National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,053 matching records.
Displaying matches 81 through 100.
Vuln ID Summary CVSS Severity
CVE-2015-8082

The Login Disable module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly load the user_logout function, which allows remote attackers to bypass the logout protection mechanism by leveraging a contributed user authentication module, as demonstrated by the CAS and URL Login modules.

Published: November 06, 2015; 04:59:15 PM -05:00
V2: 7.5 HIGH
CVE-2015-8081

The Field as Block module 7.x-1.x before 7.x-1.4 for Drupal might allow remote attackers to obtain sensitive field information by reading a cached block.

Published: November 06, 2015; 04:59:13 PM -05:00
V2: 5.0 MEDIUM
CVE-2015-7881

The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via unspecified vectors, possibly related to a link in a comment.

Published: October 26, 2015; 10:59:11 AM -04:00
V2: 3.5 LOW
CVE-2015-7876

The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands via vectors involving a module using the db_like function.

Published: October 21, 2015; 10:59:00 AM -04:00
V2: 7.5 HIGH
CVE-2015-7307

Cross-site scripting (XSS) vulnerability in the CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the configuration page.

Published: September 21, 2015; 03:59:11 PM -04:00
V2: 4.3 MEDIUM
CVE-2015-7306

The CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal does not properly check access permissions, which allows remote authenticated users to access and change settings by leveraging the "access administration pages" permission.

Published: September 21, 2015; 03:59:10 PM -04:00
V2: 4.9 MEDIUM
CVE-2015-7305

The Scald module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to fields, which allows remote attackers to obtain sensitive atom property information via vectors involving a "debug context."

Published: September 21, 2015; 03:59:09 PM -04:00
V2: 5.0 MEDIUM
CVE-2015-7304

Cross-site scripting (XSS) vulnerability in the amoCRM module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP POST data.

Published: September 21, 2015; 03:59:07 PM -04:00
V2: 2.6 LOW
CVE-2015-7234

The OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontology and OSF Import modules are enabled, allows user-assisted remote attackers to delete arbitrary files via unspecified vectors.

Published: September 17, 2015; 12:59:13 PM -04:00
V2: 4.0 MEDIUM
CVE-2015-7233

Cross-site request forgery (CSRF) vulnerability in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Import module is enabled, allows remote attackers to hijack the authentication of administrators for requests that create new OSF datasets via unspecified vectors.

Published: September 17, 2015; 12:59:12 PM -04:00
V2: 5.1 MEDIUM
CVE-2015-7232

Cross-site scripting (XSS) vulnerability in unspecified administration pages in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontology module is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: September 17, 2015; 12:59:11 PM -04:00
V2: 2.6 LOW
CVE-2015-7231

The Commerce Commonwealth (CBA) module 7.x-1.x before 7.x-1.5 for Drupal does not properly validate payments, which allows remote attackers to make a failed payment appear valid via a crafted URL, related to a "response from commweb."

Published: September 17, 2015; 12:59:10 PM -04:00
V2: 5.0 MEDIUM
CVE-2015-7230

The Workbench Email module 7.x-3.x before 7.x-3.4 for Drupal allows remote authenticated users with certain permissions to bypass node and field validation by saving a node.

Published: September 17, 2015; 12:59:09 PM -04:00
V2: 3.5 LOW
CVE-2015-7229

The Twitter module 6.x-5.x before 6.x-5.2, 7.x-5.x before 7.x-5.9, and 7.x-6.x before 7.x-6.0 for Drupal does not properly check access permissions, which allows remote authenticated users to post tweets to arbitrary accounts by leveraging the (1) "post to twitter" permission or change the options for arbitrary attached accounts by leveraging the (2) "add twitter accounts" or (3) "add authenticated twitter accounts" permission.

Published: September 17, 2015; 12:59:08 PM -04:00
V2: 3.5 LOW
CVE-2015-7228

The RESTful module 7.x-1.x before 7.x-1.3 for Drupal does not properly cache pages of authenticated users when using non-cookie authentication providers, which allows remote attackers to obtain sensitive information via unspecified vectors.

Published: September 17, 2015; 12:59:07 PM -04:00
V2: 5.0 MEDIUM
CVE-2015-7227

The Fieldable Panels Panes module 7.x-1.x before 7.x-1.7 for Drupal does not properly check permissions to edit Fieldable Panels Panes entities, which allows remote authenticated users to edit panes by leveraging permissions to edit panels.

Published: September 17, 2015; 12:59:06 PM -04:00
V2: 3.5 LOW
CVE-2015-7226

The Administration Views module 7.x-1.x before 7.x-1.5 for Drupal checks access permissions based on the router path from the view instead of the display property, which allows remote attackers to obtain sensitive information via vectors related to the access handler.

Published: September 17, 2015; 12:59:05 PM -04:00
V2: 5.0 MEDIUM
CVE-2015-6921

Cross-site scripting (XSS) vulnerability in the Zendesk Feedback Tab module 7.x-1.x before 7.x-1.1 for Drupal allows remote administrators with the "Configure Zendesk Feedback Tab" permission to inject arbitrary web script or HTML via unspecified vectors.

Published: September 11, 2015; 04:59:03 PM -04:00
V2: 2.6 LOW
CVE-2015-6808

Cross-site scripting (XSS) vulnerability in the Spotlight module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title.

Published: September 04, 2015; 11:59:05 AM -04:00
V2: 3.5 LOW
CVE-2015-6807

Cross-site scripting (XSS) vulnerability in the Mass Contact module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer mass contact" permission to inject arbitrary web script or HTML via a category label.

Published: September 04, 2015; 11:59:04 AM -04:00
V2: 2.1 LOW