Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): token drupal module
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2013-4227 |
Cross-site request forgery (CSRF) vulnerability in the persona_xsrf_token function in persona.module in the Mozilla Persona module 7.x-1.x before 7.x-1.11 for Drupal allows remote attackers to hijack the authentication of aribitrary users via a security token that is not a string data type. Published: February 18, 2020; 10:15:11 AM -0500 |
V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2016-3188 |
The _prepopulate_request_walk function in the Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the (1) actions, (2) container, (3) token, (4) password, (5) password_confirm, (6) text_format, or (7) markup field type, and consequently have unspecified impact, via unspecified vectors. Published: April 08, 2016; 10:59:06 AM -0400 |
V3.0: 7.3 HIGH V2.0: 7.5 HIGH |
CVE-2015-8602 |
The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which embeds a rendered entity in the main node. Published: December 17, 2015; 2:59:14 PM -0500 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2015-3373 |
The Amazon AWS module before 7.x-1.3 for Drupal uses the base URL and AWS access key to generate the access token, which makes it easier for remote attackers to guess the token value and create backups via a crafted URL. Published: April 21, 2015; 12:59:31 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2015-2197 |
Cross-site scripting (XSS) vulnerability in the Entity API module before 7.x-1.6 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a field label in the Token API. Published: March 03, 2015; 2:59:03 PM -0500 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2014-9023 |
The Twilio module 7.x-1.x before 7.x-1.9 for Drupal does not properly restrict access to the Twilio administration pages, which allows remote authenticated users to read and modify authentication tokens by leveraging the "access administration pages" Drupal permission. Published: November 20, 2014; 12:50:12 PM -0500 |
V3.x:(not available) V2.0: 5.5 MEDIUM |
CVE-2014-3933 |
Cross-site scripting (XSS) vulnerability in the address components field formatter in the AddressField Tokens module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via an address field. Published: June 02, 2014; 10:55:03 AM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2013-4445 |
The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access. Published: December 07, 2013; 3:55:02 PM -0500 |
V3.x:(not available) V2.0: 4.9 MEDIUM |
CVE-2013-0258 |
The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 for Drupal, when multi-factor authentication is enabled, allows remote attackers to bypass authentication for accounts without an associated Google Authenticator token by logging in with the username. Published: March 27, 2013; 5:55:02 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2012-5585 |
Cross-site scripting (XSS) vulnerability in the Mixpanel module 6.x-1.x before 6.x-1.1 in Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via the Maxpanel token. Published: December 26, 2012; 12:55:02 PM -0500 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2012-4469 |
Cross-site scripting (XSS) vulnerability in the Hashcash module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.2 for Drupal, when "Log failed hashcash" is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid token, which is not properly handled when administrators use the Database logging module. Published: November 30, 2012; 5:55:00 PM -0500 |
V3.x:(not available) V2.0: 2.6 LOW |
CVE-2012-2061 |
Cross-site request forgery (CSRF) vulnerability in the Admin tools module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors involving "not checking tokens." Published: September 17, 2012; 4:55:02 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2012-2058 |
The Ubercart Payflow module for Drupal does not use a secure token, which allows remote attackers to forge payments via unspecified vectors. Published: September 17, 2012; 4:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-2720 |
The Token Authentication (tokenauth) module 6.x-1.x before 6.x-1.7 for Drupal does not properly revert user sessions, which might allow remote attackers to perform requests with extra privileges. Published: June 26, 2012; 8:55:04 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2010-4813 |
Cross-site scripting (XSS) vulnerability in the Category Tokens module 6.x before 6.x-1.1 for Drupal allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML by editing or creating vocabulary names, which are not properly handled in token help. Published: July 08, 2011; 6:55:00 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2010-1539 |
Cross-site scripting (XSS) vulnerability in the Workflow module 5.x-2.x before 5.x-2.6 and 6.x-1.x before 6.x-1.4 for Drupal, when used with the Token module, might allow remote authenticated users to inject arbitrary web script or HTML via a certain Comment field. Published: April 26, 2010; 3:30:00 PM -0400 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2009-4533 |
The Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, does not prevent caching of a page that contains token placeholders for a default value, which allows remote attackers to read session variables via unspecified vectors. Published: December 31, 2009; 2:30:00 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2007-5621 |
Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames. Published: October 22, 2007; 3:46:00 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |