Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Drupal
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2014-9151 |
The Services module 7.x-3.x before 7.x-3.10 for Drupal does not properly limit the rate of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack on the administrative password. Published: December 01, 2014; 11:59:01 AM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2014-5268 |
The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows remote attackers to block or unblock an account via a crafted user status link. Published: December 01, 2014; 11:59:00 AM -0500 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2014-9016 |
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. Published: November 24, 2014; 10:59:17 AM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-9015 |
Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions. Published: November 24, 2014; 10:59:16 AM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2014-9026 |
The Ubercart module 7.x-3.x before 7.x-3.7 for Drupal does not properly protect the per-user order history view, which allows remote authenticated users with the "view own orders" permission to obtain sensitive information via unspecified vectors. Published: November 20, 2014; 12:50:15 PM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2014-9025 |
The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors. Published: November 20, 2014; 12:50:14 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-9024 |
The Protected Pages module 7.x-2.x before 7.x-2.4 for Drupal allows remote attackers to bypass the password protection via a crafted path. Published: November 20, 2014; 12:50:13 PM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2014-9023 |
The Twilio module 7.x-1.x before 7.x-1.9 for Drupal does not properly restrict access to the Twilio administration pages, which allows remote authenticated users to read and modify authentication tokens by leveraging the "access administration pages" Drupal permission. Published: November 20, 2014; 12:50:12 PM -0500 |
V3.x:(not available) V2.0: 5.5 MEDIUM |
CVE-2014-9022 |
The Webform Component Roles module 6.x-1.x before 6.x-1.8 and 7.x-1.x before 7.x-1.8 for Drupal allows remote attackers to bypass the "disabled" restriction and modify read-only components via a crafted form. Published: November 20, 2014; 12:50:11 PM -0500 |
V3.x:(not available) V2.0: 6.4 MEDIUM |
CVE-2012-2301 |
The Ubercart module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer product classes" permission to execute arbitrary PHP code via unspecified vectors. Published: November 15, 2014; 9:59:00 PM -0500 |
V3.x:(not available) V2.0: 6.0 MEDIUM |
CVE-2014-8736 |
The Open Atrium Core module for Drupal before 7.x-2.22 allows remote attackers to bypass access restrictions and read file attachments that have been removed from a node by leveraging a previous revision of the node. Published: November 12, 2014; 11:55:07 AM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-8735 |
The Bad Behavior module 6.x-2.x before 6.x-2.2216 and 7.x-2.x before 7.x-2.2216 for Drupal logs usernames and passwords, which allows remote authenticated users with the "administer bad behavior" permission to obtain sensitive information by reading a log file. Published: November 12, 2014; 11:55:07 AM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2014-8734 |
The Organic Groups Menu (aka OG Menu) module before 7.x-2.2 for Drupal allows remote authenticated users with the "access administration pages" permission to change module settings via unspecified vectors. Published: November 12, 2014; 11:55:07 AM -0500 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2013-4594 |
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment. Published: October 25, 2014; 6:55:01 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-7407 |
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Published: October 22, 2014; 10:55:06 AM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2014-8379 |
Multiple cross-site scripting (XSS) vulnerabilities in the Marketo MA module before 7.x-1.5 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to field titles to the (1) Webform or (2) User sub-modules. Published: October 21, 2014; 11:55:08 AM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2014-8376 |
Cross-site scripting (XSS) vulnerability in the context administration sub-panel in the Site Banner module before 7.x-4.1 for Drupal allows remote authenticated users with the "Administer contexts" Context UI module permission to inject arbitrary web script or HTML via vectors related to context settings. Published: October 21, 2014; 11:55:08 AM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2013-7406 |
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Published: October 21, 2014; 10:55:03 AM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2014-5169 |
Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title. Published: October 20, 2014; 1:55:06 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2014-8320 |
Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.12 and 7.x-1.x before 7.x-1.14 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the "Label text" field to the results configuration page. Published: October 17, 2014; 10:55:03 AM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |