30
CVE-2009-0818 3.5
Cross-site scripting (XSS) vulnerability in the taxonomy_theme_admin_table_builder function (taxonomy_theme_admin.inc) in Taxonomy Theme module before 5.x-1.2, a module for Drupal, allows remote authenticated users with the "administer taxonomy" perm
17-08-2017 - 01:30 05-03-2009 - 02:30
CVE-2009-1035 4.3
Cross-site scripting (XSS) vulnerability in the Tasklist module 5.x-1.x before 5.x-1.3 and 5.x-2.x before 5.x-2.0-alpha1, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via Cascading Style Sheets (CSS).
17-08-2017 - 01:30 20-03-2009 - 18:30
CVE-2009-1036 6.8
Cross-site request forgery (CSRF) vulnerability in the Plus 1 module before 6.x-2.6, a module for Drupal, allows remote attackers to cast votes for content via unspecified aspects of the URI.
17-08-2017 - 01:30 20-03-2009 - 18:30
CVE-2009-1037 5.0
Unspecified vulnerability in the Send by e-mail module in the "Printer, e-mail and PDF versions" module 5.x before 5.x-4.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to send unlimited spam messages via unknown vectors relate
26-03-2009 - 04:00 20-03-2009 - 18:30
CVE-2009-1047 4.3
Cross-site scripting (XSS) vulnerability in the Send by e-mail module in the "Printer, e-mail and PDF versions" module 5.x before 5.x-4.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via
01-04-2009 - 05:43 23-03-2009 - 20:00
CVE-2009-1249 4.3
Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map.
07-04-2009 - 04:00 06-04-2009 - 16:30
CVE-2009-1343 4.3
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.5 and 6.x before 6.x-1.5, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via content titles.
21-04-2009 - 04:00 20-04-2009 - 14:30
CVE-2009-1344 4.3
Cross-site scripting (XSS) vulnerability in the Localization client module 5.x before 5.x-1.2 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the translation functionality.
20-04-2009 - 14:30 20-04-2009 - 14:30
CVE-2009-1501 4.3
Cross-site scripting (XSS) vulnerability in the Exif module 5.x-1.x before 5.x-1.2 and 6.x-1.x-dev before April 13, 2009, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via EXIF tags in an image.
13-05-2009 - 05:28 01-05-2009 - 17:30
CVE-2009-1505 6.5
SQL injection vulnerability in the News Page module 5.x before 5.x-1.2 for Drupal allows remote authenticated users, with News Page nodes create and edit privileges, to execute arbitrary SQL commands via the Include Words (aka keywords) field.
17-08-2017 - 01:30 01-05-2009 - 17:30
CVE-2009-1507 7.5
The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x before 6.x-2.0-beta6, a module for Drupal, interprets an empty CCK user reference as a reference to the anonymous user, which might allow remote attackers to bypass intended acces
13-05-2009 - 05:28 01-05-2009 - 17:30
CVE-2009-1823 2.6
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.7 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML by modifying a document
17-08-2017 - 01:30 29-05-2009 - 16:30
CVE-2009-2074 3.5
Cross-site scripting (XSS) vulnerability in Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drupal, allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via vocabulary names.
17-06-2009 - 04:00 16-06-2009 - 19:30
CVE-2009-2076 3.5
Cross-site scripting (XSS) vulnerability in Views 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via (1) exposed filters in the Views UI administrative interface and in the (2) view n
29-06-2009 - 04:00 16-06-2009 - 19:30
CVE-2009-2078 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Booktree 5.x before 5.x-7.3 and 6.x before 6.x-1.1, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) node title and (2) node body in a tree root page
17-06-2009 - 04:00 16-06-2009 - 19:30
CVE-2009-2079 3.5
Cross-site scripting (XSS) vulnerability in the administrative page interface in Taxonomy manager 5.x before 5.x-1.2 and 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to
17-06-2009 - 04:00 16-06-2009 - 19:30
CVE-2009-2083 3.5
Cross-site scripting (XSS) vulnerability in the term data detail page in Taxonomy manager 5.x before 5.x-1.2, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to use free tagging to add taxono
17-06-2009 - 04:00 16-06-2009 - 21:00
CVE-2009-2237 7.5
Unspecified vulnerability in Views Bulk Operations 5.x-1.x before 5.x-1.4 and 6.x-1.x before 6.x-1.7, a module for Drupal, allows remote attackers to bypass intended access restrictions and modify "nodes or classes of nodes" via unknown vectors, prob
17-08-2017 - 01:30 27-06-2009 - 18:47
CVE-2009-2370 4.3
Cross-site scripting (XSS) vulnerability in Advanced Forum 5.x before 5.x-1.1 and 6.x before 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-07-2009 - 15:30 08-07-2009 - 15:30
CVE-2009-2371 6.5
Advanced Forum 6.x before 6.x-1.1, a module for Drupal, does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to
08-07-2009 - 15:30 08-07-2009 - 15:30
CVE-2009-2572 6.8
Cross-site request forgery (CSRF) vulnerability in the Fivestar module 5.x-1.x before 5.x-1.14 and 6.x-1.x before 6.x-1.14, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that cast votes.
17-08-2017 - 01:30 22-07-2009 - 17:30
CVE-2009-2610 3.5
Cross-site scripting (XSS) vulnerability in the Links Related module in the Links Package 5.x before 5.x-1.13 and 6.x before 6.x-1.2, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via the title field.
27-07-2009 - 18:30 27-07-2009 - 18:30
CVE-2009-3156 2.1
Cross-site scripting (XSS) vulnerability in the Date Tools sub-module in the Date module 6.x before 6.x-2.3 for Drupal allows remote authenticated users, with "use date tools" or "administer content types" privileges, to inject arbitrary web script o
17-08-2017 - 01:31 10-09-2009 - 18:30
CVE-2009-3157 3.5
Cross-site scripting (XSS) vulnerability in the Calendar module 6.x before 6.x-2.2 for Drupal allows remote authenticated users, with "create new content types" privileges, to inject arbitrary web script or HTML via the title of a content type.
11-09-2009 - 04:00 10-09-2009 - 18:30
CVE-2009-3210 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.8 and 6.x before 6.x-1.8, a module for Drupal, allow remote authenticated users to inject arbitrary web script or HTML via
17-08-2017 - 01:31 16-09-2009 - 17:30
CVE-2009-3350 10.0
Multiple unspecified vulnerabilities in the Subdomain Manager module for Drupal have unknown impact and attack vectors.
12-10-2009 - 04:00 24-09-2009 - 16:30
CVE-2009-3351 10.0
Multiple unspecified vulnerabilities in the Node Browser module for Drupal have unknown impact and attack vectors.
24-09-2009 - 16:30 24-09-2009 - 16:30
CVE-2009-3352 10.0
Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors.
25-09-2009 - 04:00 24-09-2009 - 16:30
CVE-2009-3353 10.0
Multiple unspecified vulnerabilities in the Node2Node module for Drupal have unknown impact and attack vectors.
29-09-2009 - 04:00 24-09-2009 - 16:30
CVE-2009-3363 4.3
Cross-site scripting (XSS) vulnerability in the BUEditor module 5.x before 5.x-1.2 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the "plain textarea editor."
17-08-2017 - 01:31 24-09-2009 - 16:30
CVE-2009-3435 4.3
Cross-site scripting (XSS) vulnerability in the variable editor in the Devel module 5.x before 5.x-1.2 and 6.x before 6.x-1.18, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a variable name.
17-08-2017 - 01:31 28-09-2009 - 22:30
CVE-2009-3437 4.3
Cross-site scripting (XSS) vulnerability in the live preview feature in the Markdown Preview module 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via "Markdown input."
30-09-2009 - 04:00 28-09-2009 - 22:30
CVE-2009-3479 4.3
Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x before 5.x-1.17 and 6.x before 6.x-1.6, a module for Drupal, allows remote attackers, with "create content displayed by the Bibliography module" permissions, to inject arbitrary we
01-10-2009 - 04:00 30-09-2009 - 15:30
CVE-2009-3488 2.1
Cross-site scripting (XSS) vulnerability in the Bibliography (aka Biblio) module 6.x-1.6 for Drupal allows remote authenticated users, with certain content-creation privileges, to inject arbitrary web script or HTML via the Title field, probably a di
17-08-2017 - 01:31 30-09-2009 - 15:30
CVE-2009-3651 4.3
Cross-site scripting (XSS) vulnerability in the "Monitor browsers" feature in Browscap before 5.x-1.1 and 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.
17-08-2017 - 01:31 09-10-2009 - 14:30
CVE-2009-3652 3.5
Cross-site scripting (XSS) vulnerability in Organic Groups (OG) 5.x-7.x before 5.x-7.4, 5.x-8.x before 5.x-8.1, and 6.x-1.x before 6.x-1.4, a module for Drupal, allows remote authenticated users, with create or edit group nodes permissions, to inject
17-08-2017 - 01:31 09-10-2009 - 14:30
CVE-2009-3656 6.8
Cross-site request forgery (CSRF) vulnerability in Shared Sign-On 5.x and 6.x, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users via unknown vectors.
17-08-2017 - 01:31 09-10-2009 - 14:30
CVE-2009-3657 5.8
Session fixation vulnerability in Shared Sign-On 5.x and 6.x, a module for Drupal, allows remote attackers to hijack web sessions via unspecified vectors.
17-08-2017 - 01:31 09-10-2009 - 14:30
CVE-2009-3779 4.3
Cross-site scripting (XSS) vulnerability in vCard 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the addition of the theme_vcard funct
17-08-2017 - 01:31 26-10-2009 - 17:30
CVE-2009-3781 7.5
The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors.
17-08-2017 - 01:31 26-10-2009 - 17:30
CVE-2009-3783 4.3
Cross-site scripting (XSS) vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
17-08-2017 - 01:31 26-10-2009 - 17:30
CVE-2009-3784 6.8
Open redirect vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
27-10-2009 - 04:00 26-10-2009 - 17:30
CVE-2009-3785 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allow remote attackers to hijack the authentication of arbitrary users via unknown vectors.
17-08-2017 - 01:31 26-10-2009 - 17:30
CVE-2009-3786 4.3
Cross-site scripting (XSS) vulnerability in Organic Groups (OG) Vocabulary 5.x before 5.x-1.1 and 6.x before 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the group title.
17-08-2017 - 01:31 26-10-2009 - 17:30
CVE-2009-3914 4.3
Cross-site scripting (XSS) vulnerability in the Temporary Invitation module 5.x before 5.x-2.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Name field in an invitation.
17-08-2017 - 01:31 09-11-2009 - 17:30
CVE-2009-3915 4.3
Cross-site scripting (XSS) vulnerability in the "Separate title and URL" formatter in the Link module 5.x before 5.x-2.6 and 6.x before 6.x-2.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the link title fi
17-08-2017 - 01:31 09-11-2009 - 17:30
CVE-2009-3916 4.3
Cross-site scripting (XSS) vulnerability in the Node Hierarchy module 5.x before 5.x-1.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a child node title.
17-08-2017 - 01:31 09-11-2009 - 17:30
CVE-2009-3917 4.3
Cross-site scripting (XSS) vulnerability in the S5 Presentation Player module 6.x-1.x before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via an unspecified field that is copied to the HTML HEAD element.
17-08-2017 - 01:31 09-11-2009 - 17:30
CVE-2009-3918 4.3
Cross-site scripting (XSS) vulnerability in the Zoomify module 5.x before 5.x-2.2 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the node title.
17-08-2017 - 01:31 09-11-2009 - 17:30
CVE-2009-3919 4.3
Cross-site scripting (XSS) vulnerability in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified "user-supplied information."
17-08-2017 - 01:31 09-11-2009 - 17:30
CVE-2009-3920 5.0
An administration page in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal does not perform the expected access control, which allows remote attackers to read log information via unspecified vectors.
17-08-2017 - 01:31 09-11-2009 - 17:30
CVE-2009-3921 4.0
The Smartqueue_og module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-rc3, a module for Drupal, does not verify group-node privileges in certain circumstances involving subqueue creation, which allows remote authenticated users to discover arbitrary org
10-11-2009 - 05:00 09-11-2009 - 17:30
CVE-2009-4042 4.3
Cross-site scripting (XSS) vulnerability in the RootCandy theme 6.x before 6.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via the URI.
17-08-2017 - 01:31 20-11-2009 - 19:30
CVE-2009-4043 4.3
Cross-site scripting (XSS) vulnerability in the AddToAny module 5.x before 5.x-2.4 and 6.x before 6.x-2.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via a node title.
17-08-2017 - 01:31 20-11-2009 - 19:30
CVE-2009-4061 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Agreement module 6.x before 6.x-1.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
17-08-2017 - 01:31 24-11-2009 - 02:30
CVE-2009-4063 4.3
Cross-site scripting (XSS) vulnerability in the Subgroups for Organic Groups (OG) module 5.x before 5.x-4.0 and 5.x before 5.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified node titles.
17-08-2017 - 01:31 24-11-2009 - 02:30
CVE-2009-4064 4.3
Cross-site scripting (XSS) vulnerability in the Gallery Assist module 6.x before 6.x-1.7 for Drupal allows remote attackers to inject arbitrary web script or HTML via node titles.
17-08-2017 - 01:31 24-11-2009 - 02:30
CVE-2009-4065 4.3
Cross-site scripting (XSS) vulnerability in the settings page in the Strongarm module 6.x before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the value field when viewing overridden variables.
17-08-2017 - 01:31 24-11-2009 - 02:30
CVE-2009-4066 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the "My Account" feature in PHPList Integration module 5 before 5.x-1.2 and 6 before 6.x-1.1 for Drupal allow remote attackers to hijack the authentication of arbitrary users via vectors r
17-08-2017 - 01:31 24-11-2009 - 02:30
CVE-2009-4207 4.3
Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.7 and 6.x before 6.x-2.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a submission.
08-12-2009 - 05:00 04-12-2009 - 19:30
CVE-2009-4513 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the Workflow module 5.x before 5.x-2.4 and 6.x before 6.x-1.2, a module for Drupal, allow remote authenticated users, with "administer workflow" privileges, to inject arbitrary web script or HTML
17-08-2017 - 01:31 31-12-2009 - 19:30
CVE-2009-4515 5.0
The Storm module 6.x before 6.x-1.25 for Drupal does not enforce privilege requirements for storminvoiceitem nodes, which allows remote attackers to read node titles via unspecified vectors.
08-01-2010 - 20:29 31-12-2009 - 19:30
CVE-2009-4516 4.3
Cross-site scripting (XSS) vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-01-2010 - 05:00 31-12-2009 - 19:30
CVE-2009-4517 6.8
Cross-site request forgery (CSRF) vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that access unpublished content.
08-01-2010 - 17:50 31-12-2009 - 19:30
CVE-2009-4518 4.3
Cross-site scripting (XSS) vulnerability in the Insert Node module 5.x before 5.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via an inserted node.
07-01-2010 - 05:00 31-12-2009 - 19:30
CVE-2009-4520 5.0
The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to bypass intended access restrictions and read comments by using the autocomplete path.
06-01-2010 - 05:00 31-12-2009 - 19:30
CVE-2009-4524 4.3
Cross-site scripting (XSS) vulnerability in the RealName module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a realname (aka real name) element.
17-08-2017 - 01:31 31-12-2009 - 19:30
CVE-2009-4525 4.3
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.9 and 6.x before 6.x-1.9, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via crafted data in a l
17-08-2017 - 01:31 31-12-2009 - 19:30
CVE-2009-4526 5.0
The Send by e-mail sub-module in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.9 and 6.x before 6.x-1.9, a module for Drupal, does not properly enforce privilege requirements, which allows remote attackers to read page titl
04-01-2010 - 19:51 31-12-2009 - 19:30
CVE-2009-4527 4.6
The Shibboleth authentication module 5.x before 5.x-3.4 and 6.x before 6.x-3.2, a module for Drupal, does not properly remove statically granted privileges after a logout or other session change, which allows physically proximate attackers to gain pr
17-08-2017 - 01:31 31-12-2009 - 19:30
CVE-2009-4528 6.5
The Organic Groups (OG) Vocabulary module 6.x before 6.x-1.0 for Drupal allows remote authenticated group members to bypass intended access restrictions, and create, modify, or read a vocabulary, via unspecified vectors.
17-08-2017 - 01:31 31-12-2009 - 19:30
CVE-2009-4532 3.5
Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, allows remote authenticated users, with webform creation privileges, to inject arbitrary web script or HTML via a field lab
17-08-2017 - 01:31 31-12-2009 - 19:30
CVE-2009-4533 5.0
The Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, does not prevent caching of a page that contains token placeholders for a default value, which allows remote attackers to read session variables via unspecified vector
17-08-2017 - 01:31 31-12-2009 - 19:30
CVE-2009-4534 4.3
Open redirect vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
04-01-2010 - 05:00 31-12-2009 - 19:30
CVE-2009-4557 2.1
Cross-site scripting (XSS) vulnerability in the Image Assist module 5.x-1.x before 5.x-1.8, 5.x-2.x before 2.0-alpha4, 6.x-1.x before 6.x-1.1, 6.x-2.x before 2.0-alpha4, and 6.x-3.x-dev before 2009-07-15, a module for Drupal, allows remote authentica
17-08-2017 - 01:31 04-01-2010 - 21:30
CVE-2009-4558 5.0
The Image Assist module 5.x-1.x before 5.x-1.8, 5.x-2.x before 2.0-alpha4, 6.x-1.x before 6.x-1.1, 6.x-2.x before 2.0-alpha4, and 6.x-3.x-dev before 2009-07-15, a module for Drupal, does not properly enforce privilege requirements for unspecified pag
17-08-2017 - 01:31 04-01-2010 - 21:30
CVE-2009-4559 3.5
Cross-site scripting (XSS) vulnerability in the Submitted By module 6.x before 6.x-1.3 for Drupal allows remote authenticated users, with "administer content types" privileges, to inject arbitrary web script or HTML via an input string for "submitted
17-08-2017 - 01:31 04-01-2010 - 21:30
CVE-2009-4602 4.3
Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
13-01-2010 - 05:00 12-01-2010 - 17:30
CVE-2009-4771 5.0
The PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal does not properly validate orders, which allows remote attackers to trigger unspecified "duplicate actions" via unknown vec
17-08-2017 - 01:31 20-04-2010 - 14:30
CVE-2009-4772 4.3
Unspecified vulnerability in the PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal, when a custom checkout completion message is enabled, allows attackers to obtain sensitive in
17-08-2017 - 01:31 20-04-2010 - 14:30
CVE-2009-4773 6.8
Cross-site request forgery (CSRF) vulnerability in the order-management functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown
17-08-2017 - 01:31 20-04-2010 - 14:30
CVE-2009-4829 2.1
Cross-site scripting (XSS) vulnerability in the Automated Logout module 6.x-1.x before 6.x-1.7 and 6.x-2.x before 6.x-2.3 for Drupal allows remote authenticated users with administer autologout privileges to inject arbitrary web script or HTML via un
28-04-2010 - 04:00 27-04-2010 - 15:30
CVE-2009-4990 4.3
Cross-site scripting (XSS) vulnerability in the Webform report module 5.x and 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a submission.
25-08-2010 - 20:00 25-08-2010 - 20:00
CVE-2009-5096 4.3
Cross-site scripting (XSS) vulnerability in the Flag Content module 5.x-2.x before 5.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Reason parameter.
29-08-2017 - 01:29 13-09-2011 - 19:59
CVE-2010-0370 3.5
Cross-site scripting (XSS) vulnerability in the Node Blocks module 5.x-1.1 and earlier, and 6.x-1.3 and earlier, a module for Drupal, allows remote authenticated users, with permissions to create or edit content and administer blocks, to inject arbit
10-10-2018 - 19:52 21-01-2010 - 22:30
CVE-2010-0697 3.5
Cross-site scripting (XSS) vulnerability in the iTweak Upload module 6.x-1.x before 6.x-1.2 and 6.x-2.x before 6.x-2.3 for Drupal allows remote authenticated users, with create content and upload file permissions, to inject arbitrary web script or HT
17-08-2017 - 01:32 23-02-2010 - 20:30
CVE-2010-0752 5.0
The week_post_page function in the Weekly Archive by Node Type module 6.x before 6.x-2.7 for Drupal does not properly implement node access restrictions when constructing SQL queries, which allows remote attackers to read restricted node listings via
17-08-2017 - 01:32 27-02-2010 - 00:30
CVE-2010-1107 3.5
Cross-site scripting (XSS) vulnerability in the Recent Comments module 5.x through 5.x-1.2 and 6.x through 6.x-1.0 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a "custom block title interface."
17-08-2017 - 01:32 25-03-2010 - 17:30
CVE-2010-1108 3.5
Cross-site scripting (XSS) vulnerability in the Control Panel module 5.x through 5.x-1.5 and 6.x through 6.x-1.2 for Drupal allows remote authenticated users, with "administer blocks" privileges, to inject arbitrary web script or HTML via unspecified
17-08-2017 - 01:32 25-03-2010 - 17:30
CVE-2010-1303 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy Filter module 6.x before 6.x-1.1 for Drupal allow remote authenticated users, with administer taxonomy permissions or create node permissions when free tagging is enabled, to inject
17-08-2017 - 01:32 08-04-2010 - 16:30
CVE-2010-1358 2.1
Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) module 5.x through 5.x-1.17 and 6.x through 6.x-1.9 for Drupal allows remote authenticated users, with "administer biblio" privileges, to inject arbitrary web script or HTML via un
14-04-2010 - 04:00 13-04-2010 - 18:30
CVE-2010-1530 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Internationalization module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with translate interface or administer blocks privileges, to inject arbitrary web script or HTML vi
27-04-2010 - 04:00 26-04-2010 - 18:30
CVE-2010-1536 2.1
Cross-site scripting (XSS) vulnerability in the AddThis Button module 5.x before 5.x-2.2 and 6.x before 6.x-2.9 for Drupal allows remote authenticated users, with administer addthis privileges, to inject arbitrary web script or HTML via unspecified v
27-04-2010 - 16:04 26-04-2010 - 19:30
CVE-2010-1539 2.1
Cross-site scripting (XSS) vulnerability in the Workflow module 5.x-2.x before 5.x-2.6 and 6.x-1.x before 6.x-1.4 for Drupal, when used with the Token module, might allow remote authenticated users to inject arbitrary web script or HTML via a certain
17-08-2017 - 01:32 26-04-2010 - 19:30
CVE-2010-1543 4.3
Cross-site scripting (XSS) vulnerability in the eTracker module before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML by appending a crafted string to an arbitrary URL associated with the Drupal site.
17-08-2017 - 01:32 26-04-2010 - 19:30
CVE-2010-1584 2.1
Cross-site scripting (XSS) vulnerability in the Context module before 6.x-2.0-rc4 for Drupal allows remote authenticated users, with Administer Blocks privileges, to inject arbitrary web script or HTML via a block description.
17-08-2017 - 01:32 19-05-2010 - 12:08
CVE-2010-1958 2.1
Cross-site scripting (XSS) vulnerability in the FileField module 5.x before 5.x-2.5 and 6.x before 6.x-3.4 for Drupal allows remote authenticated users, with create or edit permissions and 'Path to File' or 'URL to File' display enabled, to inject ar
17-08-2017 - 01:32 21-06-2010 - 19:30
CVE-2010-1976 2.1
Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb module 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via the node title in a Breadcrum
17-08-2017 - 01:32 19-05-2010 - 20:00
CVE-2010-1984 2.1
Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb module 5.x before 5.x-1.5 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via the ta
17-08-2017 - 01:32 19-05-2010 - 20:30
CVE-2010-1998 2.1
Cross-site scripting (XSS) vulnerability in the CCK TableField module 6.x before 6.x-1.2 for Drupal allows remote authenticated users, with certain node creation or editing privileges, to inject arbitrary web script or HTML via table headers.
17-08-2017 - 01:32 20-05-2010 - 17:30
CVE-2010-2000 2.1
Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) module 5.x through 5.x-1.17 and 6.x through 6.x-1.9 for Drupal allows remote authenticated users, with "administer biblio" privileges, to inject arbitrary web script or HTML via un
21-05-2010 - 04:00 20-05-2010 - 17:30
CVE-2010-2001 2.6
Cross-site scripting (XSS) vulnerability in the CiviRegister module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the URI.
21-05-2010 - 04:00 20-05-2010 - 17:30
CVE-2010-2048 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the Heartbeat module 6.x before 6.x-4.9 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
17-08-2017 - 01:32 25-05-2010 - 18:30
CVE-2010-2123 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) address,
17-08-2017 - 01:32 01-06-2010 - 21:30
CVE-2010-2125 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Rotor Banner module 5.x before 5.x-1.8 and 6.x before 6.x-2.5 for Drupal allow remote authenticated users, with "create rotor item" or "edit any rotor item" privileges, to inject arbitrary we
17-08-2017 - 01:32 01-06-2010 - 21:30
CVE-2010-2158 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) phone, o
08-06-2010 - 04:00 07-06-2010 - 17:12
CVE-2010-2352 5.0
The Node Reference module in Content Construction Kit (CCK) module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes.
17-08-2017 - 01:32 21-06-2010 - 19:30
CVE-2010-2353 5.0
The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and
17-08-2017 - 01:32 21-06-2010 - 19:30
CVE-2010-2724 2.1
Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 5.x before 5.x-3.2 and 6.x before 6.x-3.2 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via unspec
17-08-2017 - 01:32 13-07-2010 - 18:30
CVE-2010-3423 7.5
SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method.
17-08-2017 - 01:32 16-09-2010 - 22:00
CVE-2010-4519 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Views UI implementation in the Views module 5.x before 5.x-1.8 and 6.x before 6.x-2.11 for Drupal allow remote attackers to hijack the authentication of administrators for requests tha
27-12-2010 - 05:00 23-12-2010 - 18:00
CVE-2010-4520 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Views module 6.x before 6.x-2.11 for Drupal allow remote attackers to inject arbitrary web script or HTML via (1) a URL or (2) an aggregator feed title.
23-12-2010 - 18:00 23-12-2010 - 18:00
CVE-2010-4521 4.3
Cross-site scripting (XSS) vulnerability in the Views module 6.x before 6.x-2.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via a page path.
11-01-2011 - 06:46 23-12-2010 - 18:00
CVE-2010-4775 5.0
The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships.
17-08-2017 - 01:33 23-03-2011 - 22:00
CVE-2011-0899 5.0
The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user.
17-08-2017 - 01:33 07-02-2011 - 21:00
CVE-2011-1066 2.6
Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified v
17-08-2017 - 01:33 23-02-2011 - 01:00
CVE-2011-1661 5.0
The Node Quick Find module 6.x-1.1 for Drupal does not use db_rewrite_sql when presenting node titles, which allows remote attackers to bypass intended access restrictions and read potentially sensitive node titles via the autocomplete feature.
17-08-2017 - 01:34 10-04-2011 - 02:51
CVE-2011-1662 4.3
Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
17-08-2017 - 01:34 10-04-2011 - 02:51
CVE-2011-1663 7.5
SQL injection vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
17-08-2017 - 01:34 10-04-2011 - 02:51
CVE-2011-1664 6.8
Cross-site request forgery (CSRF) vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
17-08-2017 - 01:34 10-04-2011 - 02:51
CVE-2011-4113 7.5
SQL injection vulnerability in the Views module before 6.x-2.13 for Drupal allows remote attackers to execute arbitrary SQL commands via vectors related to "filters/arguments on certain types of views with specific configurations of arguments."
29-08-2017 - 01:30 17-02-2012 - 23:55
CVE-2011-4560 3.5
Cross-site scripting (XSS) vulnerability in the Petition Node module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to signing a petition.
29-08-2017 - 01:30 28-11-2011 - 21:55
CVE-2011-5030 3.5
Cross-site scripting (XSS) vulnerability in the Meta tags quick module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, probably related to "n
29-08-2017 - 01:30 29-12-2011 - 22:55
CVE-2012-0914 4.3
Cross-site scripting (XSS) vulnerability in display_renderers/panels_renderer_editor.class.php in the admin view in the Panels module 6.x-2.x before 6.x-3.10 and 7.x-3.x before 7.x-3.0 for Drupal allows remote authenticated users with certain privile
29-08-2017 - 01:31 24-01-2012 - 18:55
CVE-2012-1056 5.0
The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal does not properly enforce permissions for (1) Recent forwards, (2) Most forwarded, or (3) Dynamic blocks, which allows remote attackers to obtain node titles via unspeci
29-08-2017 - 01:31 14-02-2012 - 00:55
CVE-2012-1057 6.0
Cross-site request forgery (CSRF) vulnerability in the clickthrough tracking functionality in the Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of administrators for
29-08-2017 - 01:31 14-02-2012 - 00:55
CVE-2012-1060 2.1
Multiple cross-site scripting (XSS) vulnerabilities in revisioning_theme.inc in the Taxonomy module in the Revisioning module 6.x-3.13 and other versions before 6.x-3.14 for Drupal allow remote authenticated users with certain privileges to inject ar
14-02-2012 - 05:00 14-02-2012 - 00:55
CVE-2012-2056 6.8
Cross-site request forgery (CSRF) vulnerability in the Content Lock module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
18-09-2012 - 04:00 17-09-2012 - 20:55
CVE-2012-2339 4.3
Cross-site scripting (XSS) vulnerability in the Glossary module 6.x-1.x before 6.x-1.8 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "taxonomy information."
29-08-2017 - 01:31 21-05-2012 - 20:55
CVE-2012-2340 3.5
The Contact Forms module 7.x-1.x before 7.x-1.2 for Drupal does not specify sufficiently restrictive permissions, which allows remote authenticated users with the "access the site-wide contact form" permission to modify the module settings via unspec
28-06-2012 - 03:43 21-05-2012 - 20:55
CVE-2012-2341 6.8
Cross-site request forgery (CSRF) vulnerability in the Take Control module 6.x-2.x before 6.x-2.2 for Drupal allows remote attackers to hijack the authentication of unspecified users for Ajax requests that manipulate files.
29-12-2017 - 02:29 18-05-2012 - 22:55
CVE-2012-2907 2.6
Cross-site scripting (XSS) vulnerability in the aberdeen_breadcrumb function in template.php in the Aberdeen theme 6.x-1.x before 6.x-1.11 for Drupal, when set to append the content title to the breadcrumb, allows remote attackers to inject arbitrary
29-08-2017 - 01:31 21-05-2012 - 18:55
CVE-2006-4120 5.1
Cross-site scripting (XSS) vulnerability in the Recipe module (recipe.module) before 1.54 for Drupal 4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. If you do not use the Recipe Module, or use R
20-07-2017 - 01:32 14-08-2006 - 23:04
CVE-2007-0136 6.8
Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these
17-10-2018 - 18:39 09-01-2007 - 11:28
CVE-2007-5416 6.8
Drupal 5.2 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code by invoking the drupal
15-10-2018 - 21:44 12-10-2007 - 21:17
CVE-2007-5593 6.8
install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified.
29-07-2017 - 01:33 19-10-2007 - 23:17
CVE-2007-5594 4.3
Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack.
29-07-2017 - 01:33 19-10-2007 - 23:17
CVE-2007-6752 6.8
** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the
28-03-2012 - 16:30 28-03-2012 - 10:54
CVE-2008-1133 4.3
The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks.
05-09-2008 - 21:36 04-03-2008 - 18:44
CVE-2008-1729 5.8
The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for t
08-08-2017 - 01:30 11-04-2008 - 19:05
CVE-2008-2271 7.5
The Site Documentation Drupal module 5.x before 5.x-1.8 and 6.x before 6.x-1.1 allows remote authenticated users to gain privileges of other users by leveraging the "access content" permission to list tables and obtain session IDs from the database.
08-08-2017 - 01:30 16-05-2008 - 12:54
CVE-2008-4789 6.0
The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error."
08-08-2017 - 01:32 29-10-2008 - 15:31
CVE-2008-4790 6.0
The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors.
08-08-2017 - 01:32 29-10-2008 - 15:31
CVE-2008-4793 7.5
The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules.
08-08-2017 - 01:32 29-10-2008 - 15:31
CVE-2009-1738 3.5
Cross-site scripting (XSS) vulnerability in Feed Block 6.x-1.x before 6.x-1.1, a module for Drupal, allows remote authenticated users with administrator feed permissions to inject arbitrary web script or HTML via unspecified vectors in "aggregator it
17-08-2017 - 01:30 20-05-2009 - 19:30
CVE-2009-2372 6.5
Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTM
08-07-2009 - 15:30 08-07-2009 - 15:30
CVE-2009-2374 5.0
Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web s
08-07-2009 - 15:30 08-07-2009 - 15:30
CVE-2010-2021 5.8
Open redirect vulnerability in the Global Redirect module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, when non-clean to clean is enabled, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks
17-08-2017 - 01:32 25-06-2012 - 21:55
CVE-2010-5275 4.3
Cross-site scripting (XSS) vulnerability in memcache_admin in the Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-10-2012 - 04:00 07-10-2012 - 20:55
CVE-2010-5276 4.3
The Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal does not properly handle the $user object in memcache_admin, which might "lead to a role change not being recognized until the user logs in again."
08-10-2012 - 21:19 07-10-2012 - 20:55
CVE-2010-5277 4.9
Unspecified vulnerability in the Views Bulk Operations module 6 before 6.x-1.10 for Drupal allows remote authenticated users with user management permissions to bypass intended access restrictions and delete anonymous users (user 0) via unspecified v
29-08-2017 - 01:29 07-10-2012 - 20:55
CVE-2011-0771 6.8
The Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a cra
17-08-2017 - 01:33 04-02-2011 - 01:00
CVE-2011-5187 2.1
Cross-site scripting (XSS) vulnerability in the Support Ticketing System module 6.x-1.x before 6.x-1.7 for Drupal allows remote authenticated users with the "administer support projects" permission to inject arbitrary web script or HTML via unspecifi
29-08-2017 - 01:30 20-09-2012 - 10:55
CVE-2011-5188 2.1
Cross-site scripting (XSS) vulnerability in the Support Timer module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "track time spent" permission to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:30 20-09-2012 - 10:55
CVE-2011-5189 2.1
Cross-site scripting (XSS) vulnerability in the Webform Validation module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with permissions to "update Webform nodes" to inject arbitrary web script or HTML
29-08-2017 - 01:30 20-09-2012 - 10:55
CVE-2012-1624 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the Lingotek module 6.x-1.x before 6.x-1.40 for Drupal allow remote authenticated users to inject arbitrary web script or HTML when (1) creating or (2) editing page content.
29-08-2017 - 01:31 06-10-2012 - 21:55
CVE-2012-1625 6.0
Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to exe
20-09-2012 - 18:12 20-09-2012 - 03:46
CVE-2012-1626 6.0
SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer Date Tools" privilege to execute arbitrary SQL commands via unspecified vectors.
29-08-2017 - 01:31 20-09-2012 - 03:46
CVE-2012-1627 3.5
Cross-site scripting (XSS) vulnerability in vud_term.module in the Vote Up/Down module 6.x-2.x before 6.x-2.8 and 6.x-3.x before 6.x-3.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via taxonomy terms.
15-10-2012 - 04:00 20-09-2012 - 00:55
CVE-2012-1630 2.1
Cross-site scripting (XSS) vulnerability in the Taxonomy Navigator module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 20-09-2012 - 03:46
CVE-2012-1632 2.1
Cross-site scripting (XSS) vulnerability in password_policy.admin.inc in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote authenticated users with administer policies permissions to inject arbitrary web script or H
20-09-2012 - 17:51 20-09-2012 - 00:55
CVE-2012-1633 6.8
Cross-site request forgery (CSRF) vulnerability in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote attackers to hijack the authentication of administrative users for requests that unblock a user.
29-04-2017 - 01:59 20-09-2012 - 00:55
CVE-2012-1634 4.3
Cross-site scripting (XSS) vulnerability in video_filter.codecs.inc in the Video Filter module 6.x-2.x and 7.x-2.x for Drupal allows remote attackers to inject arbitrary web script or HTML via the EMBEDLOOKUP parameter for Blip.tv links.
29-08-2017 - 01:31 06-10-2012 - 21:55
CVE-2012-1635 6.4
The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the current user even when it is called to check permissions of other users, which allows remote attackers to bypass intended access r
29-08-2012 - 04:00 28-08-2012 - 17:55
CVE-2012-1636 4.3
Cross-site request forgery (CSRF) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of users for requests that delete stickynotes via unspecified vectors.
02-10-2012 - 04:00 01-10-2012 - 22:55
CVE-2012-1642 5.0
includes/linkchecker.pages.inc in the Link checker module 6.x-2.x before 6.x-2.5 for Drupal does not properly enforce access permissions on broken links, which allows remote attackers to obtain sensitive information via unspecified vectors.
29-08-2012 - 04:00 28-08-2012 - 17:55
CVE-2012-1643 5.0
The Faster Permissions module 7.x-2.x before 7.x-1.2 for Drupal does not check the "administer permissions" permission, which allows remote attackers to modify access permissions via unspecified vectors.
29-08-2012 - 04:00 28-08-2012 - 17:55
CVE-2012-1644 2.1
The Organic Groups (OG) Vocabulary module 6.x-1.x before 6.x-1.2 for Drupal allows remote authenticated users with certain administrator permissions to modify the vocabularies of other groups via unspecified vectors.
29-08-2017 - 01:31 28-08-2012 - 17:55
CVE-2012-1645 2.6
The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin Pull mode with the "Far Future expiration" option enabled, allows remote attackers to read arbitrary PHP files via unspecified vectors, as demonstrated by reading settings.php.
29-08-2012 - 04:00 28-08-2012 - 17:55
CVE-2012-1647 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the "stand alone PHP application for the OSM Player," as used in the MediaFront module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal, allow remote attackers to inject arbitrary web
29-08-2017 - 01:31 28-08-2012 - 17:55
CVE-2012-1650 6.0
The ZipCart module 6.x before 6.x-1.4 for Drupal checks the "access content" permission instead of the "access ZipCart downloads" permission when building archives, which allows remote authenticated users with access content permission to bypass inte
29-08-2017 - 01:31 28-08-2012 - 17:55
CVE-2012-1651 3.5
Cross-site scripting (XSS) vulnerability in the Submenu Tree module before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
20-09-2012 - 04:00 19-09-2012 - 19:55
CVE-2012-1652 2.1
Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 6.x-3.x before 6.x-3.8 for Drupal allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via unspecified vectors related
29-08-2017 - 01:31 19-09-2012 - 19:55
CVE-2012-1655 4.0
Unspecified vulnerability in the UC PayDutchGroup / WeDeal payment module 6.x-1.0 for Drupal allows remote authenticated users to obtain account credentials via unknown attack vectors.
29-08-2017 - 01:31 18-09-2012 - 20:55
CVE-2012-1656 6.8
SQL injection vulnerability in the Multisite Search module 6.x-2.2 for Drupal allows remote authenticated users with certain permissions to execute arbitrary SQL commands via the Site table prefix field.
29-08-2017 - 01:31 18-09-2012 - 20:55
CVE-2012-1657 2.1
Cross-site scripting (XSS) vulnerability in block_class.module in the Block Class module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the class name.
29-08-2017 - 01:31 18-09-2012 - 20:55
CVE-2012-1658 2.1
Cross-site scripting (XSS) vulnerability in the Read More Link module 6.x-3.x before 6.x-3.1 for Drupal allows remote authenticated users with the access administration pages permission to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 18-09-2012 - 20:55
CVE-2012-1660 2.1
Multiple cross-site scripting (XSS) vulnerabilities in components/select.inc in the Webform module 6.x-3.x before 6.x-3.17 and 7.x-3.x before 7.x-3.17 for Drupal, when the "Select (or other)" module is enabled, allow remote authenticated users with t
29-08-2017 - 01:31 18-09-2012 - 20:55
CVE-2012-2057 6.8
Cross-site request forgery (CSRF) vulnerability in the Ubercart Bulk Stock Updater module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors related to formAPI.
29-08-2017 - 01:31 17-09-2012 - 20:55
CVE-2012-2058 5.0
The Ubercart Payflow module for Drupal does not use a secure token, which allows remote attackers to forge payments via unspecified vectors.
29-08-2017 - 01:31 17-09-2012 - 20:55
CVE-2012-2059 4.3
Cross-site scripting (XSS) vulnerability in the ticketyboo News Ticker module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 17-09-2012 - 20:55
CVE-2012-2060 4.3
Cross-site scripting (XSS) vulnerability in the Admin tools module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 17-09-2012 - 20:55
CVE-2012-2061 6.8
Cross-site request forgery (CSRF) vulnerability in the Admin tools module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors involving "not checking tokens."
29-08-2017 - 01:31 17-09-2012 - 20:55
CVE-2012-2062 6.4
Open redirect vulnerability in the Redirecting click bouncer module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
29-08-2017 - 01:31 17-09-2012 - 20:55
CVE-2012-2064 4.3
Cross-site scripting (XSS) vulnerability in theme/views_lang_switch.theme.inc in the Views Language Switcher module before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via the q parameter.
05-09-2012 - 04:00 05-09-2012 - 00:55
CVE-2012-2065 3.5
Cross-site scripting (XSS) vulnerability in the Language Icons module 6.x-2.x before 6.x-2.1 and 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with administer languages permissions to inject arbitrary web script or HTML via unsp
05-09-2012 - 04:00 05-09-2012 - 00:55
CVE-2012-2068 2.1
Multiple cross-site scripting (XSS) vulnerabilities in fancy_slide.module in the Fancy Slide module before 6.x-2.7 for Drupal allow remote authenticated users with the administer fancy_slide permission to inject arbitrary web script or HTML via the (
29-08-2017 - 01:31 05-09-2012 - 00:55
CVE-2012-2069 6.8
Cross-site request forgery (CSRF) vulnerability in the Wishlist module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.6 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting
30-10-2012 - 04:03 06-09-2012 - 17:55
CVE-2012-2071 2.1
Cross-site scripting (XSS) vulnerability in the Contact Forms module 6.x-1.x before 6.x-1.13 for Drupal, when the core contact form is enabled, allows remote authenticated users with the administer site-wide contact form permission to inject arbitrary
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2072 2.1
Cross-site scripting (XSS) vulnerability in the Share Buttons (AddToAny) module 6.x-3.x before 6.x-3.4 for Drupal allows remote authenticated users with the administer addtoany permission to inject arbitrary web script or HTML via unspecified vectors
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2073 6.0
The Bundle copy module 7.x-1.x before 7.x-1.1 for Drupal does not check for the "use PHP for settings" permission while importing settings, which allows remote authenticated users with certain permissions to execute arbitrary PHP code via unspecified
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2074 5.0
Unspecified vulnerability in certain default views in the Ubercart Views module 6.x before 6.x-3.2 for Drupal allows remote attackers to obtain sensitive information via unknown attack vectors.
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2075 2.1
Cross-site scripting (XSS) vulnerability in the Contact Save module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the access site-wide contact form permission to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2076 2.1
Cross-site scripting (XSS) vulnerability in the administration forms in the ShareThis module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with administer sharethis permissions to inject arbitrary web script or HTML via unspecif
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2077 5.1
Cross-site request forgery (CSRF) vulnerability in the ShareThis module 7.x-2.x before 7.x-2.3 for Drupal allows remote attackers to hijack the authentication of users with administer sharethis permissions via unknown vectors "outside of the Form API
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2080 6.8
Cross-site request forgery (CSRF) vulnerability in the Node Limit Number module before 6.x-1.2 for Drupal allows remote attackers to hijack the authentication of users with the administer node limitnumber permission for requests that delete limits.
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2081 5.0
The Organic Groups (OG) module 6.x-2.x before 6.x-2.3 for Drupal does not properly restrict access, which allows remote attackers to obtain sensitive information such as private group titles via a request through the Views module.
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2083 4.3
Cross-site scripting (XSS) vulnerability in the fusion_core_preprocess_page function in fusion_core/template.php in the Fusion module before 6.x-1.13 for Drupal allows remote attackers to inject arbitrary web script or HTML via the q parameter.
04-09-2012 - 04:00 31-08-2012 - 22:55
CVE-2012-2084 4.3
Cross-site scripting (XSS) vulnerability in the Printer, email and PDF versions module 6.x-1.x before 6.x-1.15 and 7.x-1.x before 7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably the
29-08-2017 - 01:31 22-11-2012 - 12:28
CVE-2012-2096 5.0
The Fivestar module 6.x-1.x before 6.x-1.20 for Drupal does not properly validate voting data, which allows remote attackers to manipulate voting averages via a negative value in the vote parameter.
15-08-2012 - 04:00 14-08-2012 - 21:55
CVE-2012-2097 6.8
Cross-site request forgery (CSRF) vulnerability in the Autosave module 6.x before 6.x-2.10 and 7.x-2.x before 7.x-2.0 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests involving "submitting saved results
29-08-2017 - 01:31 14-08-2012 - 21:55
CVE-2012-2117 4.3
Cross-site scripting (XSS) vulnerability in the Gigya - Social optimization module 6.x before 6.x-3.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 31-08-2012 - 22:55
CVE-2012-2154 4.3
Cross-site scripting (XSS) vulnerability in the CDN2 Video module 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2155 6.8
Cross-site request forgery (CSRF) vulnerability in the CDN2 Video module 6.x for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
29-08-2017 - 01:31 14-08-2012 - 23:55
CVE-2012-2296 5.0
The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x, 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a
29-08-2017 - 01:31 25-07-2012 - 21:55
CVE-2012-2298 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the RealName module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) "user names in page titles" and (2) "autocomplete ca
29-08-2017 - 01:31 14-08-2012 - 22:55
CVE-2012-2299 2.1
The Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal stores passwords for new customers in plaintext during checkout, which allows local users to obtain sensitive information by reading from the database.
15-08-2012 - 04:00 14-08-2012 - 22:55
CVE-2012-2300 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal allow remote authenticated users with the administer product classes permission to inject arbitrary web script or
15-08-2012 - 18:47 14-08-2012 - 22:55
CVE-2012-2302 5.0
Site Documentation (Sitedoc) module for Drupal 6.x-1.x before 6.x-1.4 does not properly check the save location when archiving, which allows remote attackers to obtain sensitive information via unspecified vectors.
08-08-2012 - 04:00 25-07-2012 - 21:55
CVE-2012-2303 7.5
The Spaces module 6.x-3.x before 6.x-3.4 for Drupal does not enforce permissions on non-object pages, which allows remote attackers to obtain sensitive information and possibly have other impacts via unspecified vectors to the (1) Spaces or (2) Space
09-08-2012 - 04:00 18-07-2012 - 18:55
CVE-2012-2304 4.3
The Linkit module 7.x-2.x before 7.x-2.3 for Drupal, when using an entity access module, does not check permissions when searching for entities, which allows remote attackers to obtain sensitive information via unspecified vectors.
29-08-2017 - 01:31 14-08-2012 - 22:55
CVE-2012-2305 6.8
Cross-site request forgery (CSRF) vulnerability in the Node Gallery module for Drupal 6.x-3.1 and earlier allows remote attackers to hijack the authentication of certain users for requests that create node galleries.
09-08-2012 - 04:00 25-07-2012 - 21:55
CVE-2012-2306 7.5
SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
11-09-2012 - 04:00 25-07-2012 - 21:55
CVE-2012-2307 6.8
Cross-site request forgery (CSRF) vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
30-07-2012 - 04:00 25-07-2012 - 21:55
CVE-2012-2308 3.5
Cross-site scripting (XSS) vulnerability in the Taxonomy Grid : Catalog module for Drupal 6.x-1.6 and earlier allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:31 25-07-2012 - 21:55
CVE-2012-2309 3.5
Cross-site scripting (XSS) vulnerability in the Glossify Internal Links Auto SEO module for Drupal 6.x-2.5 and earlier allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors.
30-07-2012 - 04:00 25-07-2012 - 21:55
CVE-2012-2310 3.5
Cross-site scripting (XSS) vulnerability in the cctags module for Drupal 6.x-1.x before 6.x-1.10 and 7.x-1.x before 7.x-1.10 allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors.
08-08-2012 - 04:00 25-07-2012 - 21:55
CVE-2012-2702 5.0
The Ubercart Product Keys module 6.x-1.x before 6.x-1.1 for Drupal does not properly check access for product keys, which allows remote attackers to read all unassigned product keys via certain conditions related to the uid.
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2703 2.6
Cross-site scripting (XSS) vulnerability in the Advertisement module 6.x-2.x before 6.x-2.3 for Drupal, when debug mode is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to the "$conf variable in settings.
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2704 5.0
The Advertisement module 6.x-2.x before 6.x-2.3 for Drupal does not properly restrict access to debug information, which allows remote attackers to obtain sensitive site configuration information that is specified by the $conf variable in settings.ph
29-08-2017 - 01:31 31-08-2012 - 20:55
CVE-2012-2706 4.3
Cross-site scripting (XSS) vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to user registration.
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2710 2.6
Cross-site scripting (XSS) vulnerability in the Zen module 6.x-1.x before 6.x-1.1 for Drupal, when "Append the content title to the end of the breadcrumb" is enabled, allows remote attackers to inject arbitrary web script or HTML via the content titl
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2711 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy List module 6.x-1.x before 6.x-1.4 for Drupal allow remote authenticated users with create or edit taxonomy terms permissions to inject arbitrary web script or HTML via vectors relat
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2712 2.6
Multiple cross-site scripting (XSS) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.1 for Drupal, when supporting manual entry of field identifiers, allow remote attackers to inject arbitrary web script or HTML via vectors related to th
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2715 4.3
Cross-site scripting (XSS) vulnerability in the themes_links function in template.php in the Amadou theme module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to class attributes
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2717 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Mobile Tools module 6.x-2.x before 6.x-2.3 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) Mobile URL field or (2) Desktop URL field to the General config
29-08-2017 - 01:31 27-06-2012 - 21:55
CVE-2012-2721 6.8
The default views in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal do not properly check permissions when all users have the "access content" permission removed, which allows remote attackers to bypass access restrictions and possi
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2722 4.3
The node selection interface in the WYSIWYG editor (CKEditor) in the Node Embed module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.0 for Drupal does not properly check permissions, which allows remote attackers to bypass intended access restricti
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2728 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Node Hierarchy module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to hijack the authentication of administrators for requests that change a node hierarchy position via an
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2731 2.6
The Ubercart AJAX Cart 6.x-2.x before 6.x-2.1 for Drupal stores the PHP session id in the JavaScript settings array in page loads, which might allow remote attackers to obtain sensitive information by sniffing or reading the cache of the HTML of a we
29-08-2017 - 01:31 27-06-2012 - 00:55
CVE-2012-2922 5.0
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.
29-08-2017 - 01:31 21-05-2012 - 22:55
CVE-2012-3800 2.1
Cross-site scripting (XSS) vulnerability in og.js in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal, when used with the Vertical Tabs module, allows remote authenticated users to inject arbitrary web script or HTML via vectors relat
29-08-2017 - 01:32 27-06-2012 - 00:55
CVE-2012-3802 4.0
Unspecified vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote authenticated users to read the commissions of other users via unknown attack vectors.
29-08-2017 - 01:32 27-06-2012 - 18:55
CVE-2012-4468 4.3
Cross-site scripting (XSS) vulnerability in the Privatemsg module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a user name in a private message.
30-01-2013 - 04:54 30-11-2012 - 22:55
CVE-2012-4469 2.6
Cross-site scripting (XSS) vulnerability in the Hashcash module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.2 for Drupal, when "Log failed hashcash" is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid token,
03-12-2012 - 05:00 30-11-2012 - 22:55
CVE-2012-4470 7.5
The Listhandler module 6.x-1.x before 6.x-1.1 for Drupal does not properly check permissions when importing emails, which allows remote comment authors to bypass access restrictions and possibly have other unspecified impact.
30-01-2013 - 04:54 30-11-2012 - 22:55
CVE-2012-4475 5.0
The Security Questions module for Drupal 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.1 does not properly restrict access, which allows remote attackers to edit an arbitrary user's questions and answers via unspecified vectors.
03-12-2012 - 05:00 30-11-2012 - 22:55
CVE-2012-4482 5.0
The Ubercart SecureTrading Payment Method module 6.x for Drupal does not properly verify payment notification information, which allows remote attackers to purchase an item without paying via unspecified vectors.
02-11-2012 - 04:00 31-10-2012 - 16:55
CVE-2012-4484 4.3
Cross-site scripting (XSS) vulnerability in the administrative interface in the Campaign Monitor module before 6.x-2.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this refers to an issue in
27-06-2018 - 01:29 31-10-2012 - 16:55
CVE-2012-4485 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the galleryformatter_field_formatter_view function in galleryformatter.tpl.php in the Gallery formatter module before 7.x-1.2 for Drupal allow remote authenticated users with permissions to create
20-07-2013 - 03:31 31-10-2012 - 16:55
CVE-2012-4488 5.0
The Location module 6.x before 6.x-3.2 and 7.x before 7.x-3.0-alpha1 for Drupal does not properly check user or node access permissions, which allows remote attackers to read node or user results via the location search page.
02-11-2012 - 04:00 31-10-2012 - 16:55
CVE-2012-4489 5.8
Open redirect vulnerability in the securelogin_secure_redirect function in the Secure Login module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q para
02-03-2013 - 04:45 31-10-2012 - 16:55
CVE-2012-4490 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Excluded Users module 6.x-1.x before 6.x-1.1 for Drupal allow remote attackers to inject arbitrary web script or HTML via a (1) user name or (2) email address.
02-03-2013 - 04:45 31-10-2012 - 16:55
CVE-2012-4491 5.8
The Monthly Archive by Node Type module 6.x for Drupal does not properly check permissions defined by node_access modules, which allows remote attackers to access restricted nodes via unspecified vectors.
02-03-2013 - 04:45 31-10-2012 - 16:55
CVE-2012-4492 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URLs module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecif
02-03-2013 - 04:45 31-10-2012 - 16:55
CVE-2012-4493 2.1
Cross-site scripting (XSS) vulnerability in the administrative interface in the Better Revisions module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer better revisions" permission to inject arbitrary web scri
06-11-2012 - 05:00 02-11-2012 - 15:55
CVE-2012-4494 4.3
The Shibboleth authentication module 7.x-4.0 for Drupal does not properly check the active status of users, which allows remote blocked users to bypass intended access restrictions and possibly have other impacts by logging in.
02-11-2012 - 04:00 31-10-2012 - 16:55
CVE-2012-4495 4.0
The Mime Mail module 6.x-1.x before 6.x-1.1 for Drupal does not properly restrict access to files outside Drupal's publish files directory, which allows remote authenticated users to send arbitrary files as attachments.
02-03-2013 - 04:45 31-10-2012 - 16:55
CVE-2012-4496 2.1
Cross-site scripting (XSS) vulnerability in the Custom Publishing Options module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer nodes" permission to inject arbitrary web script or HTML via the status labels p
30-11-2017 - 02:29 31-10-2012 - 16:55
CVE-2012-4498 7.5
The Activism module 6.x-2.x before 6.x-2.1 for Drupal does not properly restrict access to the "Campaign" content type, which might allow remote attackers to bypass access restrictions and possibly have other unspecified impact.
06-11-2012 - 05:00 02-11-2012 - 15:55
CVE-2012-4499 5.0
The contact formatter page in the Email Field module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to email the stored address in the entity via unspecified vectors.
01-11-2012 - 04:00 31-10-2012 - 16:55
CVE-2012-4500 3.5
The Announcements module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the "access announcements" permission to bypass node access restrictions and possibly have other unspecified impact.
02-03-2013 - 04:45 31-10-2012 - 16:55
CVE-2012-5007 5.0
The Fill PDF module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to write to arbitrary PDF files via unspecified vectors related to the fillpdf_merge_pdf function and incorrect arguments, a different vulnerability than CVE-2012-1625. NO
20-09-2012 - 18:47 20-09-2012 - 03:46
CVE-2012-5233 2.1
Cross-site scripting (XSS) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote authenticated users with edit stickynotes privileges to inject arbitrary web script or HTML via unspecified vectors.
02-10-2012 - 04:00 01-10-2012 - 22:55
CVE-2012-5537 6.0
The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5538 2.1
Cross-site scripting (XSS) vulnerability in the FileField Sources module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.6 for Drupal, when the field has "Reference existing" source enabled, allows remote authenticated users to inject arbitrary web s
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5539 3.5
The Organic Groups (OG) module 7.x-1.x before 7.x-1.5 for Drupal does not properly maintain pending group memberships, which allows remote authenticated users to post to arbitrary groups by modifying their own account while a pending membership is wa
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5540 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Hostip module 6.x-2.x before 6.x-2.2 and 7.x-2.x before 7.x-2.2 for Drupal allow remote attackers with control of hostip.info to inject arbitrary web script or HTML via unspecified vectors.
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5541 4.3
Cross-site scripting (XSS) vulnerability in the Twitter Pull module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.0-rc3 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "data coming from T
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5542 6.8
Cross-site request forgery (CSRF) vulnerability in the Commerce Extra Panes module 7.x-1.x before 7.x-1.1 in Drupal allows remote attackers to hijack the authentication of administrators for requests that enable or disable a Commerce extra panes pane
29-08-2017 - 01:32 03-12-2012 - 21:55
CVE-2012-5543 4.3
The Feeds module 7.x-2.x before 7.x-2.0-alpha6 for Drupal, when a field is mapped to the node's author, does not properly check permissions, which allows remote attackers to create arbitrary nodes via a crafted source feed.
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5544 4.0
The Mandrill module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to obtain password reset links by reading the logs in the Mandrill dashboard.
17-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5545 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the ShareThis module 7.x-2.x before 7.x-2.5 for Drupal allow remote authenticated users with the "administer sharethis" permission to inject arbitrary web script or HTML via unspecified vectors r
26-02-2013 - 04:52 03-12-2012 - 21:55
CVE-2012-5547 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5551 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the MailChimp module 7.x-2.x before 7.x-2.7 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) a predictable "webhook URL key" and (2) improper sa
26-02-2013 - 04:52 03-12-2012 - 21:55
CVE-2012-5552 5.0
The Password policy module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to obtain password hashes by sniffing the network, related to "client-side password history checks."
20-07-2013 - 03:33 03-12-2012 - 21:55
CVE-2012-5556 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unkn
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5557 3.6
The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal does not properly assign roles when there are more than three roles on the site and certain unspecified configurations, which might allow remote authenticated use
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5569 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via a (1) page title or (2) crafted email message.
04-12-2012 - 05:00 03-12-2012 - 21:55
CVE-2012-5584 4.3
The Table of Contents module 6.x-3.x before 6.x-3.8 for Drupal does not properly check node permissions, which allows remote attackers to read a node's headers by accessing a table of contents block.
08-01-2013 - 05:00 26-12-2012 - 17:55
CVE-2012-5585 2.1
Cross-site scripting (XSS) vulnerability in the Mixpanel module 6.x-1.x before 6.x-1.1 in Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via the Maxpanel token.
26-02-2013 - 04:52 26-12-2012 - 17:55
CVE-2012-5586 2.1
The Services module 6.x-3.x before 6.x-3.3 and 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "access user profiles" permission to access arbitrary users' emails via vectors related to the "user index method" and "the pa
26-02-2013 - 04:52 26-12-2012 - 17:55
CVE-2012-5587 4.3
Cross-site scripting (XSS) vulnerability in the Email Field module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the mailto link.
08-01-2013 - 05:00 26-12-2012 - 17:55
CVE-2012-5588 2.6
The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a field permission module and the field contact field formatter is set to the full or teaser display mode, does not properly check permissions, which allows remote attackers to emai
27-12-2012 - 05:00 26-12-2012 - 17:55
CVE-2012-5589 3.5
The MultiLink module 6.x-2.x before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal does not properly check node permissions when generating an in-content link, which allows remote authenticated users with text-editing permissions to read arbitrary nod
27-12-2012 - 05:00 26-12-2012 - 17:55
CVE-2012-5590 7.5
SQL injection vulnerability in the Webmail Plus module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
26-02-2013 - 04:52 26-12-2012 - 17:55
CVE-2012-5654 4.3
The Nodewords: D6 Meta Tags module before 6.x-1.14 for Drupal, when configured to automatically generate description meta tags from node text, does not properly filter node content when creating tags, which might allow remote attackers to obtain sens
03-01-2013 - 05:00 03-01-2013 - 01:55
CVE-2012-5655 5.0
The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request.
07-01-2013 - 05:00 03-01-2013 - 01:55
CVE-2012-5704 3.5
The Hotblocks module 6.x-1.x before 6.x-1.8 for Drupal allows remote authenticated users with the "administer hotblocks" permission to cause a denial of service (infinite loop and time out) via a block that references itself.
01-11-2012 - 10:44 01-11-2012 - 10:44
CVE-2012-5705 2.1
Cross-site scripting (XSS) vulnerability in the settings page (admin/settings/hotblocks) in the Hotblocks module 6.x-1.x before 6.x-1.8 for Drupal allows remote authenticated users with the "administer hotblocks" permission to inject arbitrary web sc
02-11-2012 - 04:00 01-11-2012 - 10:44
CVE-2012-6572 4.3
Cross-site scripting (XSS) vulnerability in the phptemplate_preprocess_node function in template.php in the Inf08 theme 6.x-1.x before 6.x-1.10 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary
29-08-2017 - 01:32 21-06-2013 - 19:55
CVE-2012-6574 4.3
Cross-site scripting (XSS) vulnerability in the Fonecta verify module 7.x-1.x before 7.x-1.6 for Drupal allows remote attackers from certain sources to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:32 27-06-2013 - 20:55
CVE-2012-6575 4.3
Cross-site scripting (XSS) vulnerability in the Exposed Filter Data module 6.x-1.x before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:32 27-06-2013 - 20:55
CVE-2012-6582 2.6
Cross-site scripting (XSS) vulnerability in the Spambot module 6.x-3.x before 6.x-3.2 and 7.x-1.x before 7.x-1.1 for Drupal allows certain remote attackers to inject arbitrary web script or HTML via a stopforumspam.com API response, which is logged b
29-08-2017 - 01:32 20-08-2013 - 18:14
CVE-2012-6583 2.1
Cross-site scripting (XSS) vulnerability in the Imagemenu module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer imagemenu" permission to inject arbitrary web script or HTML via an image file name.
29-08-2017 - 01:32 23-08-2013 - 15:55
CVE-2013-0181 2.6
Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, w
29-08-2017 - 01:32 27-03-2013 - 21:55
CVE-2013-0205 6.8
Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vector
21-03-2013 - 04:00 19-03-2013 - 14:55
CVE-2013-0206 6.0
Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the "administer CSS" permissions to execute arbitrary code by uploading a file with an e
21-03-2013 - 09:26 19-03-2013 - 14:55
CVE-2013-0207 6.8
Cross-site request forgery (CSRF) vulnerability in the Mark Complete module 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
21-03-2013 - 14:21 19-03-2013 - 14:55
CVE-2013-0224 4.4
The Video module 7.x-2.x before 7.x-2.9 for Drupal, when using the FFmpeg transcoder, allows local users to execute arbitrary PHP code by modifying a temporary PHP file.
21-03-2013 - 04:00 19-03-2013 - 14:55
CVE-2013-0225 2.1
Cross-site scripting (XSS) vulnerability in the User Relationships module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-alpha5 for Drupal allows remote authenticated users with the "administer user relationships" permission to inject arbitrary we
21-03-2013 - 04:00 19-03-2013 - 14:55
CVE-2013-0227 2.1
Cross-site scripting (XSS) vulnerability in the Search API Sorts module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified field labels.
21-03-2013 - 04:00 19-03-2013 - 14:55
CVE-2013-0258 6.8
The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 for Drupal, when multi-factor authentication is enabled, allows remote attackers to bypass authentication for accounts without an associated Google Authenticator token by logging in
05-04-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-0260 2.1
Unspecified vulnerability in the Drush Debian Packaging module for Drupal allows local users to obtain database credentials via unknown vectors.
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-0317 4.3
Cross-site scripting (XSS) vulnerability in the Manager Change for Organic Groups (og_manager_change) module 7.x-2.x before 7.x-2.1 for Drupal might allow remote attackers to inject arbitrary web script or HTML via the username in the new manager aut
04-04-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-0319 4.3
Cross-site scripting (XSS) vulnerability in the Yandex.Metrics module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to the Yandex.Metrica service data.
04-04-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-0320 5.1
Cross-site request forgery (CSRF) vulnerability in the Taxonomy Manager (taxonomy_manager) module 6.x-2.x before 6.x-2.2 and 7.x-1.x before 7.x-1.0-rc1 for Drupal allows remote attackers to hijack the authentication of users with 'administer taxonomy
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-0321 4.3
Cross-site scripting (XSS) vulnerability in Views in the Ubercart Views (uc_views) module 6.x before 6.x-3.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.
28-03-2013 - 15:28 27-03-2013 - 21:55
CVE-2013-0322 4.3
Cross-site scripting (XSS) vulnerability in Views in the Ubercart module 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.
20-07-2013 - 03:35 27-03-2013 - 21:55
CVE-2013-0324 2.1
Cross-site scripting (XSS) vulnerability in the Rendered links formatter in the Menu Reference module 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with the "Administer menus and menu items" permission to inject arbitrary web sc
04-04-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-0325 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Varnish module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta2 for Drupal allow remote attackers to inject arbitrary web script or HTML via a crafted (1) Watchdog message or (2) admin
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-1887 2.1
Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields.
28-03-2013 - 04:00 27-03-2013 - 23:55
CVE-2013-1906 4.3
Cross-site scripting (XSS) vulnerability in the Rules module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with the "administer rules" permission to inject arbitrary web script or HTML via a rule tag.
25-06-2013 - 15:12 24-06-2013 - 16:55
CVE-2013-1946 4.3
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a
07-04-2014 - 17:00 06-04-2014 - 16:55
CVE-2013-1971 2.1
Cross-site scripting (XSS) vulnerability in the MP3 Player module for Drupal 6.x allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the file name of an MP3 file.
29-08-2017 - 01:33 25-06-2013 - 18:55
CVE-2013-2036 4.3
Cross-site scripting (XSS) vulnerability in the Filebrowser module 6.x-2.x before 6.x-2.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "lists of files."
29-08-2017 - 01:33 24-06-2013 - 16:55
CVE-2013-2122 5.0
The Edit Limit module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to comments, which allows remote authenticated users with the "edit comments" permission to edit arbitrary comments of other users via unspecified vectors.
29-08-2017 - 01:33 16-07-2013 - 18:55
CVE-2013-2123 5.8
The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to content containing a user reference field when the author update/delete grants are enabled and the author's user
07-10-2013 - 17:48 28-08-2013 - 22:55
CVE-2013-2129 4.3
Cross-site scripting (XSS) vulnerability in the Webform module 6.x-3.x before 6.x-3.19 for Drupal allows remote authenticated users with the "edit own webform content" or "edit all webform content" permissions to inject arbitrary web script or HTML v
29-08-2017 - 01:33 24-06-2013 - 16:55
CVE-2013-2158 6.8
Cross-site request forgery (CSRF) vulnerability in the Services module 6.x-3.x and 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
29-08-2017 - 01:33 01-07-2013 - 21:55
CVE-2013-2177 4.3
Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via an entity bundle l
26-06-2013 - 19:23 25-06-2013 - 18:55
CVE-2013-2197 4.3
The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal, when using the login delay option, allows remote attackers to cause a denial of service (CPU consumption) via a large number of failed login attempts.
07-10-2013 - 17:46 28-08-2013 - 22:55
CVE-2013-2247 7.5
The Fast Permissions Administration module 6.x-2.x before 6.x-2.5 and 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to the modal content callback, which allows remote attackers to obtain unspecified access to the permissions edi
07-10-2013 - 17:45 28-08-2013 - 22:55
CVE-2013-2715 2.1
Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field n
29-08-2017 - 01:33 27-03-2013 - 21:55
CVE-2013-4139 5.0
The Stage File Proxy module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to cause a denial of service (file operations performance degradation and failure) via a large number of requests.
29-08-2013 - 17:06 28-08-2013 - 22:55
CVE-2013-4140 2.1
Cross-site scripting (XSS) vulnerability in the TinyBox (Simple Splash) module before 7.x-2.2 for Drupal allows remote authenticated users with the "administer tinybox" permission to inject arbitrary web script or HTML via unspecified vectors.
29-08-2017 - 01:33 29-07-2013 - 23:27
CVE-2013-4174 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Scald module 7.x-1.x before 7.x-1.1 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) flash_uri, (2) flash_width, or (3) flash_height in the scald_flash_sca
29-08-2017 - 01:33 19-08-2013 - 23:55
CVE-2013-4177 5.0
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified v
30-05-2014 - 13:34 29-05-2014 - 14:19
CVE-2013-4178 5.0
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP).
30-05-2014 - 13:35 29-05-2014 - 14:19
CVE-2013-4229 2.1
Cross-site scripting (XSS) vulnerability in the Monster Menus module 7.x-1.x before 7.x-1.12 for Drupal allows remote authenticated users with permissions to add pages to inject arbitrary web script or HTML via a title in the page settings.
29-08-2017 - 01:33 21-08-2013 - 14:55
CVE-2013-4230 6.0
The mm_webform submodule in the Monster Menus module 6.x-6.x before 6.x-6.61 and 7.x-1.x before 7.x-1.13 for Drupal does not properly restrict access to webform submissions, which allows remote authenticated users with the "Who can read data submitte
29-08-2017 - 01:33 21-08-2013 - 14:55
CVE-2013-4274 2.1
Cross-site scripting (XSS) vulnerability in the password_policy_admin_view function in password_policy.admin.inc in the Password Policy module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Ad
29-08-2013 - 17:21 28-08-2013 - 22:55
CVE-2013-4379 6.4
The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to bypass intended access restrictions for a poll via a direct request to the node's URL instead of the hashed URL.
10-10-2013 - 20:41 09-10-2013 - 17:55
CVE-2013-4380 2.1
Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer mediafront" permission to inject arbitrary
21-05-2014 - 18:44 20-05-2014 - 14:55
CVE-2013-4384 4.3
Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google AP
29-08-2017 - 01:33 09-10-2013 - 14:54
CVE-2013-4445 4.9
The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access toke
09-12-2013 - 17:36 07-12-2013 - 20:55
CVE-2013-4446 6.8
The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to
09-12-2013 - 17:38 07-12-2013 - 20:55
CVE-2013-4498 2.1
The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 for Drupal does not properly delete organic group group spaces content when using the option to move to a new group, which causes the content to be "orphaned" and allows remote authe
19-05-2014 - 16:45 17-05-2014 - 20:55
CVE-2013-4502 4.0
The FileField Sources module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.9 for Drupal does not properly check file permissions, which allows remote authenticated users to read arbitrary files by attaching a file.
14-05-2014 - 18:34 13-05-2014 - 15:55
CVE-2013-4504 2.6
The Monster Menus module 7.x-1.x before 7.x-1.15 allows remote attackers to read arbitrary node comments via a crafted URL.
14-05-2014 - 16:57 13-05-2014 - 15:55
CVE-2013-5315 2.6
Cross-site scripting (XSS) vulnerability in the Resource Manager in the MEE submodule (mee.module) in the Scald module 6.x-1.x before 6.x-1.0-beta3 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML v
29-08-2017 - 01:33 19-08-2013 - 23:55
CVE-2013-5964 2.1
Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag titl
10-10-2013 - 18:56 30-09-2013 - 21:55
CVE-2013-7067 5.8
The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not properly override pages that have an access callback set to false, which allows remote attackers to bypass intended access restrictions via a request.
29-08-2017 - 01:34 19-12-2013 - 04:24
CVE-2013-7302 6.8
Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowle
30-04-2014 - 14:04 29-04-2014 - 14:38
CVE-2014-2983 4.3
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vect
16-12-2017 - 02:29 23-04-2014 - 15:55
CVE-2014-9016 5.0
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.
30-12-2014 - 21:11 24-11-2014 - 15:59
CVE-2015-8095 5.0
The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern.
10-11-2015 - 16:45 09-11-2015 - 16:59
CVE-2018-7600 7.5
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
01-03-2019 - 18:04 29-03-2018 - 07:29
CVE-2018-7602 7.5
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability
09-10-2019 - 23:42 19-07-2018 - 17:29
CVE-2019-10909 3.5
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
20-05-2019 - 13:40 16-05-2019 - 22:29
CVE-2002-1806 4.3
Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag.
05-09-2008 - 20:31 31-12-2002 - 05:00
CVE-2007-6299 7.5
Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1)
08-08-2017 - 01:29 10-12-2007 - 18:46
CVE-2008-0272 4.3
Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users.
08-08-2017 - 01:29 15-01-2008 - 20:00
CVE-2008-0273 4.3
Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Dr
08-08-2017 - 01:29 15-01-2008 - 20:00
CVE-2008-0276 4.3
Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table.
08-08-2017 - 01:29 15-01-2008 - 20:00
CVE-2007-0626 7.6
The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing com
19-10-2018 - 17:45 31-01-2007 - 18:28
CVE-2005-0682 4.3
Cross-site scripting (XSS) vulnerability in common.inc in Drupal before 4.5.2 allows remote attackers to inject arbitrary web script or HTML via certain inputs.
05-09-2008 - 20:47 02-05-2005 - 04:00
CVE-2005-1871 7.5
Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote attackers to gain privileges, due to an "input check" that "is not implemented properly."
18-10-2016 - 03:23 09-06-2005 - 04:00
CVE-2005-2106 5.0
Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.
18-10-2016 - 03:24 05-07-2005 - 04:00
CVE-2005-3973 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allow remote attackers to inject arbitrary web script or HTML via various HTML tags and values, such as the (1) legend tag and the value paramet
19-10-2018 - 15:39 03-12-2005 - 19:03
CVE-2005-3975 4.0
Interpretation conflict in file.inc in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension, which causes the HTML to be execu
19-10-2018 - 15:39 03-12-2005 - 19:03
CVE-2006-1225 5.0
CRLF injection vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject headers of outgoing e-mail messages and use Drupal as a spam proxy.
18-10-2018 - 16:31 14-03-2006 - 19:06
CVE-2006-1226 4.3
Cross-site scripting (XSS) vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.
18-10-2018 - 16:31 14-03-2006 - 19:06
CVE-2006-1227 4.6
Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access control for the page that is referenced, which might allow remote attackers to access administrator pages.
18-10-2018 - 16:31 14-03-2006 - 19:06
CVE-2006-1228 5.1
Session fixation vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to gain privileges by tricking a user to click on a URL that fixes the session identifier. This vulnerability affects Drupal versions 4.6.x bef
18-10-2018 - 16:31 14-03-2006 - 19:06
CVE-2005-3974 6.4
Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PHP5, does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission.
19-10-2018 - 15:39 03-12-2005 - 19:03
CVE-2006-2260 4.3
Cross-site scripting (XSS) vulnerability in the project module (project.module) in Drupal 4.5 and 4.6 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.
20-07-2017 - 01:31 09-05-2006 - 10:02
CVE-2006-0070 4.3
** DISPUTED ** Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor su
19-10-2018 - 15:42 04-01-2006 - 00:03
CVE-2006-2742 7.5
SQL injection vulnerability in Drupal 4.6.x before 4.6.7 and 4.7.0 allows remote attackers to execute arbitrary SQL commands via the (1) count and (2) from variables to (a) database.mysql.inc, (b) database.pgsql.inc, and (c) database.mysqli.inc. This
18-10-2018 - 16:41 01-06-2006 - 10:02
CVE-2006-2743 5.1
Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_mime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory. Successful exploit
18-10-2018 - 16:41 01-06-2006 - 10:02
CVE-2006-2831 7.5
Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides are disabled within .htaccess, allows remote attackers to execute arbitrary code by uploading a file with multiple exte
18-10-2018 - 16:43 06-06-2006 - 00:02
CVE-2006-2832 2.6
Cross-site scripting (XSS) vulnerability in the upload module (upload.module) in Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via the uploaded filename.
18-10-2018 - 16:43 06-06-2006 - 00:02
CVE-2006-4002 4.3
Cross-site scripting (XSS) vulnerability in user.module in Drupal 4.6 before 4.6.9, and 4.7 before 4.7.3, allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: portions of these details are obtained from third p
20-07-2017 - 01:32 07-08-2006 - 19:04
CVE-2006-5475 6.8
Multiple cross-site scripting (XSS) vulnerabilities in the XML parser in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allow remote attackers to inject arbitrary web script or HTML via a crafted RSS feed.
17-10-2018 - 21:43 24-10-2006 - 20:07
CVE-2006-5476 7.5
Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors.
17-10-2018 - 21:43 24-10-2006 - 20:07
CVE-2006-5477 2.6
Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows form submissions to be redirected, which allows remote attackers to obtain arbitrary form information via a crafted URL.
17-10-2018 - 21:43 24-10-2006 - 20:07
CVE-2007-0124 3.5
Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors
16-10-2018 - 16:31 09-01-2007 - 02:28
CVE-2006-2833 2.6
Cross-site scripting (XSS) vulnerability in the taxonomy module in Drupal 4.6.8 and 4.7.2 allows remote attackers to inject arbitrary web script or HTML via inputs that are not properly validated when the page title is output, possibly involving the
18-10-2018 - 16:43 06-06-2006 - 00:02
CVE-2006-3570 4.3
Cross-site scripting (XSS) vulnerability in the webform module in Drupal 4.6 before July 8, 2006 and 4.7 before July 8, 2006 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
20-07-2017 - 01:32 13-07-2006 - 01:05
CVE-2007-4064 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers to inject arbitrary web script or HTML via "some server variables," including PHP_SELF; and (2) allow remote authenticate
29-07-2017 - 01:32 30-07-2007 - 17:30
CVE-2007-5595 5.1
CRLF injection vulnerability in the drupal_goto function in includes/common.inc in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
26-10-2018 - 14:13 19-10-2007 - 23:17
CVE-2007-5596 4.3
The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.
26-10-2018 - 14:13 19-10-2007 - 23:17
CVE-2007-5597 4.3
The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) O
26-10-2018 - 14:14 19-10-2007 - 23:17
CVE-2007-0658 5.0
The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal and the (2) Captcha 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal allow remote attackers to bypass the CAPTCHA test via an empty captcha element in $_SESS
29-07-2017 - 01:30 01-02-2007 - 22:28
CVE-2008-0274 2.6
Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files.
08-08-2017 - 01:29 15-01-2008 - 20:00
CVE-2007-4063 4.3
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments, (2) delete content revisions, and (3) disable menu items as privileged users, related to improper use of HTTP GET and t
29-07-2017 - 01:32 30-07-2007 - 17:30
CVE-2008-2771 5.0
The Node Hierarchy module 5.x before 5.x-1.1 and 6.x before 6.x-1.0 for Drupal does not properly implement access checks, which allows remote attackers with "access content" permissions to bypass restrictions and modify the node hierarchy via unspeci
08-08-2017 - 01:31 18-06-2008 - 22:41
CVE-2008-3222 6.8
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
08-08-2017 - 01:31 18-07-2008 - 16:41
CVE-2008-3740 4.3
Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-08-2017 - 01:32 27-08-2008 - 15:21
CVE-2008-3741 3.5
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script o
08-08-2017 - 01:32 27-08-2008 - 15:21
CVE-2008-3742 6.5
Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.
08-08-2017 - 01:32 27-08-2008 - 15:21
CVE-2008-3744 5.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.
08-08-2017 - 01:32 27-08-2008 - 15:21
CVE-2008-4791 6.0
The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully log in via unknown vectors.
02-11-2018 - 13:07 29-10-2008 - 15:31
CVE-2008-4792 6.0
The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field v
02-11-2018 - 13:18 29-10-2008 - 15:31
CVE-2008-6170 3.5
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title.
17-08-2017 - 01:29 19-02-2009 - 15:30
CVE-2008-6171 9.3
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header.
17-08-2017 - 01:29 19-02-2009 - 15:30
CVE-2008-6532 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing
17-08-2017 - 01:29 26-03-2009 - 21:00
CVE-2008-6533 4.3
Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspe
17-08-2017 - 01:29 26-03-2009 - 21:00
CVE-2009-1575 4.3
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta ta
17-08-2017 - 01:30 06-05-2009 - 17:30
CVE-2009-1844 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explo
08-06-2009 - 05:27 01-06-2009 - 14:30
CVE-2009-2373 4.3
Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-07-2009 - 15:30 08-07-2009 - 15:30
CVE-2009-4369 3.5
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide conta
17-08-2017 - 01:31 21-12-2009 - 16:30
CVE-2010-2471 5.8
drupal6 version 6.16 has open redirection
06-11-2019 - 19:20 06-11-2019 - 18:15
CVE-2010-3092 5.5
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a fil
22-09-2010 - 04:00 21-09-2010 - 20:00
CVE-2010-3093 3.5
The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" is
22-09-2010 - 04:00 21-09-2010 - 20:00
CVE-2010-2250 4.3
Drupal 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack.
07-11-2019 - 18:31 07-11-2019 - 18:15
CVE-2010-2472 3.5
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scri
07-11-2019 - 21:15 07-11-2019 - 19:15
CVE-2010-2473 3.5
Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked.
07-11-2019 - 21:15 07-11-2019 - 19:15
CVE-2009-1576 4.3
Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a craf
20-05-2009 - 05:36 06-05-2009 - 17:30
CVE-2009-0603 3.5
Cross-site scripting (XSS) vulnerability in index.php in the Link module 5.x-2.5 for Drupal 5.10 allows remote authenticated users, with "administer content types" privileges, to inject arbitrary web script or HTML via the description parameter (aka
17-08-2017 - 01:29 16-02-2009 - 20:30
CVE-2008-3094 4.3
The Organic Groups (OG) module 5.x before 5.x-7.3 and 6.x before 6.x-1.0-RC1, a module for Drupal, allows remote attackers to obtain sensitive information (private group names) via unspecified vectors.
08-08-2017 - 01:31 09-07-2008 - 19:33
CVE-2008-3219 5.0
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS
08-08-2017 - 01:31 18-07-2008 - 16:41
CVE-2008-3220 6.8
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."
08-08-2017 - 01:31 18-07-2008 - 16:41
CVE-2008-3221 4.3
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.
19-08-2009 - 05:17 18-07-2008 - 16:41
CVE-2008-3223 7.5
SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields."
08-08-2017 - 01:31 18-07-2008 - 16:41
CVE-2008-1131 3.5
Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote authenticated users to inject arbitrary web script or HTML via titles in content edit forms.
05-09-2008 - 21:36 04-03-2008 - 00:44
CVE-2008-3218 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, a
08-08-2017 - 01:31 18-07-2008 - 16:41
CVE-2008-3743 5.8
Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH
08-08-2017 - 01:32 27-08-2008 - 15:21
CVE-2008-3745 5.5
The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors.
08-08-2017 - 01:32 27-08-2008 - 15:21
CVE-2009-4370 3.5
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu descript
17-08-2017 - 01:31 21-12-2009 - 16:30
CVE-2010-3091 5.0
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an as
30-09-2010 - 04:00 29-09-2010 - 17:00
CVE-2010-3094 2.1
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a t
22-09-2010 - 04:00 21-09-2010 - 20:00
CVE-2010-3685 5.0
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by le
30-09-2010 - 04:00 29-09-2010 - 17:00
CVE-2010-3686 5.0
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an asserti
30-09-2010 - 04:00 29-09-2010 - 17:00
CVE-2012-0825 6.8
Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
08-03-2014 - 04:54 28-10-2013 - 22:55
CVE-2012-0826 6.8
Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a den
08-03-2014 - 04:54 28-10-2013 - 22:55
CVE-2012-5651 5.0
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.
29-08-2017 - 01:32 03-01-2013 - 01:55
CVE-2012-5652 5.0
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.
29-08-2017 - 01:32 03-01-2013 - 01:55
CVE-2012-5653 6.0
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.
29-08-2017 - 01:32 03-01-2013 - 01:55
CVE-2013-0244 2.6
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involv
08-03-2014 - 05:02 19-01-2014 - 17:16
CVE-2013-0245 2.1
The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to nodes that are part of a book outline, which allows remote authenticated users with the "access printer-fr
29-08-2017 - 01:33 16-07-2013 - 18:55
CVE-2013-6385 5.1
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such
14-01-2014 - 04:28 07-12-2013 - 21:55
CVE-2013-6386 6.8
Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.
14-01-2014 - 04:28 07-12-2013 - 21:55
CVE-2014-1475 7.5
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.
21-02-2014 - 05:06 24-01-2014 - 18:55
CVE-2014-5019 5.0
The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.
22-07-2014 - 19:00 22-07-2014 - 14:55
CVE-2014-5021 2.1
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group lab
22-07-2014 - 19:10 22-07-2014 - 14:55
CVE-2014-5265 5.0
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of
25-11-2015 - 20:38 18-08-2014 - 11:15
CVE-2014-5266 5.0
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption
25-11-2015 - 20:39 18-08-2014 - 11:15
CVE-2014-5267 6.8
modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.
10-10-2014 - 05:23 30-09-2014 - 14:55
CVE-2014-9015 6.8
Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.
20-12-2018 - 17:53 24-11-2014 - 15:59
CVE-2015-2559 3.5
Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
05-02-2019 - 18:52 25-03-2015 - 14:59
CVE-2015-2749 5.8
Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
21-09-2017 - 17:06 13-09-2017 - 16:29
CVE-2015-2750 5.8
Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence.
20-09-2017 - 19:15 13-09-2017 - 16:29
CVE-2015-3234 4.3
The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange provide
03-12-2016 - 03:09 22-06-2015 - 19:59
CVE-2015-6658 4.3
Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files.
24-12-2016 - 02:59 24-08-2015 - 14:59
CVE-2015-6660 6.8
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value call
24-12-2016 - 02:59 24-08-2015 - 14:59
CVE-2015-6661 5.0
Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.
24-12-2016 - 02:59 24-08-2015 - 14:59
CVE-2016-3163 5.0
The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
19-04-2016 - 03:01 12-04-2016 - 15:59
CVE-2016-3164 5.8
Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.
13-04-2016 - 00:55 12-04-2016 - 15:59
CVE-2016-3165 5.0
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in
13-04-2016 - 00:51 12-04-2016 - 15:59
CVE-2016-3166 4.3
CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module tha
13-04-2016 - 00:44 12-04-2016 - 15:59
CVE-2016-3168 8.5
The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file downl
14-04-2016 - 14:33 12-04-2016 - 15:59
CVE-2016-3169 6.8
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
13-04-2016 - 00:22 12-04-2016 - 15:59
CVE-2016-3171 6.8
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
09-05-2016 - 17:46 12-04-2016 - 15:59
CVE-2016-3167 6.4
Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destina
19-04-2016 - 03:20 12-04-2016 - 15:59
CVE-2009-4371 3.5
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrar
17-08-2017 - 01:31 21-12-2009 - 16:30
CVE-2011-2687 7.5
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
03-09-2015 - 14:21 27-07-2011 - 02:55
CVE-2011-3730 5.0
Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and cert
13-03-2012 - 04:00 23-09-2011 - 23:55
CVE-2012-0827 3.5
The File module in Drupal 7.x before 7.11, when using unspecified field access modules, allows remote authenticated users to read arbitrary private files that are associated with restricted fields via unspecified vectors.
29-10-2013 - 15:19 28-10-2013 - 22:55
CVE-2012-1588 3.5
Algorithmic complexity vulnerability in the _filter_url function in the text filtering system (modules/filter/filter.module) in Drupal 7.x before 7.14 allows remote authenticated users with certain roles to cause a denial of service (CPU consumption)
13-12-2013 - 04:58 01-10-2012 - 00:55
CVE-2012-1589 5.8
Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL.
13-12-2013 - 04:58 18-05-2012 - 20:55
CVE-2012-1590 4.0
The forum list in Drupal 7.x before 7.14 does not properly check user permissions for unpublished forum posts, which allows remote authenticated users to obtain sensitive information such as the post title via the forum overview page.
13-12-2013 - 04:58 01-10-2012 - 00:55
CVE-2012-1591 5.0
The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles.
13-12-2013 - 04:58 01-10-2012 - 00:55
CVE-2012-2153 4.0
Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which allows remote authenticated users with the "Access the content overview page" permission to read all published nodes by a
13-12-2013 - 04:59 01-10-2012 - 00:55
CVE-2012-4553 6.8
Drupal 7.x before 7.16 allows remote attackers to obtain sensitive information and possibly re-install Drupal and execute arbitrary PHP code via an external database server, related to "transient conditions."
12-11-2012 - 21:56 11-11-2012 - 13:00
CVE-2012-4554 5.0
The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.
12-11-2012 - 22:00 11-11-2012 - 13:00
CVE-2013-0246 4.3
The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors.
16-07-2013 - 18:55 16-07-2013 - 18:55
CVE-2013-0316 5.0
The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests.
28-03-2013 - 04:00 27-03-2013 - 21:55
CVE-2013-6387 2.1
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.
04-01-2014 - 04:50 24-12-2013 - 20:55
CVE-2013-6388 4.3
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.
04-01-2014 - 04:50 24-12-2013 - 20:55
CVE-2013-6389 5.8
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
04-01-2014 - 04:50 07-12-2013 - 21:55
CVE-2014-1476 4.0
The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page.
21-02-2014 - 05:06 24-01-2014 - 18:55
CVE-2014-5020 4.9
The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file
22-07-2014 - 19:03 22-07-2014 - 14:55
CVE-2014-5022 4.3
Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field.
22-07-2014 - 19:21 22-07-2014 - 14:55
CVE-2015-3231 4.0
The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache.
03-12-2016 - 03:09 22-06-2015 - 19:59
CVE-2015-3232 5.8
Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter.
03-12-2016 - 03:09 22-06-2015 - 19:59
CVE-2015-3233 5.8
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
03-12-2016 - 03:09 22-06-2015 - 19:59
CVE-2015-6659 7.5
SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment.
24-12-2016 - 02:59 24-08-2015 - 14:59
CVE-2015-7943 5.8
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and
08-11-2017 - 15:49 18-10-2017 - 18:29
CVE-2016-3162 6.5
The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content
22-04-2016 - 14:11 12-04-2016 - 15:59
CVE-2016-3170 5.0
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login
14-04-2016 - 21:44 12-04-2016 - 15:59
CVE-2016-6211 6.5
The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.
28-11-2016 - 20:31 09-09-2016 - 14:05
CVE-2016-6212 5.0
The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.
28-11-2016 - 20:31 09-09-2016 - 14:05
CVE-2016-9449 4.0
The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.
07-01-2017 - 03:00 25-11-2016 - 18:59
CVE-2016-9451 4.9
Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.
07-01-2017 - 03:00 25-11-2016 - 18:59
CVE-2017-6922 4.0
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rathe
09-10-2019 - 23:29 22-01-2019 - 15:29
CVE-2017-6927 4.3
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through T
22-03-2018 - 17:28 01-03-2018 - 23:29
CVE-2017-6928 3.5
Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is
03-10-2019 - 00:03 01-03-2018 - 23:29
CVE-2017-6929 4.3
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability wa
21-03-2018 - 16:54 01-03-2018 - 23:29
CVE-2017-6932 5.8
Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick
22-03-2018 - 13:53 01-03-2018 - 23:29
CVE-2019-6338 6.0
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-20
09-10-2019 - 23:51 22-01-2019 - 14:29
CVE-2019-6339 7.5
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code
09-10-2019 - 23:51 22-01-2019 - 15:29
CVE-2019-6341 3.5
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS)
16-05-2019 - 02:29 26-03-2019 - 18:29
CVE-2011-2726 5.0
An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory
15-11-2019 - 18:04 15-11-2019 - 17:15
CVE-2014-1607 4.3
** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Dru
09-10-2018 - 19:42 26-01-2014 - 20:55
CVE-2015-7880 4.0
The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames.
26-09-2017 - 15:52 13-09-2017 - 16:29
CVE-2016-7570 4.0
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
04-10-2016 - 17:42 03-10-2016 - 18:59
CVE-2016-7571 4.3
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.
04-10-2016 - 17:54 03-10-2016 - 18:59
CVE-2016-7572 4.0
The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors
04-10-2016 - 18:06 03-10-2016 - 18:59
CVE-2016-9450 5.0
The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.
29-11-2016 - 18:37 25-11-2016 - 18:59
CVE-2016-9452 4.3
The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.
29-11-2016 - 15:48 25-11-2016 - 18:59
CVE-2017-6381 6.8
A 3rd party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies
03-10-2019 - 00:03 16-03-2017 - 14:59
CVE-2017-6919 6.0
Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.
03-10-2019 - 00:03 20-04-2017 - 02:59
CVE-2017-6920 7.5
Drupal core 8 before version 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.
04-10-2018 - 16:16 06-08-2018 - 15:29
CVE-2017-6921 4.3
In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and a
09-10-2019 - 23:29 15-01-2019 - 21:29
CVE-2017-6923 4.0
In Drupal 8.x prior to 8.3.7, when creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is m
09-10-2019 - 23:29 22-01-2019 - 15:29
CVE-2017-6924 5.8
In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RE
09-10-2019 - 23:29 15-01-2019 - 20:29
CVE-2017-6925 7.5
In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entit
03-10-2019 - 00:03 15-01-2019 - 17:29
CVE-2017-6377 5.0
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
03-10-2019 - 00:03 16-03-2017 - 14:59
CVE-2017-6379 5.1
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
12-07-2017 - 01:29 16-03-2017 - 14:59
CVE-2017-6926 5.5
In Drupal 8.4.x versions before 8.4.5, users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact tha
22-03-2018 - 17:20 01-03-2018 - 23:29
CVE-2017-6930 6.8
In Drupal 8.4.x versions before 8.4.5, when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet h
03-10-2019 - 00:03 01-03-2018 - 23:29
CVE-2017-6931 4.0
In Drupal 8.4.x versions before 8.4.5, the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module
03-10-2019 - 00:03 01-03-2018 - 23:29
CVE-2019-6340 6.8
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following co
08-03-2019 - 20:04 21-02-2019 - 21:29
CVE-2019-11876 4.3
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and
28-05-2019 - 14:59 24-05-2019 - 16:29
CVE-2014-3704 7.5
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
09-10-2018 - 19:47 16-10-2014 - 00:55
CVE-2006-4360 3.5
Cross-site scripting (XSS) vulnerability in E-commerce 4.7 for Drupal before file.module 1.37.2.4 (20060812) allows remote authenticated users with the "create products" permission to inject arbitrary web script or HTML via unspecified vectors.
20-07-2017 - 01:33 27-08-2006 - 02:04
CVE-2006-4355 2.6
Cross-site scripting (XSS) vulnerability in Drupal Easylinks Module (easylinks.module) 4.7 before 1.5.2.1 2006/08/19 12:02:27 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
20-07-2017 - 01:33 27-08-2006 - 02:04
CVE-2006-4356 7.5
SQL injection vulnerability in Drupal Easylinks Module (easylinks.module) 4.7 before 1.5.2.1 2006/08/19 12:02:27 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
20-07-2017 - 01:33 27-08-2006 - 02:04
CVE-2006-6647 6.8
Cross-site scripting (XSS) vulnerability in the MySite 4.7.x before 4.7.x-3.3 and 5.x before 5.x-1.3 module for Drupal allows remote attackers to inject arbitrary web script or HTML via the Title field when editing a page. NOTE: some details were ob
08-03-2011 - 02:46 20-12-2006 - 02:28
CVE-2006-4646 6.8
Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Pathauto module before pathauto_node.inc 1.17.2.1 and the Drupal 4.6 Pathauto module before pathauto_node.inc 1.14.2.1 allows remote attackers to inject arbitrary web script or HTML via unspe
20-07-2017 - 01:33 08-09-2006 - 21:04
CVE-2006-6646 6.8
Multiple cross-site scripting (XSS) vulnerabilities in Drupal (1) Project Issue Tracking 4.7.x-1.0 and 4.7.x-2.0, and (2) Project 4.6.x-1.0, 4.7.x-1.0, and 4.7.x-2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parame
08-03-2011 - 02:46 20-12-2006 - 02:28
CVE-2007-1368 3.5
The Project issue tracking module before 4.7.x-1.3, 4.7.x-2.* before 4.7.x-2.3, and 5 before 5.x-0.2-beta for Drupal allows remote authenticated users, with "access project issues" permission, to read the contents of a private node via a URL with a m
29-07-2017 - 01:30 09-03-2007 - 22:19
CVE-2007-5228 3.5
Cross-site scripting (XSS) vulnerability in the subscription functionality in the Project issue tracking module before 4.7.x-1.5, 4.7.x-2.x before 4.7.x-2.5, and 5.x-1.x before 5.x-1.1 for Drupal allows remote authenticated users with project create
29-07-2017 - 01:33 05-10-2007 - 23:17
CVE-2006-4717 7.5
The login redirection mechanism in the Drupal 4.7 Pubcookie module before 1.2.2.4 2006/09/06 and the Drupal 4.6 Pubcookie module before 1.6.2.1 2006/09/07 allows remote attackers to bypass authentication requirements and spoof identities of arbitrary
08-03-2011 - 02:41 12-09-2006 - 16:07
CVE-2006-4821 4.3
Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Userreview module before 1.19 2006/09/12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
20-07-2017 - 01:33 15-09-2006 - 22:07