Filtered by vendor Drupal
Subscribe
Total
834 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-0206 | 2 Drupal, Guy Bedford | 2 Drupal, Live Css | 2024-02-28 | 6.0 MEDIUM | N/A |
Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the "administer CSS" permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | |||||
CVE-2012-1630 | 2 Drupal, Nestor Mata Cuthbert | 2 Drupal, Taxonomy Navigator | 2024-02-28 | 2.1 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the Taxonomy Navigator module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-5651 | 1 Drupal | 1 Drupal | 2024-02-28 | 5.0 MEDIUM | N/A |
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results. | |||||
CVE-2012-1625 | 2 Drupal, Wizonesolutions | 2 Drupal, Fillpdf | 2024-02-28 | 6.0 MEDIUM | N/A |
Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via unspecified vectors. NOTE: Some of these details are obtained from third party information. | |||||
CVE-2012-5652 | 1 Drupal | 1 Drupal | 2024-02-28 | 5.0 MEDIUM | N/A |
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result. | |||||
CVE-2012-4496 | 2 Drupal, Inclind | 2 Drupal, Custom Pub | 2024-02-28 | 2.1 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the Custom Publishing Options module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer nodes" permission to inject arbitrary web script or HTML via the status labels parameter. | |||||
CVE-2013-1972 | 2 Alexey Sukhotin, Drupal | 2 Elfinder, Drupal | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in the elFinder file manager module 6.x-0.x before 6.x-0.8 and 7.x-0.x before 7.x-0.8 for Drupal allows remote attackers to hijack the authentication of unspecified victims to create, modify, or delete files via unknown vectors. | |||||
CVE-2012-2306 | 2 Drupal, Willem Van Der Plaat | 2 Drupal, Addressbook | 2024-02-28 | 7.5 HIGH | N/A |
SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
CVE-2012-4473 | 2 Christian Johansson, Drupal | 2 Restrict Node Page View, Drupal | 2024-02-28 | 3.5 LOW | N/A |
The Restrict node page view module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "view any node page" or "view any node {type} page" permission to access unpublished nodes via a direct request. | |||||
CVE-2013-2247 | 2 Drupal, Fast Permissions Administration Project | 2 Drupal, Fast Permission Administration | 2024-02-28 | 7.5 HIGH | N/A |
The Fast Permissions Administration module 6.x-2.x before 6.x-2.5 and 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to the modal content callback, which allows remote attackers to obtain unspecified access to the permissions edit form. | |||||
CVE-2013-4274 | 2 Drupal, Erikwebb | 2 Drupal, Password Policy | 2024-02-28 | 2.1 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the password_policy_admin_view function in password_policy.admin.inc in the Password Policy module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer policies" permission to inject arbitrary web script or HTML via the "Password Expiration Warning" field to the admin/config/people/password_policy/add page. | |||||
CVE-2013-0207 | 2 Drupal, Leighton Whiting | 2 Drupal, Mark Complete | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in the Mark Complete module 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
CVE-2012-2727 | 2 Bryce Hamrick, Drupal | 2 Janrain Capture, Drupal | 2024-02-28 | 5.8 MEDIUM | N/A |
Open redirect vulnerability in the Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when synchronizing user data, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. | |||||
CVE-2013-5937 | 2 Click2sell, Drupal | 2 Click2sell Suite Module, Drupal | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete database information via vectors involving the Drupal Form API. | |||||
CVE-2012-2071 | 2 Drupal, Geoff Davies | 2 Drupal, Contact Forms | 2024-02-28 | 2.1 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the Contact Forms module 6.x-1.x before 6.x-1.13 for Drupal when the core contact form is enabled, allows remote authenticated users with the administer site-wide contact form permission to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-5585 | 2 Drupal, Mixpanel Project | 2 Drupal, Mixpanel | 2024-02-28 | 2.1 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the Mixpanel module 6.x-1.x before 6.x-1.1 in Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via the Maxpanel token. | |||||
CVE-2013-2177 | 2 Drupal, Kristof De Jaeger | 2 Drupal, Display Suite | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via an entity bundle label. | |||||
CVE-2012-2153 | 1 Drupal | 1 Drupal | 2024-02-28 | 4.0 MEDIUM | N/A |
Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which allows remote authenticated users with the "Access the content overview page" permission to read all published nodes by accessing the admin/content page. | |||||
CVE-2012-2705 | 2 Christopher Mitchell, Drupal | 2 Smart Breadcrumb, Drupal | 2024-02-28 | 2.1 LOW | N/A |
The filter_titles function in the Smart Breadcrumb module 6.x-1.x before 6.x-1.3 for Drupal does not properly convert a title to plain-text, which allows remote authenticated users with create or edit node permissions to conduct cross-site scripting (XSS) attacks via the title parameter. | |||||
CVE-2012-1588 | 1 Drupal | 1 Drupal | 2024-02-28 | 3.5 LOW | N/A |
Algorithmic complexity vulnerability in the _filter_url function in the text filtering system (modules/filter/filter.module) in Drupal 7.x before 7.14 allows remote authenticated users with certain roles to cause a denial of service (CPU consumption) via a long email address. |