Search Results
- CPE Product Version: cpe:/a:drupal:drupal:-
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2020-13672 | Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. Published: February 11, 2022; 11:15:08 AM -0500 | V3.1: 6.1 MEDIUM V2.0: 2.6 LOW |
CVE-2018-7600 | Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. Published: March 29, 2018; 3:29:00 AM -0400 | V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2015-8095 | The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern. Published: November 09, 2015; 11:59:12 AM -0500 | V3.x: (not available) V2.0: 5.0 MEDIUM |
CVE-2013-4178 | The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP). Published: May 29, 2014; 10:19:07 AM -0400 | V3.x: (not available) V2.0: 5.0 MEDIUM |
CVE-2013-4177 | The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors. Published: May 29, 2014; 10:19:07 AM -0400 | V3.x: (not available) V2.0: 5.0 MEDIUM |
CVE-2013-4380 | Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer mediafront" permission to inject arbitrary web script or HTML via the preset settings. Published: May 20, 2014; 10:55:04 AM -0400 | V3.x: (not available) V2.0: 2.1 LOW |
CVE-2013-4498 | The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 for Drupal does not properly delete organic group group spaces content when using the option to move to a new group, which causes the content to be "orphaned" and allows remote authenticated users with the "access content" permission to obtain sensitive information via vectors involving a rebuild access for the site or content. Published: May 17, 2014; 4:55:02 PM -0400 | V3.x: (not available) V2.0: 2.1 LOW |
CVE-2013-4504 | The Monster Menus module 7.x-1.x before 7.x-1.15 allows remote attackers to read arbitrary node comments via a crafted URL. Published: May 13, 2014; 11:55:04 AM -0400 | V3.x: (not available) V2.0: 2.6 LOW |
CVE-2013-4502 | The FileField Sources module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.9 for Drupal does not properly check file permissions, which allows remote authenticated users to read arbitrary files by attaching a file. Published: May 13, 2014; 11:55:04 AM -0400 | V3.x: (not available) V2.0: 4.0 MEDIUM |
CVE-2013-7302 | Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID. Published: April 29, 2014; 10:38:49 AM -0400 | V3.x: (not available) V2.0: 6.8 MEDIUM |
CVE-2013-1946 | The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache." Published: April 06, 2014; 12:55:06 PM -0400 | V3.x: (not available) V2.0: 4.3 MEDIUM |
CVE-2013-4383 | Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors. Published: January 31, 2014; 10:07:34 AM -0500 | V3.x: (not available) V2.0: 2.1 LOW |
CVE-2014-1611 | Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field. Published: January 30, 2014; 1:55:03 PM -0500 | V3.x: (not available) V2.0: 4.3 MEDIUM |
CVE-2013-7067 | The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not properly override pages that have an access callback set to false, which allows remote attackers to bypass intended access restrictions via a request. Published: December 18, 2013; 11:24:57 PM -0500 | V3.x: (not available) V2.0: 5.8 MEDIUM |
CVE-2013-4446 | The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. Published: December 07, 2013; 3:55:02 PM -0500 | V3.x: (not available) V2.0: 6.8 MEDIUM |
CVE-2013-4445 | The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access. Published: December 07, 2013; 3:55:02 PM -0500 | V3.x: (not available) V2.0: 4.9 MEDIUM |
CVE-2013-4379 | The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to bypass intended access restrictions for a poll via a direct request to the node's URL instead of the hashed URL. Published: October 09, 2013; 1:55:05 PM -0400 | V3.x: (not available) V2.0: 6.4 MEDIUM |
CVE-2013-4384 | Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google API. Published: October 09, 2013; 10:54:26 AM -0400 | V3.x: (not available) V2.0: 4.3 MEDIUM |
CVE-2013-5965 | The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the hook_query_alter function, which might allow remote attackers to obtain sensitive information by reading a node listing. Published: September 30, 2013; 5:55:07 PM -0400 | V3.x: (not available) V2.0: 5.0 MEDIUM |
CVE-2013-5964 | Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag title. Published: September 30, 2013; 5:55:07 PM -0400 | V3.x: (not available) V2.0: 2.1 LOW |