Total
710 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-2750 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence. | |||||
| CVE-2015-2749 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. | |||||
| CVE-2011-2726 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL. | |||||
| CVE-2011-2715 | 1 Drupal | 2 Data, Drupal | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. | |||||
| CVE-2011-2714 | 1 Drupal | 2 Data, Drupal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. | |||||
| CVE-2010-2473 | 1 Drupal | 1 Drupal | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
| Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. | |||||
| CVE-2010-2472 | 1 Drupal | 1 Drupal | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. | |||||
| CVE-2010-2471 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Drupal versions 5.x and 6.x has open redirection | |||||
| CVE-2010-2250 | 1 Drupal | 1 Drupal | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. | |||||
| CVE-2024-45440 | 1 Drupal | 1 Drupal | 2024-10-28 | N/A | 5.3 MEDIUM |
| core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist. | |||||