National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,053 matching records.
Displaying matches 281 through 300.
Vuln ID Summary CVSS Severity
CVE-2014-5268

The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows remote attackers to block or unblock an account via a crafted user status link.

Published: December 01, 2014; 11:59:00 AM -05:00
V2: 5.8 MEDIUM
CVE-2014-9016

The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

Published: November 24, 2014; 10:59:17 AM -05:00
V2: 5.0 MEDIUM
CVE-2014-9015

Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.

Published: November 24, 2014; 10:59:16 AM -05:00
V2: 6.8 MEDIUM
CVE-2014-9026

The Ubercart module 7.x-3.x before 7.x-3.7 for Drupal does not properly protect the per-user order history view, which allows remote authenticated users with the "view own orders" permission to obtain sensitive information via unspecified vectors.

Published: November 20, 2014; 12:50:15 PM -05:00
V2: 4.0 MEDIUM
CVE-2014-9025

The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors.

Published: November 20, 2014; 12:50:14 PM -05:00
V2: 5.0 MEDIUM
CVE-2014-9024

The Protected Pages module 7.x-2.x before 7.x-2.4 for Drupal allows remote attackers to bypass the password protection via a crafted path.

Published: November 20, 2014; 12:50:13 PM -05:00
V2: 7.5 HIGH
CVE-2014-9023

The Twilio module 7.x-1.x before 7.x-1.9 for Drupal does not properly restrict access to the Twilio administration pages, which allows remote authenticated users to read and modify authentication tokens by leveraging the "access administration pages" Drupal permission.

Published: November 20, 2014; 12:50:12 PM -05:00
V2: 5.5 MEDIUM
CVE-2014-9022

The Webform Component Roles module 6.x-1.x before 6.x-1.8 and 7.x-1.x before 7.x-1.8 for Drupal allows remote attackers to bypass the "disabled" restriction and modify read-only components via a crafted form.

Published: November 20, 2014; 12:50:11 PM -05:00
V2: 6.4 MEDIUM
CVE-2012-2301

The Ubercart module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer product classes" permission to execute arbitrary PHP code via unspecified vectors.

Published: November 15, 2014; 09:59:00 PM -05:00
V2: 6.0 MEDIUM
CVE-2014-8736

The Open Atrium Core module for Drupal before 7.x-2.22 allows remote attackers to bypass access restrictions and read file attachments that have been removed from a node by leveraging a previous revision of the node.

Published: November 12, 2014; 11:55:07 AM -05:00
V2: 5.0 MEDIUM
CVE-2014-8735

The Bad Behavior module 6.x-2.x before 6.x-2.2216 and 7.x-2.x before 7.x-2.2216 for Drupal logs usernames and passwords, which allows remote authenticated users with the "administer bad behavior" permission to obtain sensitive information by reading a log file.

Published: November 12, 2014; 11:55:07 AM -05:00
V2: 4.0 MEDIUM
CVE-2014-8734

The Organic Groups Menu (aka OG Menu) module before 7.x-2.2 for Drupal allows remote authenticated users with the "access administration pages" permission to change module settings via unspecified vectors.

Published: November 12, 2014; 11:55:07 AM -05:00
V2: 3.5 LOW
CVE-2013-4594

The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

Published: October 25, 2014; 06:55:01 PM -04:00
V2: 4.3 MEDIUM
CVE-2013-7407

Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: October 22, 2014; 10:55:06 AM -04:00
V2: 6.8 MEDIUM
CVE-2014-8379

Multiple cross-site scripting (XSS) vulnerabilities in the Marketo MA module before 7.x-1.5 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to field titles to the (1) Webform or (2) User sub-modules.

Published: October 21, 2014; 11:55:08 AM -04:00
V2: 3.5 LOW
CVE-2014-8378

Cross-site scripting (XSS) vulnerability in the TableField module 7.x-2.x before 7.x-2.3 allows remote authenticated users with the "administer content types" or "administer taxonomy" permission to inject arbitrary web script or HTML via vectors related to the field help text in an entity edit form.

Published: October 21, 2014; 11:55:08 AM -04:00
V2: 3.5 LOW
CVE-2014-8376

Cross-site scripting (XSS) vulnerability in the context administration sub-panel in the Site Banner module before 7.x-4.1 for Drupal allows remote authenticated users with the "Administer contexts" Context UI module permission to inject arbitrary web script or HTML via vectors related to context settings.

Published: October 21, 2014; 11:55:08 AM -04:00
V2: 3.5 LOW
CVE-2013-7406

SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: October 21, 2014; 10:55:03 AM -04:00
V2: 7.5 HIGH
CVE-2014-5169

Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title.

Published: October 20, 2014; 01:55:06 PM -04:00
V2: 3.5 LOW
CVE-2014-8320

Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.12 and 7.x-1.x before 7.x-1.14 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the "Label text" field to the results configuration page.

Published: October 17, 2014; 10:55:03 AM -04:00
V2: 3.5 LOW