Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Filtered by product Drupal
Total 725 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2012-1627 2 Drupal, Marvil07 2 Drupal, Vote Up Down 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in vud_term.module in the Vote Up/Down module 6.x-2.x before 6.x-2.8 and 6.x-3.x before 6.x-3.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via taxonomy terms.
CVE-2012-2710 2 Drupal, John Albin 2 Drupal, Zen 2025-04-11 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in the Zen module 6.x-1.x before 6.x-1.1 for Drupal, when "Append the content title to the end of the breadcrumb" is enabled, allows remote attackers to inject arbitrary web script or HTML via the content title in a breadcrumb.
CVE-2010-5277 2 Drupal, Karim Ratib 2 Drupal, Views Bulk Operations 2025-04-11 4.9 MEDIUM N/A
Unspecified vulnerability in the Views Bulk Operations module 6 before 6.x-1.10 for Drupal allows remote authenticated users with user management permissions to bypass intended access restrictions and delete anonymous users (user 0) via unspecified vectors.
CVE-2010-2353 2 Drupal, Yves Chedemois 2 Drupal, Cck 2025-04-11 5.0 MEDIUM N/A
The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes.
CVE-2012-6575 2 Drupal, Mobile4social 2 Drupal, Exposed Filter Data 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Exposed Filter Data module 6.x-1.x before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-1056 2 Drupal, Sean Robertson 2 Drupal, Forward 2025-04-11 5.0 MEDIUM N/A
The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal does not properly enforce permissions for (1) Recent forwards, (2) Most forwarded, or (3) Dynamic blocks, which allows remote attackers to obtain node titles via unspecified vectors.
CVE-2013-0320 2 Drupal, Mattias Hutterer 2 Drupal, Taxonomy Manager 2025-04-11 5.1 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Taxonomy Manager (taxonomy_manager) module 6.x-2.x before 6.x-2.2 and 7.x-1.x before 7.x-1.0-rc1 for Drupal allows remote attackers to hijack the authentication of users with 'administer taxonomy' permissions via unspecified vectors.
CVE-2010-3685 2 Drupal, Peter Wolanin 2 Drupal, Openid 2025-04-11 5.0 MEDIUM N/A
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
CVE-2013-0245 1 Drupal 1 Drupal 2025-04-11 2.1 LOW N/A
The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors.
CVE-2012-1628 2 63reasons, Drupal 2 Supercron, Drupal 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the SuperCron module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-6388 1 Drupal 1 Drupal 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.
CVE-2009-4772 2 Drupal, Ubercart 2 Drupal, Ubercart 2025-04-11 4.3 MEDIUM N/A
Unspecified vulnerability in the PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal, when a custom checkout completion message is enabled, allows attackers to obtain sensitive information via unknown vectors.
CVE-2012-2063 2 Brian Altenhofel, Drupal 2 Slidebox, Drupal 2025-04-11 5.0 MEDIUM N/A
The Slidebox module before 7.x-1.4 for Drupal does not properly check permissions, which allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2011-2687 1 Drupal 1 Drupal 2025-04-11 7.5 HIGH N/A
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
CVE-2012-1657 2 Drupal, Fourkitchens 2 Drupal, Block Class 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in block_class.module in the Block Class module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the class name.
CVE-2012-1060 2 Drupal, Rik De Boer 2 Drupal, Revisioning 2025-04-11 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in revisioning_theme.inc in the Taxonomy module in the Revisioning module 6.x-3.13 and other versions before 6.x-3.14 for Drupal allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) tags or (2) term parameters.
CVE-2013-6385 1 Drupal 1 Drupal 2025-04-11 5.1 MEDIUM N/A
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.
CVE-2012-5548 2 Carlos Carvalhar, Drupal 2 Time Spent, Drupal 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-4521 2 Drupal, Earl Miles 2 Drupal, Views 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Views module 6.x before 6.x-2.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via a page path.
CVE-2012-5587 2 Drupal, Epiqo 2 Drupal, Email 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Email Field module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the mailto link.