Search Results
- Results Type: Overview
- Keyword (text search): Drupal
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2015-2086 | Cross-site scripting (XSS) vulnerability in the live preview in the Panopoly Magic module before 7.x-1.17 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a pane title. Published: February 26, 2015; 10:59:00 AM -0500 | V3.x: (not available) V2.0: 3.5 LOW |
CVE-2015-1621 | Cross-site scripting (XSS) vulnerability in the Webform prepopulate block module before 7.x-3.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Published: February 17, 2015; 10:59:11 AM -0500 | V3.x: (not available) V2.0: 3.5 LOW |
CVE-2015-1568 | Cross-site request forgery (CSRF) vulnerability in the GD Infinite Scroll module before 7.x-1.4 for Drupal allows remote attackers to hijack the authentication of users with the "edit gd infinite scroll settings" permission for requests that delete settings via unspecified vectors. Published: February 09, 2015; 12:59:13 PM -0500 | V3.x: (not available) V2.0: 6.8 MEDIUM |
CVE-2015-1567 | Cross-site scripting (XSS) vulnerability in the admin page in the GD Infinite Scroll module before 7.x-1.4 for Drupal allows remote authenticated users with the "edit gd infinite scroll settings" permission to inject arbitrary web script or HTML via unspecified vectors. Published: February 09, 2015; 12:59:12 PM -0500 | V3.x: (not available) V2.0: 4.3 MEDIUM |
CVE-2015-1051 | Open redirect vulnerability in the Context UI module in the Context module 7.x-3.x before 7.x-3.6 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. Published: January 15, 2015; 10:59:31 AM -0500 | V3.x: (not available) V2.0: 5.8 MEDIUM |
CVE-2014-9505 | Cross-site scripting (XSS) vulnerability in the School Administration module 7.x-1.x before 7.x-1.8 for Drupal allows remote authenticated users with permission to create or edit a class node to inject arbitrary web script or HTML via a node title. Published: January 09, 2015; 1:59:08 PM -0500 | V3.x: (not available) V2.0: 3.5 LOW |
CVE-2014-9501 | Cross-site scripting (XSS) vulnerability in the Poll Chart Block module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a poll node title. Published: January 09, 2015; 1:59:07 PM -0500 | V3.x: (not available) V2.0: 3.5 LOW |
CVE-2014-9500 | Cross-site scripting (XSS) vulnerability in the Moip module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors to the notification page callback. Published: January 09, 2015; 1:59:06 PM -0500 | V3.x: (not available) V2.0: 4.3 MEDIUM |
CVE-2014-9499 | Cross-site scripting (XSS) vulnerability in the Godwin's Law module before 7.x-1.1 for Drupal, when using the dblog module, allows remote authenticated users to inject arbitrary web script or HTML via a Watchdog message. Published: January 09, 2015; 1:59:05 PM -0500 | V3.x: (not available) V2.0: 3.5 LOW |
CVE-2014-9498 | Cross-site scripting (XSS) vulnerability in the Webform Invitation module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.4 for Drupal allows remote authenticated users with the Webform: Create new content, Webform: Edit own content, or Webform: Edit any content permission to inject arbitrary web script or HTML via a node title. Published: January 09, 2015; 1:59:04 PM -0500 | V3.x: (not available) V2.0: 3.5 LOW |
CVE-2014-9364 | Cross-site scripting (XSS) vulnerability in the Unified Login form in the LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: December 10, 2014; 3:59:03 PM -0500 | V3.x: (not available) V2.0: 4.3 MEDIUM |
CVE-2014-9363 | Open redirect vulnerability in the path-based meta tag editing form in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter. Published: December 10, 2014; 3:59:02 PM -0500 | V3.x: (not available) V2.0: 5.5 MEDIUM |
CVE-2014-9362 | Cross-site scripting (XSS) vulnerability in the path-based meta tag editing form in the Meta tags quick module 7.x-2.x before 7.x-2.8 for Drupal allows remote authenticated users with the "Edit path based meta tags" permission to inject arbitrary web script or HTML via vectors related to deleting a Path-based Metatag. Published: December 10, 2014; 3:59:01 PM -0500 | V3.x: (not available) V2.0: 3.5 LOW |
CVE-2014-9361 | The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page. Published: December 10, 2014; 3:59:00 PM -0500 | V3.x: (not available) V2.0: 4.3 MEDIUM |
CVE-2014-9346 | Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchical Select module 6.x-3.x before 6.x-3.9 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to the (1) taxonomy term title for instances with Save term lineage enabled or (2) entity type fields. Published: December 08, 2014; 11:59:18 AM -0500 | V3.x: (not available) V2.0: 3.5 LOW |
CVE-2014-9156 | The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not properly check permissions to view files, which allows remote authenticated users with permission to create or edit content to read private files by attaching an uploaded file. Published: December 01, 2014; 11:59:07 AM -0500 | V3.x: (not available) V2.0: 4.0 MEDIUM |
CVE-2014-9155 | Directory traversal vulnerability in the Avatar Uploader module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta6 for Drupal allows remote authenticated users to read arbitrary files via a .. (dot dot) in the path of a cropped picture in the uploader panel. Published: December 01, 2014; 11:59:06 AM -0500 | V3.x: (not available) V2.0: 4.0 MEDIUM |
CVE-2014-9154 | The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node titles, teasers, and fields by reading a notification email. Published: December 01, 2014; 11:59:05 AM -0500 | V3.x: (not available) V2.0: 4.0 MEDIUM |
CVE-2014-9153 | Cross-site scripting (XSS) vulnerability in the Services module 7.x-3.x before 7.x-3.10 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the callback parameter in a JSONP response. Published: December 01, 2014; 11:59:03 AM -0500 | V3.x: (not available) V2.0: 4.3 MEDIUM |
CVE-2014-9152 | The _user_resource_create function in the Services module 7.x-3.x before 7.x-3.10 for Drupal uses a password of 1 when creating new user accounts, which makes it easier for remote attackers to guess the password via a brute force attack. Published: December 01, 2014; 11:59:02 AM -0500 | V3.x: (not available) V2.0: 7.5 HIGH |