National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,077 matching records.
Displaying matches 81 through 100.
Vuln ID Summary CVSS Severity
CVE-2016-6211

The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.

Published: September 09, 2016; 10:05:08 AM -04:00
V3.0: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2016-5385

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

Published: July 18, 2016; 10:00:17 PM -04:00
V3.0: 8.1 HIGH
    V2: 5.1 MEDIUM
CVE-2016-3144

Cross-site scripting (XSS) vulnerability in the Block Class module 7.x-2.x before 7.x-2.2 for Drupal allows remote authenticated users with the "Administer block classes" permission to inject arbitrary web script or HTML via a class name.

Published: April 15, 2016; 11:59:02 AM -04:00
V3.0: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2016-3171

Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.

Published: April 12, 2016; 11:59:08 AM -04:00
V3.0: 8.1 HIGH
    V2: 6.8 MEDIUM
CVE-2016-3170

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

Published: April 12, 2016; 11:59:07 AM -04:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2016-3169

The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.

Published: April 12, 2016; 11:59:06 AM -04:00
V3.0: 8.1 HIGH
    V2: 6.8 MEDIUM
CVE-2016-3168

The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."

Published: April 12, 2016; 11:59:05 AM -04:00
V3.0: 6.4 MEDIUM
    V2: 8.5 HIGH
CVE-2016-3167

Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.

Published: April 12, 2016; 11:59:04 AM -04:00
V3.0: 7.4 HIGH
    V2: 6.4 MEDIUM
CVE-2016-3166

CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.

Published: April 12, 2016; 11:59:04 AM -04:00
V3.0: 5.9 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-3165

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

Published: April 12, 2016; 11:59:03 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2016-3164

Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.

Published: April 12, 2016; 11:59:02 AM -04:00
V3.0: 7.4 HIGH
    V2: 5.8 MEDIUM
CVE-2016-3163

The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.

Published: April 12, 2016; 11:59:01 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2016-3162

The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.

Published: April 12, 2016; 11:59:00 AM -04:00
V3.0: 8.1 HIGH
    V2: 6.5 MEDIUM
CVE-2016-3188

The _prepopulate_request_walk function in the Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the (1) actions, (2) container, (3) token, (4) password, (5) password_confirm, (6) text_format, or (7) markup field type, and consequently have unspecified impact, via unspecified vectors.

Published: April 08, 2016; 10:59:06 AM -04:00
V3.0: 7.3 HIGH
    V2: 7.5 HIGH
CVE-2016-3187

The Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the REQUEST superglobal array, and consequently have unspecified impact, via a base64-encoded pp parameter.

Published: April 08, 2016; 10:59:05 AM -04:00
V3.0: 7.3 HIGH
    V2: 7.5 HIGH
CVE-2016-1913

Multiple cross-site scripting (XSS) vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal allow remote authenticated users with certain access to inject arbitrary web script or HTML via unspecified vectors, related to (1) individual contacts, (2) notes, or (3) engagement scores.

Published: January 15, 2016; 03:59:05 PM -05:00
V3.0: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2016-1565

Cross-site scripting (XSS) vulnerability in the Field Group module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with permission to configure field display settings to inject arbitrary web script or HTML via an element attribute.

Published: January 08, 2016; 04:59:10 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 3.5 LOW
CVE-2015-8761

The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the "Import value sets" permission to execute arbitrary PHP code via the exported values list in a ctools import.

Published: January 08, 2016; 02:59:27 PM -05:00
V3.0: 9.0 CRITICAL
    V2: 6.0 MEDIUM
CVE-2015-8754

The Mollom module 6.x-2.7 before 6.x-2.15 for Drupal allows remote attackers to bypass intended access restrictions and modify the mollom blacklist via unspecified vectors.

Published: January 08, 2016; 02:59:20 PM -05:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2015-8602

The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which embeds a rendered entity in the main node.

Published: December 17, 2015; 02:59:14 PM -05:00
    V2: 3.5 LOW