Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,083 matching records.
Displaying matches 361 through 380.
Vuln ID Summary CVSS Severity
CVE-2014-5021

Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label.

Published: July 22, 2014; 10:55:10 AM -0400
V3.x:(not available)
V2.0: 2.1 LOW
CVE-2014-5020

The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field.

Published: July 22, 2014; 10:55:10 AM -0400
V3.x:(not available)
V2.0: 4.9 MEDIUM
CVE-2014-5019

The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.

Published: July 22, 2014; 10:55:10 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-7391

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the (a) Views field or (b) area plugins, allows remote attackers to read restricted entities via the (1) field, (2) header, or (3) footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher organizations.

Published: July 19, 2014; 2:55:01 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-4273

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal does not properly restrict access to node comments, which allows remote authenticated users to read the comments via unspecified vectors. NOTE: this identifier was SPLIT per ADT5 due to different researcher organizations. CVE-2013-7391 was assigned for the View vector.

Published: July 19, 2014; 2:55:01 PM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2014-4506

Cross-site scripting (XSS) vulnerability in the Custom Meta module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "administer custom meta settings" permission to inject arbitrary web script or HTML via the (1) attribute or (2) content value for a meta tag.

Published: June 20, 2014; 10:55:07 AM -0400
V3.x:(not available)
V2.0: 2.1 LOW
CVE-2014-4505

Cross-site scripting (XSS) vulnerability in the Easy Breadcrumb module 7.x-2.x before 7.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: June 20, 2014; 10:55:07 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-4303

Multiple cross-site scripting (XSS) vulnerabilities in the Touch theme 7.x-1.x before 7.x-1.9 for Drupal allow remote authenticated users with the Administer themes permission to inject arbitrary web script or HTML via vectors related to the (1) Twitter and (2) Facebook username settings.

Published: June 18, 2014; 10:55:13 AM -0400
V3.x:(not available)
V2.0: 2.1 LOW
CVE-2013-4599

The Misery module 6.x-2.x before 6.x-2.5 and 7.x-2.x before 7.x-2.2 for Drupal, when the "delay misery" configuration is set to a high value, allows remote attackers to cause a denial of service (process consumption) via multiple requests.

Published: June 09, 2014; 3:55:09 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4597

The Revisioning module 7.x-1.x before 7.x-1.6 for Drupal does not properly check node access permissions for content marked unpublished by the Scheduled module, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

Published: June 09, 2014; 3:55:09 PM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2013-4595

The Secure Pages module 6.x-2.x before 6.x-2.0 for Drupal does not properly match URLs, which causes HTTP to be used instead of HTTPS and makes it easier for remote attackers to obtain sensitive information via a crafted web page.

Published: June 09, 2014; 3:55:09 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-1973

The autocomplete callback in Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-rc1 does not properly handle node permissions, which allows remote authenticated users to obtain sensitive field values via unspecified vectors.

Published: June 09, 2014; 3:55:06 PM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2013-4596

The Node Access Keys module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote attackers to bypass access restrictions via a node listing.

Published: June 02, 2014; 11:55:10 AM -0400
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2014-3933

Cross-site scripting (XSS) vulnerability in the address components field formatter in the AddressField Tokens module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via an address field.

Published: June 02, 2014; 10:55:03 AM -0400
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2013-4178

The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP).

Published: May 29, 2014; 10:19:07 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-4177

The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors.

Published: May 29, 2014; 10:19:07 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-4598

The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors.

Published: May 27, 2014; 10:55:10 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-4380

Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer mediafront" permission to inject arbitrary web script or HTML via the preset settings.

Published: May 20, 2014; 10:55:04 AM -0400
V3.x:(not available)
V2.0: 2.1 LOW
CVE-2013-4406

The Quick Tabs module 6.x-2.x before 6.x-2.2, 6.x-3.x before 6.x-3.2, and 7.x-3.x before 7.x-3.6 for Drupal does not properly check block permissions, which allows remote attackers to obtain sensitive information by reading a Quick Tab.

Published: May 19, 2014; 10:55:07 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-4498

The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 for Drupal does not properly delete organic group group spaces content when using the option to move to a new group, which causes the content to be "orphaned" and allows remote authenticated users with the "access content" permission to obtain sensitive information via vectors involving a rebuild access for the site or content.

Published: May 17, 2014; 4:55:02 PM -0400
V3.x:(not available)
V2.0: 2.1 LOW