National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,048 matching records.
Displaying matches 81 through 100.
Vuln ID Summary CVSS Severity
CVE-2015-7306

The CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal does not properly check access permissions, which allows remote authenticated users to access and change settings by leveraging the "access administration pages" permission.

Published: September 21, 2015; 03:59:10 PM -04:00
V2: 4.9 MEDIUM
CVE-2015-7305

The Scald module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to fields, which allows remote attackers to obtain sensitive atom property information via vectors involving a "debug context."

Published: September 21, 2015; 03:59:09 PM -04:00
V2: 5.0 MEDIUM
CVE-2015-7304

Cross-site scripting (XSS) vulnerability in the amoCRM module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP POST data.

Published: September 21, 2015; 03:59:07 PM -04:00
V2: 2.6 LOW
CVE-2015-7234

The OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontology and OSF Import modules are enabled, allows user-assisted remote attackers to delete arbitrary files via unspecified vectors.

Published: September 17, 2015; 12:59:13 PM -04:00
V2: 4.0 MEDIUM
CVE-2015-7233

Cross-site request forgery (CSRF) vulnerability in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Import module is enabled, allows remote attackers to hijack the authentication of administrators for requests that create new OSF datasets via unspecified vectors.

Published: September 17, 2015; 12:59:12 PM -04:00
V2: 5.1 MEDIUM
CVE-2015-7232

Cross-site scripting (XSS) vulnerability in unspecified administration pages in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontology module is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: September 17, 2015; 12:59:11 PM -04:00
V2: 2.6 LOW
CVE-2015-7231

The Commerce Commonwealth (CBA) module 7.x-1.x before 7.x-1.5 for Drupal does not properly validate payments, which allows remote attackers to make a failed payment appear valid via a crafted URL, related to a "response from commweb."

Published: September 17, 2015; 12:59:10 PM -04:00
V2: 5.0 MEDIUM
CVE-2015-7230

The Workbench Email module 7.x-3.x before 7.x-3.4 for Drupal allows remote authenticated users with certain permissions to bypass node and field validation by saving a node.

Published: September 17, 2015; 12:59:09 PM -04:00
V2: 3.5 LOW
CVE-2015-7229

The Twitter module 6.x-5.x before 6.x-5.2, 7.x-5.x before 7.x-5.9, and 7.x-6.x before 7.x-6.0 for Drupal does not properly check access permissions, which allows remote authenticated users to post tweets to arbitrary accounts by leveraging the (1) "post to twitter" permission or change the options for arbitrary attached accounts by leveraging the (2) "add twitter accounts" or (3) "add authenticated twitter accounts" permission.

Published: September 17, 2015; 12:59:08 PM -04:00
V2: 3.5 LOW
CVE-2015-7228

The RESTful module 7.x-1.x before 7.x-1.3 for Drupal does not properly cache pages of authenticated users when using non-cookie authentication providers, which allows remote attackers to obtain sensitive information via unspecified vectors.

Published: September 17, 2015; 12:59:07 PM -04:00
V2: 5.0 MEDIUM
CVE-2015-7227

The Fieldable Panels Panes module 7.x-1.x before 7.x-1.7 for Drupal does not properly check permissions to edit Fieldable Panels Panes entities, which allows remote authenticated users to edit panes by leveraging permissions to edit panels.

Published: September 17, 2015; 12:59:06 PM -04:00
V2: 3.5 LOW
CVE-2015-7226

The Administration Views module 7.x-1.x before 7.x-1.5 for Drupal checks access permissions based on the router path from the view instead of the display property, which allows remote attackers to obtain sensitive information via vectors related to the access handler.

Published: September 17, 2015; 12:59:05 PM -04:00
V2: 5.0 MEDIUM
CVE-2015-6921

Cross-site scripting (XSS) vulnerability in the Zendesk Feedback Tab module 7.x-1.x before 7.x-1.1 for Drupal allows remote administrators with the "Configure Zendesk Feedback Tab" permission to inject arbitrary web script or HTML via unspecified vectors.

Published: September 11, 2015; 04:59:03 PM -04:00
V2: 2.6 LOW
CVE-2015-6808

Cross-site scripting (XSS) vulnerability in the Spotlight module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title.

Published: September 04, 2015; 11:59:05 AM -04:00
V2: 3.5 LOW
CVE-2015-6807

Cross-site scripting (XSS) vulnerability in the Mass Contact module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer mass contact" permission to inject arbitrary web script or HTML via a category label.

Published: September 04, 2015; 11:59:04 AM -04:00
V2: 2.1 LOW
CVE-2015-6754

Cross-site scripting (XSS) vulnerability in the administration interface in the Path Breadcrumbs module 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "Administer Path Breadcrumbs" permission to inject arbitrary web script or HTML via unspecified vectors.

Published: August 31, 2015; 03:59:02 PM -04:00
V2: 2.1 LOW
CVE-2015-6753

Multiple cross-site scripting (XSS) vulnerabilities in the Quick Edit module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) entity title, related to in-place editing, or a (2) node title.

Published: August 31, 2015; 03:59:01 PM -04:00
V2: 3.5 LOW
CVE-2015-6752

Cross-site scripting (XSS) vulnerability in the Search API Autocomplete module 7.x-1.x before 7.x-1.3 for Drupal, when the search index is configured to use the HTML filter processor, allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the returned suggestions.

Published: August 31, 2015; 02:59:12 PM -04:00
V2: 2.1 LOW
CVE-2015-6751

Multiple cross-site scripting (XSS) vulnerabilities in the Time Tracker module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) note added to a time entry or an (2) activity used to categorize time tracker entries.

Published: August 31, 2015; 02:59:11 PM -04:00
V2: 3.5 LOW
CVE-2015-6665

Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag.

Published: August 24, 2015; 10:59:22 AM -04:00
V2: 4.3 MEDIUM