National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,053 matching records.
Displaying matches 261 through 280.
Vuln ID Summary CVSS Severity
CVE-2015-1621

Cross-site scripting (XSS) vulnerability in the Webform prepopulate block module before 7.x-3.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Published: February 17, 2015; 10:59:11 AM -05:00
V2: 3.5 LOW
CVE-2015-1568

Cross-site request forgery (CSRF) vulnerability in the GD Infinite Scroll module before 7.x-1.4 for Drupal allows remote attackers to hijack the authentication of users with the "edit gd infinite scroll settings" permission for requests that delete settings via unspecified vectors.

Published: February 09, 2015; 12:59:13 PM -05:00
V2: 6.8 MEDIUM
CVE-2015-1567

Cross-site scripting (XSS) vulnerability in the admin page in the GD Infinite Scroll module before 7.x-1.4 for Drupal allows remote authenticated users with the "edit gd infinite scroll settings" permission to inject arbitrary web script or HTML via unspecified vectors.

Published: February 09, 2015; 12:59:12 PM -05:00
V2: 4.3 MEDIUM
CVE-2015-1051

Open redirect vulnerability in the Context UI module in the Context module 7.x-3.x before 7.x-3.6 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.

Published: January 15, 2015; 10:59:31 AM -05:00
V2: 5.8 MEDIUM
CVE-2014-9505

Cross-site scripting (XSS) vulnerability in the School Administration module 7.x-1.x before 7.x-1.8 for Drupal allows remote authenticated users with permission to create or edit a class node to inject arbitrary web script or HTML via a node title.

Published: January 09, 2015; 01:59:08 PM -05:00
V2: 3.5 LOW
CVE-2014-9501

Cross-site scripting (XSS) vulnerability in the Poll Chart Block module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a poll node title.

Published: January 09, 2015; 01:59:07 PM -05:00
V2: 3.5 LOW
CVE-2014-9500

Cross-site scripting (XSS) vulnerability in the Moip module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors to the notification page callback.

Published: January 09, 2015; 01:59:06 PM -05:00
V2: 4.3 MEDIUM
CVE-2014-9499

Cross-site scripting (XSS) vulnerability in the Godwin's Law module before 7.x-1.1 for Drupal, when using the dblog module, allows remote authenticated users to inject arbitrary web script or HTML via a Watchdog message.

Published: January 09, 2015; 01:59:05 PM -05:00
V2: 3.5 LOW
CVE-2014-9498

Cross-site scripting (XSS) vulnerability in the Webform Invitation module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.4 for Drupal allows remote authenticated users with the Webform: Create new content, Webform: Edit own content, or Webform: Edit any content permission to inject arbitrary web script or HTML via a node title.

Published: January 09, 2015; 01:59:04 PM -05:00
V2: 3.5 LOW
CVE-2014-9364

Cross-site scripting (XSS) vulnerability in the Unified Login form in the LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: December 10, 2014; 03:59:03 PM -05:00
V2: 4.3 MEDIUM
CVE-2014-9363

Open redirect vulnerability in the path-based meta tag editing form in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter.

Published: December 10, 2014; 03:59:02 PM -05:00
V2: 5.5 MEDIUM
CVE-2014-9362

Cross-site scripting (XSS) vulnerability in the path-based meta tag editing form in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal allows remote authenticated users with the "Edit path based meta tags" permission to inject arbitrary web script or HTML via vectors related to deleting a Path-based Metatag.

Published: December 10, 2014; 03:59:01 PM -05:00
V2: 3.5 LOW
CVE-2014-9361

The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page.

Published: December 10, 2014; 03:59:00 PM -05:00
V2: 4.3 MEDIUM
CVE-2014-9346

Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchical Select module 6.x-3.x before 6.x-3.9 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to the (1) taxonomy term title for instances with Save term lineage enabled or (2) entity type fields.

Published: December 08, 2014; 11:59:18 AM -05:00
V2: 3.5 LOW
CVE-2014-9156

The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not properly check permissions to view files, which allows remote authenticated users with permission to create or edit content to read private files by attaching an uploaded file.

Published: December 01, 2014; 11:59:07 AM -05:00
V2: 4.0 MEDIUM
CVE-2014-9155

Directory traversal vulnerability in the Avatar Uploader module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta6 for Drupal allows remote authenticated users to read arbitrary files via a .. (dot dot) in the path of a cropped picture in the uploader panel.

Published: December 01, 2014; 11:59:06 AM -05:00
V2: 4.0 MEDIUM
CVE-2014-9154

The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node titles, teasers, and fields by reading a notification email.

Published: December 01, 2014; 11:59:05 AM -05:00
V2: 4.0 MEDIUM
CVE-2014-9153

Cross-site scripting (XSS) vulnerability in the Services module 7.x-3.x before 7.x-3.10 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the callback parameter in a JSONP response.

Published: December 01, 2014; 11:59:03 AM -05:00
V2: 4.3 MEDIUM
CVE-2014-9152

The _user_resource_create function in the Services module 7.x-3.x before 7.x-3.10 for Drupal uses a password of 1 when creating new user accounts, which makes it easier for remote attackers to guess the password via a brute force attack.

Published: December 01, 2014; 11:59:02 AM -05:00
V2: 7.5 HIGH
CVE-2014-9151

The Services module 7.x-3.x before 7.x-3.10 for Drupal does not properly limit the rate of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack on the administrative password.

Published: December 01, 2014; 11:59:01 AM -05:00
V2: 7.5 HIGH