National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,053 matching records.
Displaying matches 101 through 120.
Vuln ID Summary CVSS Severity
CVE-2015-6754

Cross-site scripting (XSS) vulnerability in the administration interface in the Path Breadcrumbs module 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "Administer Path Breadcrumbs" permission to inject arbitrary web script or HTML via unspecified vectors.

Published: August 31, 2015; 03:59:02 PM -04:00
    V2: 2.1 LOW
CVE-2015-6753

Multiple cross-site scripting (XSS) vulnerabilities in the Quick Edit module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) entity title, related to in-place editing, or a (2) node title.

Published: August 31, 2015; 03:59:01 PM -04:00
    V2: 3.5 LOW
CVE-2015-6752

Cross-site scripting (XSS) vulnerability in the Search API Autocomplete module 7.x-1.x before 7.x-1.3 for Drupal, when the search index is configured to use the HTML filter processor, allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the returned suggestions.

Published: August 31, 2015; 02:59:12 PM -04:00
    V2: 2.1 LOW
CVE-2015-6751

Multiple cross-site scripting (XSS) vulnerabilities in the Time Tracker module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) note added to a time entry or an (2) activity used to categorize time tracker entries.

Published: August 31, 2015; 02:59:11 PM -04:00
    V2: 3.5 LOW
CVE-2015-6665

Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag.

Published: August 24, 2015; 10:59:22 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-6661

Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.

Published: August 24, 2015; 10:59:18 AM -04:00
    V2: 5.0 MEDIUM
CVE-2015-6660

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."

Published: August 24, 2015; 10:59:17 AM -04:00
    V2: 6.8 MEDIUM
CVE-2015-6659

SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment.

Published: August 24, 2015; 10:59:16 AM -04:00
    V2: 7.5 HIGH
CVE-2015-6658

Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files.

Published: August 24, 2015; 10:59:15 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-5515

The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x-3.3 for Drupal, when the bulk operation for changing Roles is enabled, allows remote authenticated users to edit user accounts and add arbitrary roles to the accounts by leveraging access to a user account listing view with VBO enabled.

Published: August 18, 2015; 02:00:21 PM -04:00
    V2: 4.9 MEDIUM
CVE-2015-5514

Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x before 7.x-2.8 for Drupal, when the migrate_ui submodule is enabled, allows user-assisted remote attackers to inject arbitrary web script or HTML via a destination field label.

Published: August 18, 2015; 02:00:20 PM -04:00
    V2: 2.6 LOW
CVE-2015-5513

Cross-site scripting (XSS) vulnerability in the Shibboleth authentication module 6.x-4.x before 6.x-4.2 and 7.x-4.x before 7.x-4.2 for Drupal allows remote authenticated users with the "Administer blocks" permission to inject arbitrary web script or HTML via unspecified vectors related to a login link.

Published: August 18, 2015; 02:00:19 PM -04:00
    V2: 2.1 LOW
CVE-2015-5512

The me aliases module 6.x-2.x before 6.x-2.10 and 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to access Views using the "me" user argument handler by substituting "me" for a user id in a URL.

Published: August 18, 2015; 02:00:18 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-5511

The HybridAuth Social Login module 7.x-2.x before 7.x-2.13 for Drupal allows remote attackers to bypass the user registration by administrator only configuration and create an account via a social login.

Published: August 18, 2015; 02:00:17 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-5510

Open redirect vulnerability in the Content Construction Kit (CCK) 6.x-2.x before 6.x-2.10 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destinations parameter, related to administration pages.

Published: August 18, 2015; 02:00:15 PM -04:00
    V2: 5.8 MEDIUM
CVE-2015-5509

The Administration Views module 7.x-1.x before 7.x-1.4 for Drupal, when used with other unspecified modules, does not properly grant access to administration pages, which allows remote administrators to bypass intended restrictions via unspecified vectors.

Published: August 18, 2015; 02:00:14 PM -04:00
    V2: 6.0 MEDIUM
CVE-2015-5508

Cross-site request forgery (CSRF) vulnerability in the XC NCIP Provider module in the eXtensible Catalog (XC) Drupal Toolkit allows remote attackers to hijack the authentication of users with the "administer ncip providers" permission for requests that alter NCIP providers via a crafted request.

Published: August 18, 2015; 02:00:13 PM -04:00
    V2: 5.1 MEDIUM
CVE-2015-5507

Cross-site scripting (XSS) vulnerability in the Inline Entity Form module 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with permission to create or edit fields to inject arbitrary web script or HTML via unspecified vectors.

Published: August 18, 2015; 02:00:12 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-5506

The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal does not check the status of an entity when indexing, which allows remote attackers to obtain information about unpublished content via a search.

Published: August 18, 2015; 02:00:11 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-5505

The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the "include subdomains" directive, which causes the HSTS policy to not be applied to subdomains and allows man-in-the-middle attackers to have unspecified impact via unknown vectors.

Published: August 18, 2015; 02:00:09 PM -04:00
    V2: 6.8 MEDIUM