Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Drupal
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2013-7063 |
The Invitation module 7.x-2.x for Drupal does not properly check permissions, which allows remote attackers to obtain sensitive information via unspecified default views. Published: April 29, 2014; 10:38:43 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-2715 |
Multiple cross-site scripting (XSS) vulnerabilities in vwrooms\templates\logout.tpl.php in the VideoWhisper Webcam plugins for Drupal 7.x allow remote attackers to inject arbitrary web script or HTML via the (1) module or (2) message parameter to index.php. Published: April 28, 2014; 10:09:07 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-2983 |
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. Published: April 23, 2014; 11:55:05 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-6645 |
Cross-site scripting (XSS) vulnerability in the autocomplete functionality in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote attackers to inject arbitrary web script or HTML via the title of a node, a different vulnerability than CVE-2012-1561. Published: April 08, 2014; 10:22:09 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-1561 |
Cross-site scripting (XSS) vulnerability in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the "checkbox and radio button functionalities." Published: April 08, 2014; 10:22:09 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-1946 |
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache." Published: April 06, 2014; 12:55:06 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-4499 |
Cross-site scripting (XSS) vulnerability in the Bean module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via the bean title. Published: February 14, 2014; 2:55:05 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-4383 |
Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors. Published: January 31, 2014; 10:07:34 AM -0500 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2014-1611 |
Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field. Published: January 30, 2014; 1:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-1607 |
Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future Published: January 26, 2014; 3:55:06 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-1476 |
The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page. Published: January 24, 2014; 1:55:05 PM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2014-1475 |
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. Published: January 24, 2014; 1:55:05 PM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2013-0244 |
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. Published: January 19, 2014; 12:16:30 PM -0500 |
V3.x:(not available) V2.0: 2.6 LOW |
CVE-2013-6388 |
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS. Published: December 24, 2013; 3:55:04 PM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-6387 |
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field. Published: December 24, 2013; 3:55:04 PM -0500 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2013-7067 |
The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not properly override pages that have an access callback set to false, which allows remote attackers to bypass intended access restrictions via a request. Published: December 18, 2013; 11:24:57 PM -0500 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2013-6389 |
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Published: December 07, 2013; 4:55:10 PM -0500 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2013-6386 |
Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. Published: December 07, 2013; 4:55:10 PM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2013-6385 |
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. Published: December 07, 2013; 4:55:10 PM -0500 |
V3.x:(not available) V2.0: 5.1 MEDIUM |
CVE-2013-4446 |
The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. Published: December 07, 2013; 3:55:02 PM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |