Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Filtered by product Drupal
Total 725 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2013-1783 2 Devsaran, Drupal 2 Business, Drupal 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in page--front.tpl.php in the Business theme before 7.x-1.8 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-6387 1 Drupal 1 Drupal 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.
CVE-2012-5549 2 Carlos Carvalhar, Drupal 2 Time Spent, Drupal 2025-04-11 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2012-4477 2 David Alkire, Drupal 2 Drag \& Drop Gallery, Drupal 2025-04-11 5.0 MEDIUM N/A
Unspecified vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to bypass access restrictions via unknown attack vectors.
CVE-2012-2726 2 Alberto Trujillo Gonzalez, Drupal 2 Protest, Drupal 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Protest module 6.x-1.x before 6.x-1.2 or 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer protest" permission to inject arbitrary web script or HTML via the protest_body parameter.
CVE-2012-4493 2 Drupal, Roy Baxter 2 Drupal, Better Revisions 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the administrative interface in the Better Revisions module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer better revisions" permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-2309 2 Drupal, Wearepropeople 2 Drupal, Glossify Internal Links Auto Seo 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Glossify Internal Links Auto SEO module for Drupal 6.x-2.5 and earlier allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-0324 2 Drupal, Tomasbarej 2 Drupal, Menu Reference 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Rendered links formatter in the Menu Reference module 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with the "Administer menus and menu items" permission to inject arbitrary web script or HTML via the menu link title.
CVE-2012-4478 2 David Alkire, Drupal 2 Drag \& Drop Gallery, Drupal 2025-04-11 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to hijack the authentication of administrators.
CVE-2012-1626 2 Drupal, Karen Stevenson 2 Drupal, Date 2025-04-11 6.0 MEDIUM N/A
SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer Date Tools" privilege to execute arbitrary SQL commands via unspecified vectors.
CVE-2012-0914 2 Drupal, Earl Miles 2 Drupal, Panels 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in display_renderers/panels_renderer_editor.class.php in the admin view in the Panels module 6.x-2.x before 6.x-3.10 and 7.x-3.x before 7.x-3.0 for Drupal allows remote authenticated users with certain privileges to inject arbitrary web script or HTML via the Region title.
CVE-2013-0244 1 Drupal 1 Drupal 2025-04-11 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements.
CVE-2010-1107 2 Drupal, Fourkitchens 2 Drupal, Recent Comments 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Recent Comments module 5.x through 5.x-1.2 and 6.x through 6.x-1.0 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a "custom block title interface."
CVE-2012-4470 2 Drupal, Philip Ludlam 2 Drupal, Listhandler 2025-04-11 7.5 HIGH N/A
The Listhandler module 6.x-1.x before 6.x-1.1 for Drupal does not properly check permissions when importing emails, which allows remote comment authors to bypass access restrictions and possibly have other unspecified impact.
CVE-2012-2715 2 Drupal, Jason Moore 2 Drupal, Amadou 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the themes_links function in template.php in the Amadou theme module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to class attributes in a list of links.
CVE-2012-5588 2 Drupal, Epiqo 2 Drupal, Email 2025-04-11 2.6 LOW N/A
The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a field permission module and the field contact field formatter is set to the full or teaser display mode, does not properly check permissions, which allows remote attackers to email the stored address via unspecified vectors.
CVE-2012-2056 2 Drupal, Nathan Brink 2 Drupal, Content Lock 2025-04-11 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Content Lock module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2012-2073 2 Drupal, Kristof De Jaeger 2 Drupal, Bundle Copy 2025-04-11 6.0 MEDIUM N/A
The Bundle copy module 7.x-1.x before 7.x-1.1 for Drupal does not check for the "use PHP for settings" permission while importing settings, which allows remote authenticated users with certain permissions to execute arbitrary PHP code via unspecified vectors.
CVE-2012-2304 2 Drupal, Emil Stjerneman 2 Drupal, Linkit 2025-04-11 4.3 MEDIUM N/A
The Linkit module 7.x-2.x before 7.x-2.3 for Drupal, when using an entity access module, does not check permissions when searching for entities, which allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2013-2177 2 Drupal, Kristof De Jaeger 2 Drupal, Display Suite 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via an entity bundle label.