National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,077 matching records.
Displaying matches 121 through 140.
Vuln ID Summary CVSS Severity
CVE-2015-7226

The Administration Views module 7.x-1.x before 7.x-1.5 for Drupal checks access permissions based on the router path from the view instead of the display property, which allows remote attackers to obtain sensitive information via vectors related to the access handler.

Published: September 17, 2015; 12:59:05 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-6921

Cross-site scripting (XSS) vulnerability in the Zendesk Feedback Tab module 7.x-1.x before 7.x-1.1 for Drupal allows remote administrators with the "Configure Zendesk Feedback Tab" permission to inject arbitrary web script or HTML via unspecified vectors.

Published: September 11, 2015; 04:59:03 PM -04:00
    V2: 2.6 LOW
CVE-2015-6808

Cross-site scripting (XSS) vulnerability in the Spotlight module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title.

Published: September 04, 2015; 11:59:05 AM -04:00
    V2: 3.5 LOW
CVE-2015-6807

Cross-site scripting (XSS) vulnerability in the Mass Contact module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer mass contact" permission to inject arbitrary web script or HTML via a category label.

Published: September 04, 2015; 11:59:04 AM -04:00
    V2: 2.1 LOW
CVE-2015-6754

Cross-site scripting (XSS) vulnerability in the administration interface in the Path Breadcrumbs module 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "Administer Path Breadcrumbs" permission to inject arbitrary web script or HTML via unspecified vectors.

Published: August 31, 2015; 03:59:02 PM -04:00
    V2: 2.1 LOW
CVE-2015-6753

Multiple cross-site scripting (XSS) vulnerabilities in the Quick Edit module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) entity title, related to in-place editing, or a (2) node title.

Published: August 31, 2015; 03:59:01 PM -04:00
    V2: 3.5 LOW
CVE-2015-6752

Cross-site scripting (XSS) vulnerability in the Search API Autocomplete module 7.x-1.x before 7.x-1.3 for Drupal, when the search index is configured to use the HTML filter processor, allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the returned suggestions.

Published: August 31, 2015; 02:59:12 PM -04:00
    V2: 2.1 LOW
CVE-2015-6751

Multiple cross-site scripting (XSS) vulnerabilities in the Time Tracker module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) note added to a time entry or an (2) activity used to categorize time tracker entries.

Published: August 31, 2015; 02:59:11 PM -04:00
    V2: 3.5 LOW
CVE-2015-6665

Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag.

Published: August 24, 2015; 10:59:22 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-6661

Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.

Published: August 24, 2015; 10:59:18 AM -04:00
    V2: 5.0 MEDIUM
CVE-2015-6660

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."

Published: August 24, 2015; 10:59:17 AM -04:00
    V2: 6.8 MEDIUM
CVE-2015-6659

SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment.

Published: August 24, 2015; 10:59:16 AM -04:00
    V2: 7.5 HIGH
CVE-2015-6658

Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files.

Published: August 24, 2015; 10:59:15 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-5515

The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x-3.3 for Drupal, when the bulk operation for changing Roles is enabled, allows remote authenticated users to edit user accounts and add arbitrary roles to the accounts by leveraging access to a user account listing view with VBO enabled.

Published: August 18, 2015; 02:00:21 PM -04:00
    V2: 4.9 MEDIUM
CVE-2015-5514

Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x before 7.x-2.8 for Drupal, when the migrate_ui submodule is enabled, allows user-assisted remote attackers to inject arbitrary web script or HTML via a destination field label.

Published: August 18, 2015; 02:00:20 PM -04:00
    V2: 2.6 LOW
CVE-2015-5513

Cross-site scripting (XSS) vulnerability in the Shibboleth authentication module 6.x-4.x before 6.x-4.2 and 7.x-4.x before 7.x-4.2 for Drupal allows remote authenticated users with the "Administer blocks" permission to inject arbitrary web script or HTML via unspecified vectors related to a login link.

Published: August 18, 2015; 02:00:19 PM -04:00
    V2: 2.1 LOW
CVE-2015-5512

The me aliases module 6.x-2.x before 6.x-2.10 and 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to access Views using the "me" user argument handler by substituting "me" for a user id in a URL.

Published: August 18, 2015; 02:00:18 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-5511

The HybridAuth Social Login module 7.x-2.x before 7.x-2.13 for Drupal allows remote attackers to bypass the user registration by administrator only configuration and create an account via a social login.

Published: August 18, 2015; 02:00:17 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-5510

Open redirect vulnerability in the Content Construction Kit (CCK) 6.x-2.x before 6.x-2.10 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destinations parameter, related to administration pages.

Published: August 18, 2015; 02:00:15 PM -04:00
    V2: 5.8 MEDIUM
CVE-2015-5509

The Administration Views module 7.x-1.x before 7.x-1.4 for Drupal, when used with other unspecified modules, does not properly grant access to administration pages, which allows remote administrators to bypass intended restrictions via unspecified vectors.

Published: August 18, 2015; 02:00:14 PM -04:00
    V2: 6.0 MEDIUM