National Vulnerability Database

Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,080 matching records.
Displaying matches 101 through 120.
Vuln ID Summary CVSS Severity
CVE-2015-8761

The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the "Import value sets" permission to execute arbitrary PHP code via the exported values list in a ctools import.

Published: January 08, 2016; 02:59:27 PM -05:00
V3.0: 9.0 CRITICAL
    V2: 6.0 MEDIUM
CVE-2015-8754

The Mollom module 6.x-2.7 before 6.x-2.15 for Drupal allows remote attackers to bypass intended access restrictions and modify the mollom blacklist via unspecified vectors.

Published: January 08, 2016; 02:59:20 PM -05:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2015-8602

The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which embeds a rendered entity in the main node.

Published: December 17, 2015; 02:59:14 PM -05:00
    V2: 3.5 LOW
CVE-2015-8601

The Chat Room module 7.x-2.x before 7.x-2.2 for Drupal does not properly check permissions when setting up a websocket for chat messages, which allows remote attackers to bypass intended access restrictions and read messages from arbitrary Chat Rooms via unspecified vectors.

Published: December 17, 2015; 02:59:13 PM -05:00
    V2: 5.0 MEDIUM
CVE-2015-8233

Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.6 for Drupal allows remote administrators with the "Administer themes" permission to inject arbitrary web script or HTML via unspecified vectors related to theme settings.

Published: November 17, 2015; 10:59:26 AM -05:00
    V2: 2.6 LOW
CVE-2015-8232

The UC Profile module 6.x-1.x before 6.x-1.3 for Drupal does not properly check access to profiles in certain circumstances, which might allow remote attackers to obtain sensitive information from the anonymous user profile via unspecified vectors.

Published: November 17, 2015; 10:59:25 AM -05:00
    V2: 4.3 MEDIUM
CVE-2015-8095

The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern.

Published: November 09, 2015; 11:59:12 AM -05:00
    V2: 5.0 MEDIUM
CVE-2015-8082

The Login Disable module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly load the user_logout function, which allows remote attackers to bypass the logout protection mechanism by leveraging a contributed user authentication module, as demonstrated by the CAS and URL Login modules.

Published: November 06, 2015; 04:59:15 PM -05:00
    V2: 7.5 HIGH
CVE-2015-8081

The Field as Block module 7.x-1.x before 7.x-1.4 for Drupal might allow remote attackers to obtain sensitive field information by reading a cached block.

Published: November 06, 2015; 04:59:13 PM -05:00
    V2: 5.0 MEDIUM
CVE-2015-7881

The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via unspecified vectors, possibly related to a link in a comment.

Published: October 26, 2015; 10:59:11 AM -04:00
    V2: 3.5 LOW
CVE-2015-7876

The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands via vectors involving a module using the db_like function.

Published: October 21, 2015; 10:59:00 AM -04:00
    V2: 7.5 HIGH
CVE-2015-7307

Cross-site scripting (XSS) vulnerability in the CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the configuration page.

Published: September 21, 2015; 03:59:11 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-7306

The CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal does not properly check access permissions, which allows remote authenticated users to access and change settings by leveraging the "access administration pages" permission.

Published: September 21, 2015; 03:59:10 PM -04:00
    V2: 4.9 MEDIUM
CVE-2015-7305

The Scald module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to fields, which allows remote attackers to obtain sensitive atom property information via vectors involving a "debug context."

Published: September 21, 2015; 03:59:09 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-7304

Cross-site scripting (XSS) vulnerability in the amoCRM module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP POST data.

Published: September 21, 2015; 03:59:07 PM -04:00
    V2: 2.6 LOW
CVE-2015-7234

The OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontology and OSF Import modules are enabled, allows user-assisted remote attackers to delete arbitrary files via unspecified vectors.

Published: September 17, 2015; 12:59:13 PM -04:00
    V2: 4.0 MEDIUM
CVE-2015-7233

Cross-site request forgery (CSRF) vulnerability in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Import module is enabled, allows remote attackers to hijack the authentication of administrators for requests that create new OSF datasets via unspecified vectors.

Published: September 17, 2015; 12:59:12 PM -04:00
    V2: 5.1 MEDIUM
CVE-2015-7232

Cross-site scripting (XSS) vulnerability in unspecified administration pages in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontology module is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: September 17, 2015; 12:59:11 PM -04:00
    V2: 2.6 LOW
CVE-2015-7231

The Commerce Commonwealth (CBA) module 7.x-1.x before 7.x-1.5 for Drupal does not properly validate payments, which allows remote attackers to make a failed payment appear valid via a crafted URL, related to a "response from commweb."

Published: September 17, 2015; 12:59:10 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-7230

The Workbench Email module 7.x-3.x before 7.x-3.4 for Drupal allows remote authenticated users with certain permissions to bypass node and field validation by saving a node.

Published: September 17, 2015; 12:59:09 PM -04:00
    V2: 3.5 LOW