National Vulnerability Database

Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,083 matching records.
Displaying matches 301 through 320.
Columns: Vuln ID | Summary | CVSS Severity
CVE-2014-9363

Open redirect vulnerability in the path-based meta tag editing form in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter.

Published: December 10, 2014; 03:59:02 PM -05:00
    V2: 5.5 MEDIUM
CVE-2014-9362

Cross-site scripting (XSS) vulnerability in the path-based meta tag editing form in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal allows remote authenticated users with the "Edit path based meta tags" permission to inject arbitrary web script or HTML via vectors related to deleting a Path-based Metatag.

Published: December 10, 2014; 03:59:01 PM -05:00
    V2: 3.5 LOW
CVE-2014-9361

The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page.

Published: December 10, 2014; 03:59:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2014-9346

Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchical Select module 6.x-3.x before 6.x-3.9 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to the (1) taxonomy term title for instances with Save term lineage enabled or (2) entity type fields.

Published: December 08, 2014; 11:59:18 AM -05:00
    V2: 3.5 LOW
CVE-2014-9156

The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not properly check permissions to view files, which allows remote authenticated users with permission to create or edit content to read private files by attaching an uploaded file.

Published: December 01, 2014; 11:59:07 AM -05:00
    V2: 4.0 MEDIUM
CVE-2014-9155

Directory traversal vulnerability in the Avatar Uploader module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta6 for Drupal allows remote authenticated users to read arbitrary files via a .. (dot dot) in the path of a cropped picture in the uploader panel.

Published: December 01, 2014; 11:59:06 AM -05:00
    V2: 4.0 MEDIUM
CVE-2014-9154

The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node titles, teasers, and fields by reading a notification email.

Published: December 01, 2014; 11:59:05 AM -05:00
    V2: 4.0 MEDIUM
CVE-2014-9153

Cross-site scripting (XSS) vulnerability in the Services module 7.x-3.x before 7.x-3.10 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the callback parameter in a JSONP response.

Published: December 01, 2014; 11:59:03 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-9152

The _user_resource_create function in the Services module 7.x-3.x before 7.x-3.10 for Drupal uses a password of 1 when creating new user accounts, which makes it easier for remote attackers to guess the password via a brute force attack.

Published: December 01, 2014; 11:59:02 AM -05:00
    V2: 7.5 HIGH
CVE-2014-9151

The Services module 7.x-3.x before 7.x-3.10 for Drupal does not properly limit the rate of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack on the administrative password.

Published: December 01, 2014; 11:59:01 AM -05:00
    V2: 7.5 HIGH
CVE-2014-5268

The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows remote attackers to block or unblock an account via a crafted user status link.

Published: December 01, 2014; 11:59:00 AM -05:00
    V2: 5.8 MEDIUM
CVE-2014-9016

The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

Published: November 24, 2014; 10:59:17 AM -05:00
    V2: 5.0 MEDIUM
CVE-2014-9015

Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.

Published: November 24, 2014; 10:59:16 AM -05:00
    V2: 6.8 MEDIUM
CVE-2014-9026

The Ubercart module 7.x-3.x before 7.x-3.7 for Drupal does not properly protect the per-user order history view, which allows remote authenticated users with the "view own orders" permission to obtain sensitive information via unspecified vectors.

Published: November 20, 2014; 12:50:15 PM -05:00
    V2: 4.0 MEDIUM
CVE-2014-9025

The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors.

Published: November 20, 2014; 12:50:14 PM -05:00
    V2: 5.0 MEDIUM
CVE-2014-9024

The Protected Pages module 7.x-2.x before 7.x-2.4 for Drupal allows remote attackers to bypass the password protection via a crafted path.

Published: November 20, 2014; 12:50:13 PM -05:00
    V2: 7.5 HIGH
CVE-2014-9023

The Twilio module 7.x-1.x before 7.x-1.9 for Drupal does not properly restrict access to the Twilio administration pages, which allows remote authenticated users to read and modify authentication tokens by leveraging the "access administration pages" Drupal permission.

Published: November 20, 2014; 12:50:12 PM -05:00
    V2: 5.5 MEDIUM
CVE-2014-9022

The Webform Component Roles module 6.x-1.x before 6.x-1.8 and 7.x-1.x before 7.x-1.8 for Drupal allows remote attackers to bypass the "disabled" restriction and modify read-only components via a crafted form.

Published: November 20, 2014; 12:50:11 PM -05:00
    V2: 6.4 MEDIUM
CVE-2012-2301

The Ubercart module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer product classes" permission to execute arbitrary PHP code via unspecified vectors.

Published: November 15, 2014; 09:59:00 PM -05:00
    V2: 6.0 MEDIUM
CVE-2014-8736

The Open Atrium Core module for Drupal before 7.x-2.22 allows remote attackers to bypass access restrictions and read file attachments that have been removed from a node by leveraging a previous revision of the node.

Published: November 12, 2014; 11:55:07 AM -05:00
    V2: 5.0 MEDIUM