Total
725 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2007-6752 | 1 Drupal | 1 Drupal | 2025-04-11 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off. | |||||
| CVE-2012-4489 | 2 Drupal, Mark Burdett | 2 Drupal, Securelogin | 2025-04-11 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in the securelogin_secure_redirect function in the Secure Login module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter. | |||||
| CVE-2012-1635 | 2 Drupal, Rik De Boer | 2 Drupal, Revisioning | 2025-04-11 | 6.4 MEDIUM | N/A |
| The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the current user even when it is called to check permissions of other users, which allows remote attackers to bypass intended access restrictions, as demonstrated when using the XML sitemap module to obtain sensitive information about unpublished content. | |||||
| CVE-2012-2298 | 2 Drupal, Nancy Wichmann | 3 Drupal, Realname, Realname | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the RealName module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) "user names in page titles" and (2) "autocomplete callbacks." | |||||
| CVE-2012-2064 | 2 Drupal, Mark Theunissen | 2 Drupal, Views Lang Switch | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in theme/views_lang_switch.theme.inc in the Views Language Switcher module before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via the q parameter. | |||||
| CVE-2012-4500 | 2 Drupal, Nancy Wichmann | 2 Drupal, Announcements | 2025-04-11 | 3.5 LOW | N/A |
| The Announcements module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the "access announcements" permission to bypass node access restrictions and possibly have other unspecified impact. | |||||
| CVE-2013-1971 | 2 Drupal, Jordan De Laune | 2 Drupal, Mp3 Player | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the MP3 Player module for Drupal 6.x allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the file name of a MP3 file. | |||||
| CVE-2010-1536 | 2 Drupal, Mearra | 2 Drupal, Addthis | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the AddThis Button module 5.x before 5.x-2.2 and 6.x before 6.x-2.9 for Drupal allows remote authenticated users, with administer addthis privileges, to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-1393 | 2 Curvycorners, Drupal | 2 Curvycorners, Drupal | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the CurvyCorners module 6.x-1.x and 7.x-1.x for Drupal allows remote authenticated users with the "administer curvycorners" permission to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2012-2721 | 2 Drupal, Moshe Weitzman | 2 Drupal, Organic Groups | 2025-04-11 | 6.8 MEDIUM | N/A |
| The default views in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal do not properly check permissions when all users have the "access content" permission removed, which allows remote attackers to bypass access restrictions and possibly have other unspecified impact. | |||||
| CVE-2010-2000 | 2 Drupal, Ron Jerome | 2 Drupal, Bibliography | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) module 5.x through 5.x-1.17 and 6.x through 6.x-1.9 for Drupal allows remote authenticated users, with "administer biblio" privileges, to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-1358. | |||||
| CVE-2010-1539 | 2 Drupal, John Vandyk | 2 Drupal, Workflow | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Workflow module 5.x-2.x before 5.x-2.6 and 6.x-1.x before 6.x-1.4 for Drupal, when used with the Token module, might allow remote authenticated users to inject arbitrary web script or HTML via a certain Comment field. | |||||
| CVE-2011-3730 | 1 Drupal | 1 Drupal | 2025-04-11 | 5.0 MEDIUM | N/A |
| Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and certain other files. | |||||
| CVE-2012-5655 | 2 Drupal, Steven Jones | 2 Drupal, Context | 2025-04-11 | 5.0 MEDIUM | N/A |
| The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request. | |||||
| CVE-2010-1984 | 2 Drupal, Michael Nichols | 2 Drupal, Taxonomy Breadcrumb | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb module 5.x before 5.x-1.5 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via the taxonomy term name in a Breadcrumb display. | |||||
| CVE-2013-2197 | 2 Drupal, Login Security Project | 2 Drupal, Login Security | 2025-04-11 | 4.3 MEDIUM | N/A |
| The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal, when using the login delay option, allows remote attackers to cause a denial of service (CPU consumption) via a large number of failed login attempts. | |||||
| CVE-2012-3798 | 2 Bryce Hamrick, Drupal | 2 Janrain Capture, Drupal | 2025-04-11 | 5.0 MEDIUM | N/A |
| The Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when creating a local user account, allows attackers to obtain part of the initial input used to generate passwords, which makes it easier to conduct brute force password guessing attacks. | |||||
| CVE-2013-1887 | 2 Drupal, Views Project | 2 Drupal, Views | 2025-04-11 | 2.1 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields. | |||||
| CVE-2012-6573 | 2 Alejandro Garza, Drupal | 2 Apachesolr Autocomplete, Drupal | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Apache Solr Autocomplete module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving autocomplete results. | |||||
| CVE-2013-4384 | 2 Drupal, Google Site Search Project | 2 Drupal, Google Site Search Module | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google API. | |||||