Filtered by vendor Drupal
Subscribe
Total
853 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-8078 | 1 Drupal | 1 Print | 2025-04-12 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 6.x-1.x before 6.x-1.19, 7.x-1.x before 7.x-1.3, and 7.x-2.x before 7.x-2.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to nodes. | |||||
| CVE-2015-6665 | 3 Chaos Tool Suite Project, Drupal, Fedoraproject | 3 Ctools, Drupal, Fedora | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag. | |||||
| CVE-2014-7978 | 1 Drupal | 1 Bluemasters | 2025-04-12 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the BlueMasters theme 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. | |||||
| CVE-2015-3231 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | 4.0 MEDIUM | N/A |
| The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache. | |||||
| CVE-2014-8079 | 1 Drupal | 1 Mayo | 2025-04-12 | 4.0 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to header background setting. | |||||
| CVE-2014-5020 | 1 Drupal | 1 Drupal | 2025-04-12 | 4.9 MEDIUM | N/A |
| The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field. | |||||
| CVE-2015-3232 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter. | |||||
| CVE-2016-3163 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method. | |||||
| CVE-2016-6211 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | 6.5 MEDIUM | 8.8 HIGH |
| The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form. | |||||
| CVE-2014-5019 | 1 Drupal | 1 Drupal | 2025-04-12 | 5.0 MEDIUM | N/A |
| The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use. | |||||
| CVE-2014-3704 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | 7.5 HIGH | N/A |
| The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. | |||||
| CVE-2016-7570 | 1 Drupal | 1 Drupal | 2025-04-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes. | |||||
| CVE-2013-7302 | 2 Drupal, Ubercart | 2 Drupal, Ubercart | 2025-04-12 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID. | |||||
| CVE-2013-4178 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2025-04-12 | 5.0 MEDIUM | N/A |
| The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP). | |||||
| CVE-2014-5022 | 1 Drupal | 1 Drupal | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field. | |||||
| CVE-2015-3233 | 1 Drupal | 1 Drupal | 2025-04-12 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2016-7572 | 1 Drupal | 1 Drupal | 2025-04-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors. | |||||
| CVE-2014-9016 | 3 Debian, Drupal, Secure Password Hashes Project | 3 Debian Linux, Drupal, Secure Passwords Hashes | 2025-04-12 | 5.0 MEDIUM | N/A |
| The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. | |||||
| CVE-2014-8746 | 1 Drupal | 1 Skeleton Theme | 2025-04-12 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Skeleton theme 7.x-1.2 through 7.x-1.3 before 7.x-1.4, for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. | |||||
| CVE-2015-6658 | 1 Drupal | 1 Drupal | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files. | |||||