Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,105 matching records.
Displaying matches 121 through 140.
Vuln ID Summary CVSS Severity
CVE-2016-3170

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

Published: April 12, 2016; 11:59:07 AM -0400
V3.0: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2016-3169

The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.

Published: April 12, 2016; 11:59:06 AM -0400
V3.0: 8.1 HIGH
V2.0: 6.8 MEDIUM
CVE-2016-3168

The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."

Published: April 12, 2016; 11:59:05 AM -0400
V3.0: 6.4 MEDIUM
V2.0: 8.5 HIGH
CVE-2016-3167

Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.

Published: April 12, 2016; 11:59:04 AM -0400
V3.0: 7.4 HIGH
V2.0: 6.4 MEDIUM
CVE-2016-3166

CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.

Published: April 12, 2016; 11:59:04 AM -0400
V3.0: 5.9 MEDIUM
V2.0: 4.3 MEDIUM
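The two core entries above (CVE-2016-3167, the double-encoded "destination" open redirect, and CVE-2016-3166, CRLF injection through a header-setting function) come down to two ordering and validation rules that are easy to get wrong in any framework: a redirect target has to be percent-decoded to a fixed point before it is classified as local or external, and a value that reaches an HTTP header must never contain CR or LF. The Python below is an added example written for this page; it is not Drupal's drupal_goto or drupal_set_header code. The function names, the decode-round bound, the fallback target and the sample destinations are constructed for the example.

```python
"""Added example, not Drupal code: destination handling for a redirect.

Shows (1) why a "destination" value must be decoded to a fixed point
before it is classified as local or external (a value still encoded at
check time turns into '//host' when it is decoded once more on the way
to the Location header), and (2) why a header value must be rejected if
it carries CR or LF. Names, bounds and fallback are assumptions.
"""
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 5   # assumed bound against pathological nesting
SAFE_FALLBACK = "/"     # assumed policy: send the user to the front page


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing, with a round limit."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("destination is percent-encoded too deeply")


def is_external(target: str) -> bool:
    """Classify a *decoded* target. A scheme, a host, or a protocol-relative
    or backslash prefix (browsers treat '\\' like '/') all leave the site."""
    if target.startswith(("//", "/\\", "\\\\", "\\/")):
        return True
    parts = urlsplit(target)
    return bool(parts.scheme or parts.netloc)


def header_value_is_safe(value: str) -> bool:
    """CR, LF or NUL in a header value lets the client see extra headers."""
    return not any(ch in value for ch in "\r\n\x00")


def naive_redirect_target(raw: str) -> str:
    """Vulnerable ordering: classify the still-encoded value, decode after.
    Returns the Location value the browser would receive."""
    if is_external(raw):
        return SAFE_FALLBACK
    return unquote(raw)


def safe_redirect_headers(raw: str) -> list:
    """Hardened ordering: decode fully, classify, then guard the header."""
    try:
        target = fully_decode(raw)
    except ValueError:
        target = SAFE_FALLBACK
    if is_external(target):
        target = SAFE_FALLBACK
    if not header_value_is_safe(target):
        raise ValueError("CR/LF in redirect target")
    return [("Location", target)]


if __name__ == "__main__":
    for raw in ("//evil.example", "%2F%2Fevil.example",
                "%252F%252Fevil.example", "node/1%3Fpage%3D2"):
        print(repr(raw), "naive ->", repr(naive_redirect_target(raw)),
              "safe ->", safe_redirect_headers(raw))
```

The naive path treats `%2F%2Fevil.example` as a harmless relative path and then hands the browser `//evil.example`; the hardened path reaches the same string before deciding and refuses it. The CRLF guard is applied to the final decoded string, because an encoded `%0D%0A` is only dangerous once decoded.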
CVE-2016-3165

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

Published: April 12, 2016; 11:59:03 AM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
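CVE-2016-3165 is about which side decides that a button "fired": if the dispatcher trusts the button name in the POST body, a button the server marked `#access => FALSE` (and therefore never rendered) can still be triggered by anyone who can submit the form. The following toy dispatcher is an added example written for this page, not Drupal's Form API; the form structure, button names and handler names are constructed.

```python
"""Added example, not Drupal's Form API: a toy form dispatcher that shows
the difference between trusting the button name in the POST body and
honouring the server-side '#access' flag on that button. Form definition,
button names and handler names are constructed for this example.
"""


def build_form(user_can_delete: bool) -> dict:
    """Server-side form definition. Everyone gets the same structure; the
    Delete button is marked inaccessible for users without the right."""
    return {
        "save": {"#type": "submit", "#value": "Save",
                 "#access": True, "#submit": "save_handler"},
        "delete": {"#type": "submit", "#value": "Delete",
                   "#access": user_can_delete, "#submit": "delete_handler"},
    }


def render_buttons(form: dict) -> list:
    """Names of the buttons this user actually sees in the rendered page."""
    return [name for name, el in form.items()
            if el["#type"] == "submit" and el.get("#access", True)]


def triggering_element(form: dict, post: dict, enforce_access: bool):
    """Work out which submit button fired and return its handler name.
    With enforce_access=False this reproduces the flaw: a crafted POST
    naming a hidden button still selects that button's handler."""
    for name, el in form.items():
        if el["#type"] != "submit" or post.get(name) != el["#value"]:
            continue
        if enforce_access and not el.get("#access", True):
            raise PermissionError(f"button {name!r} is not accessible")
        return el["#submit"]
    return None


def vulnerable_dispatch(form: dict, post: dict):
    return triggering_element(form, post, enforce_access=False)


def hardened_dispatch(form: dict, post: dict):
    return triggering_element(form, post, enforce_access=True)


if __name__ == "__main__":
    form = build_form(user_can_delete=False)
    crafted = {"delete": "Delete"}          # button the user never saw
    print("visible buttons:", render_buttons(form))
    print("vulnerable:", vulnerable_dispatch(form, crafted))
    try:
        hardened_dispatch(form, crafted)
    except PermissionError as exc:
        print("hardened:", exc)
```

The point is that rendering a button and authorising its handler are two separate decisions, and both must read the same server-side `#access` value; hiding the button from the HTML alone is not an access control.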
CVE-2016-3164

Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.

Published: April 12, 2016; 11:59:02 AM -0400
V3.0: 7.4 HIGH
V2.0: 5.8 MEDIUM
CVE-2016-3163

The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.

Published: April 12, 2016; 11:59:01 AM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
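CVE-2016-3163 describes the usual shape of XML-RPC brute forcing: `system.multicall` lets one HTTP request carry hundreds of nested calls to the same method, so per-request rate limiting and per-request logging both undercount by that factor. The code below is an added example written for this page (not Drupal's xmlrpc module) that builds such a request with the standard library and then parses it server-side to count the calls per method; the method name `example.login`, the attempt list and the per-request cap are constructed for the example.

```python
"""Added example, not Drupal's XML-RPC code: count the individual calls
carried by one XML-RPC request so that a system.multicall bundling many
login attempts can be capped, or logged as one brute-force event instead
of one innocuous request. Method name and cap are assumptions.
"""
import xmlrpc.client as xc

MAX_CALLS_PER_REQUEST = 10   # assumed policy


def build_single(method: str, *args) -> bytes:
    """Ordinary request body: one call."""
    return xc.dumps(tuple(args), methodname=method).encode()


def build_multicall(method: str, attempts) -> bytes:
    """Request body an attacker would send: many calls, one HTTP request."""
    calls = [{"methodName": method, "params": list(args)} for args in attempts]
    return xc.dumps((calls,), methodname="system.multicall").encode()


def calls_by_method(body: bytes) -> dict:
    """Parse the body and return {method: count}, unwrapping multicall.
    Malformed or nested multicalls (which the multicall spec forbids)
    are rejected rather than counted as one call."""
    params, method = xc.loads(body)
    if method != "system.multicall":
        return {method: 1}
    if len(params) != 1 or not isinstance(params[0], list):
        raise ValueError("malformed system.multicall")
    counts = {}
    for call in params[0]:
        if not isinstance(call, dict) or "methodName" not in call:
            raise ValueError("malformed system.multicall entry")
        inner = call["methodName"]
        if inner == "system.multicall":
            raise ValueError("nested system.multicall")
        counts[inner] = counts.get(inner, 0) + 1
    return counts


def total_calls(body: bytes) -> int:
    return sum(calls_by_method(body).values())


def should_reject(body: bytes) -> bool:
    """Drop the request if it bundles more calls than the per-request cap."""
    return total_calls(body) > MAX_CALLS_PER_REQUEST


if __name__ == "__main__":
    # Constructed sample: 50 password guesses against one account.
    body = build_multicall("example.login",
                           [("admin", f"guess{i}") for i in range(50)])
    print(calls_by_method(body), "reject:", should_reject(body))
    print(calls_by_method(build_single("example.login", "admin", "guess0")))
```

Counting this way at the edge (or in a WAF rule that inspects the body) restores the per-attempt granularity that a per-request counter loses; the same `calls_by_method` result is what a detection rule should log, since "one XML-RPC request" hides the fifty guesses it contains.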
CVE-2016-3162

The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.

Published: April 12, 2016; 11:59:00 AM -0400
V3.0: 8.1 HIGH
V2.0: 6.5 MEDIUM
CVE-2016-3188

The _prepopulate_request_walk function in the Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the (1) actions, (2) container, (3) token, (4) password, (5) password_confirm, (6) text_format, or (7) markup field type, and consequently have unspecified impact, via unspecified vectors.

Published: April 08, 2016; 10:59:06 AM -0400
V3.0: 7.3 HIGH
V2.0: 7.5 HIGH
CVE-2016-3187

The Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the REQUEST superglobal array, and consequently have unspecified impact, via a base64-encoded pp parameter.

Published: April 08, 2016; 10:59:05 AM -0400
V3.0: 7.3 HIGH
V2.0: 7.5 HIGH
CVE-2016-1913

Multiple cross-site scripting (XSS) vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal allow remote authenticated users with certain access to inject arbitrary web script or HTML via unspecified vectors, related to (1) individual contacts, (2) notes, or (3) engagement scores.

Published: January 15, 2016; 3:59:05 PM -0500
V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2016-1565

Cross-site scripting (XSS) vulnerability in the Field Group module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with permission to configure field display settings to inject arbitrary web script or HTML via an element attribute.

Published: January 08, 2016; 4:59:10 PM -0500
V3.0: 6.1 MEDIUM
V2.0: 3.5 LOW
CVE-2015-8761

The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the "Import value sets" permission to execute arbitrary PHP code via the exported values list in a ctools import.

Published: January 08, 2016; 2:59:27 PM -0500
V3.0: 9.0 CRITICAL
V2.0: 6.0 MEDIUM
CVE-2015-8754

The Mollom module 6.x-2.7 before 6.x-2.15 for Drupal allows remote attackers to bypass intended access restrictions and modify the mollom blacklist via unspecified vectors.

Published: January 08, 2016; 2:59:20 PM -0500
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2015-8602

The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which embeds a rendered entity in the main node.

Published: December 17, 2015; 2:59:14 PM -0500
V3.x: (not available)
V2.0: 3.5 LOW
CVE-2015-8601

The Chat Room module 7.x-2.x before 7.x-2.2 for Drupal does not properly check permissions when setting up a websocket for chat messages, which allows remote attackers to bypass intended access restrictions and read messages from arbitrary Chat Rooms via unspecified vectors.

Published: December 17, 2015; 2:59:13 PM -0500
V3.x: (not available)
V2.0: 5.0 MEDIUM
CVE-2015-8233

Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.6 for Drupal allows remote administrators with the "Administer themes" permission to inject arbitrary web script or HTML via unspecified vectors related to theme settings.

Published: November 17, 2015; 10:59:26 AM -0500
V3.x: (not available)
V2.0: 2.6 LOW
CVE-2015-8232

The UC Profile module 6.x-1.x before 6.x-1.3 for Drupal does not properly check access to profiles in certain circumstances, which might allow remote attackers to obtain sensitive information from the anonymous user profile via unspecified vectors.

Published: November 17, 2015; 10:59:25 AM -0500
V3.x: (not available)
V2.0: 4.3 MEDIUM
CVE-2015-8095

The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern.

Published: November 09, 2015; 11:59:12 AM -0500
V3.x: (not available)
V2.0: 5.0 MEDIUM