Filtered by vendor Drupal
Total: 834 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2012-1633 | 2 Drupal, Erikwebb | 2 Drupal, Password Policy | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote attackers to hijack the authentication of administrative users for requests that unblock a user. | |||||
CVE-2012-2058 | 2 Drupal, Paypal | 2 Drupal, Ubercart Payflow | 2024-02-28 | 5.0 MEDIUM | N/A |
The Ubercart Payflow module for Drupal does not use a secure token, which allows remote attackers to forge payments via unspecified vectors. | |||||
CVE-2010-5276 | 2 Drupal, Memcache Project | 2 Drupal, Memcache | 2024-02-28 | 4.3 MEDIUM | N/A |
The Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal does not properly handle the $user object in memcache_admin, which might "lead to a role change not being recognized until the user logs in again." | |||||
CVE-2012-5588 | 2 Drupal, Epiqo | 2 Drupal, Email | 2024-02-28 | 2.6 LOW | N/A |
The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a field permission module and the field contact field formatter is set to the full or teaser display mode, does not properly check permissions, which allows remote attackers to email the stored address via unspecified vectors. | |||||
CVE-2012-2083 | 2 Drupal, Fusiondrupalthemes | 2 Drupal, Fusion | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the fusion_core_preprocess_page function in fusion_core/template.php in the Fusion module before 6.x-1.13 for Drupal allows remote attackers to inject arbitrary web script or HTML via the q parameter. | |||||
CVE-2012-2717 | 2 Drupal, Mathew Winstone | 2 Drupal, Mobile Tools | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the Mobile Tools module 6.x-2.x before 6.x-2.3 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) Mobile URL field or (2) Desktop URL field to the General configuration page, or the (3) message to the Mobile Tools block message options. | |||||
CVE-2013-2123 | 2 Drupal, Node Access User Reference Project | 2 Drupal, Nodeaccess Userreference Module | 2024-02-28 | 5.8 MEDIUM | N/A |
The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to content containing a user reference field when the author update/delete grants are enabled and the author's user account is deleted, which allows remote attackers to modify the content via unspecified vectors. | |||||
CVE-2012-2080 | 2 Drupal, Node Limit Number Project | 2 Drupal, Node Limitnumber | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in the Node Limit Number module before 6.x-1.2 for Drupal allows remote attackers to hijack the authentication of users with the administer node limitnumber permission for requests that delete limits. | |||||
CVE-2013-0245 | 1 Drupal | 1 Drupal | 2024-02-28 | 2.1 LOW | N/A |
The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to nodes that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors. | |||||
CVE-2012-4488 | 2 Drupal, Location Module Project | 2 Drupal, Location | 2024-02-28 | 5.0 MEDIUM | N/A |
The Location module 6.x before 6.x-3.2 and 7.x before 7.x-3.0-alpha1 for Drupal does not properly check user or node access permissions, which allows remote attackers to read node or user results via the location search page. | |||||
CVE-2012-6582 | 2 Drupal, Spambot Module Project | 2 Drupal, Spambot | 2024-02-28 | 2.6 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the Spambot module 6.x-3.x before 6.x-3.2 and 7.x-1.x before 7.x-1.1 for Drupal allows certain remote attackers to inject arbitrary web script or HTML via a stopforumspam.com API response, which is logged by the watchdog. | |||||
CVE-2011-5188 | 2 Drupal, Tag1consulting | 2 Drupal, Support Timer | 2024-02-28 | 2.1 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the Support Timer module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "track time spent" permission to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-4487 | 2 Boombatower, Drupal | 2 Subuser, Drupal | 2024-02-28 | 4.0 MEDIUM | N/A |
The Subuser module before 6.x-1.8 for Drupal does not properly check "switch subuser" permissions, which allows remote authenticated parent users to change their role by switching to a subuser they created. | |||||
CVE-2012-1650 | 2 Drupal, Giantrobot | 2 Drupal, Zipcart | 2024-02-28 | 6.0 MEDIUM | N/A |
The ZipCart module 6.x before 6.x-1.4 for Drupal checks the "access content" permission instead of the "access ZipCart downloads" permission when building archives, which allows remote authenticated users with access content permission to bypass intended access restrictions. | |||||
CVE-2012-5548 | 2 Carlos Carvalhar, Drupal | 2 Time Spent, Drupal | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-2304 | 2 Drupal, Emil Stjerneman | 2 Drupal, Linkit | 2024-02-28 | 4.3 MEDIUM | N/A |
The Linkit module 7.x-2.x before 7.x-2.3 for Drupal, when using an entity access module, does not check permissions when searching for entities, which allows remote attackers to obtain sensitive information via unspecified vectors. | |||||
CVE-2012-3802 | 2 Drupal, Peter Pokrivcak | 2 Drupal, Post Affiliate Pro | 2024-02-28 | 4.0 MEDIUM | N/A |
Unspecified vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote authenticated users to read the commissions of other users via unknown attack vectors. | |||||
CVE-2012-4499 | 2 Drupal, Matthias Hutterer | 2 Drupal, Email | 2024-02-28 | 5.0 MEDIUM | N/A |
The contact formatter page in the Email Field module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to email the stored address in the entity via unspecified vectors. | |||||
CVE-2012-2718 | 2 Drupal, Drupal-id | 2 Drupal, Counter Module | 2024-02-28 | 7.5 HIGH | N/A |
SQL injection vulnerability in the Counter module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "recording visits." | |||||
CVE-2012-2296 | 2 Drupal, Janrain | 2 Drupal, Rpx | 2024-02-28 | 5.0 MEDIUM | N/A |
The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x, 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a separate vulnerability. |