National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,080 matching records.
Displaying matches 161 through 180.
Vuln ID Summary CVSS Severity
CVE-2015-5491

The Dynamic display block module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users to bypass intended access restrictions and read sensitive titles by leveraging the "administer ddblock" permission.

Published: August 18, 2015; 01:59:36 PM -04:00
    V2: 3.5 LOW
CVE-2015-5490

The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors.

Published: August 18, 2015; 01:59:31 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-5489

Cross-site scripting (XSS) vulnerability in the Smart Trim module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors involving the field settings form.

Published: August 18, 2015; 01:59:28 PM -04:00
    V2: 3.5 LOW
CVE-2015-5488

Cross-site scripting (XSS) vulnerability in the MailChimp Signup submodule in the MailChimp module 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "administer mailchimp" permission to inject arbitrary web script or HTML via unspecified vectors.

Published: August 18, 2015; 01:59:24 PM -04:00
    V2: 2.1 LOW
CVE-2015-5487

Cross-site scripting (XSS) vulnerability in the Camtasia Relay module 6.x-2.x before 6.x-3.2 and 7.x-2.x before 7.x-1.3 for Drupal allows remote authenticated users with the "view meta information" permission to inject arbitrary web script or HTML via unspecified vectors related to the meta access tab.

Published: August 18, 2015; 01:59:21 PM -04:00
    V2: 4.3 MEDIUM
CVE-2014-9740

Cross-site scripting (XSS) vulnerability in the Rules Link module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer rules links" permission to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the (1) question and (2) description strings in a confirmation form for a triggering Rules link.

Published: July 06, 2015; 11:59:05 AM -04:00
    V2: 2.1 LOW
CVE-2014-9739

Cross-site scripting (XSS) vulnerability in the Node Field module 7.x-2.x before 7.x-2.45 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors involving internal fields.

Published: July 06, 2015; 11:59:04 AM -04:00
    V2: 3.5 LOW
CVE-2014-9738

Multiple cross-site scripting (XSS) vulnerabilities in the Tournament module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) account username, a (2) node title, or a (3) team entity title.

Published: July 06, 2015; 11:59:03 AM -04:00
    V2: 4.3 MEDIUM
CVE-2014-9737

Open redirect vulnerability in the Language Switcher Dropdown module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a block.

Published: July 06, 2015; 11:59:02 AM -04:00
    V2: 5.8 MEDIUM
CVE-2015-3234

The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers.

Published: June 22, 2015; 03:59:02 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-3233

Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Published: June 22, 2015; 03:59:01 PM -04:00
    V2: 5.8 MEDIUM
CVE-2015-3232

Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter.

Published: June 22, 2015; 03:59:00 PM -04:00
    V2: 5.8 MEDIUM
CVE-2015-3231

The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache.

Published: June 22, 2015; 03:59:00 PM -04:00
    V2: 4.0 MEDIUM
CVE-2015-4398

Open redirect vulnerability in the Chaos tool suite (ctools) module before 6.x-1.12 and 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors involving processing confirmation delete pages.

Published: June 16, 2015; 01:59:00 PM -04:00
    V2: 5.8 MEDIUM
CVE-2015-4374

Cross-site scripting (XSS) vulnerability in the Webform module before 6.x-3.23, 7.x-3.x before 7.x-3.23, and 7.x-4.x before 7.x-4.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a component name in the recipient (To) address of an email.

Published: June 16, 2015; 01:59:00 PM -04:00
    V2: 3.5 LOW
CVE-2015-4397

Cross-site request forgery (CSRF) vulnerability in the Node Template module for Drupal allows remote attackers to hijack the authentication of users with the "access node template" permission for requests that delete node templates via unspecified vectors.

Published: June 15, 2015; 10:59:52 AM -04:00
    V2: 6.8 MEDIUM
CVE-2015-4396

Multiple cross-site request forgery (CSRF) vulnerabilities in the Keyword Research module 6.x-1.x before 6.x-1.2 for Drupal allow remote attackers to hijack the authentication of users with the "kwresearch admin site keywords" permission for requests that (1) create, (2) delete, or (3) set priorities to keywords via unspecified vectors.

Published: June 15, 2015; 10:59:50 AM -04:00
    V2: 5.1 MEDIUM
CVE-2015-4395

The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal stores passwords in plaintext when the "Ask user for a password when registering" option is enabled, which allows remote authenticated users with certain permissions to obtain sensitive information by leveraging access to the database.

Published: June 15, 2015; 10:59:50 AM -04:00
    V2: 3.5 LOW
CVE-2015-4394

The Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote attackers to bypass the field_access restriction and obtain sensitive private field information via unspecified vectors.

Published: June 15, 2015; 10:59:48 AM -04:00
    V2: 5.0 MEDIUM
CVE-2015-4393

The resource/endpoint for uploading files in the Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote authenticated users with the "Save file information" permission to execute arbitrary code via a crafted filename.

Published: June 15, 2015; 10:59:48 AM -04:00
    V2: 6.0 MEDIUM