National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): drupal
There are 1,022 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2014-9504

The OG Subgroups module, when used with the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal, allows remote attackers to access child groups via vectors related to membership inheritance.

Published: February 01, 2018; 12:29:01 PM -05:00
(not available)
CVE-2014-9503

The Discussions sub module in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allows remote authenticated users with "access content" permissions to modify arbitrary nodes by leveraging improper access checks on unspecified ajax callbacks.

Published: February 01, 2018; 12:29:00 PM -05:00
(not available)
CVE-2014-9502

Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified sub modules in the Open Atrium module 7.x-2.x before 7.x-2.26 for Drupal allow remote attackers to hijack the authentication of unknown victims via vectors related to menu callbacks.

Published: February 01, 2018; 12:29:00 PM -05:00
(not available)
CVE-2015-7878

Cross-site scripting (XSS) vulnerability in the Taxonomy Find module 6.x-2.x through 6.x-1.2 and 7.x-2.x through 7.x-1.0 in Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via taxonomy vocabulary and term names.

Published: November 06, 2017; 12:29:00 PM -05:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2015-7943

Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3233.

Published: October 18, 2017; 02:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2015-7980

Cross-site scripting (XSS) vulnerability in the Compass Rose module 6.x-1.x before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "embedding a JavaScript library from an external source that was not reliable."

Published: October 02, 2017; 09:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2015-7880

The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames.

Published: September 13, 2017; 12:29:00 PM -04:00
V3: 4.3 MEDIUM
V2: 4.0 MEDIUM
CVE-2015-2750

Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence.

Published: September 13, 2017; 12:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2015-2749

Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.

Published: September 13, 2017; 12:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2015-7879

Cross-site scripting (XSS) vulnerability in the Stickynote module 7.x before 7.x-1.3 for Drupal allows remote authenticated users with permission to create or edit a stickynote to inject arbitrary web script or HTML via note text on the admin listing page.

Published: September 11, 2017; 01:29:00 PM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2015-7877

Multiple SQL injection vulnerabilities in the User Dashboard module 7.x before 7.x-1.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: September 11, 2017; 01:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2015-7875

ctools 6.x-1.x before 6.x-1.14 and 7.x-1.x before 7.x-1.8 in Drupal does not verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content and functionality on a page.

Published: August 07, 2017; 01:29:00 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2017-6919

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

Published: April 19, 2017; 10:59:00 PM -04:00
V3: 7.5 HIGH
V2: 6.0 MEDIUM
CVE-2017-6381

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments

Published: March 16, 2017; 10:59:00 AM -04:00
V3: 8.1 HIGH
V2: 6.8 MEDIUM
CVE-2017-6379

Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

Published: March 16, 2017; 10:59:00 AM -04:00
V3: 7.5 HIGH
V2: 5.1 MEDIUM
CVE-2017-6377

When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.

Published: March 16, 2017; 10:59:00 AM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2016-10033

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

Published: December 30, 2016; 02:59:00 PM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2016-9452

The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.

Published: November 25, 2016; 01:59:04 PM -05:00
V3: 6.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2016-9451

Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.

Published: November 25, 2016; 01:59:03 PM -05:00
V3: 6.8 MEDIUM
V2: 4.9 MEDIUM
CVE-2016-9450

The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.

Published: November 25, 2016; 01:59:02 PM -05:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM