Total
708 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-4380 | 2 Drupal, Mediafront | 2 Drupal, Mediafront | 2014-05-21 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer mediafront" permission to inject arbitrary web script or HTML via the preset settings. | |||||
| CVE-2013-4498 | 2 Drupal, Florian Weber | 2 Drupal, Spaces | 2014-05-19 | 2.1 LOW | N/A |
| The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 for Drupal does not properly delete organic group group spaces content when using the option to move to a new group, which causes the content to be "orphaned" and allows remote authenticated users with the "access content" permission to obtain sensitive information via vectors involving a rebuild access for the site or content. | |||||
| CVE-2013-4502 | 2 Drupal, Nathan Haug | 2 Drupal, Filefield Sources | 2014-05-14 | 4.0 MEDIUM | N/A |
| The FileField Sources module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.9 for Drupal does not properly check file permissions, which allows remote authenticated users to read arbitrary files by attaching a file. | |||||
| CVE-2013-4504 | 2 Drupal, Monster Menus Module Project | 2 Drupal, Monster Menus | 2014-05-14 | 2.6 LOW | N/A |
| The Monster Menus module 7.x-1.x before 7.x-1.15 allows remote attackers to read arbitrary node comments via a crafted URL. | |||||
| CVE-2013-5965 | 2 Adcisolutions, Drupal | 2 Node View Permissions, Drupal | 2014-05-05 | 5.0 MEDIUM | N/A |
| The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the hook_query_alter function, which might allow remote attackers to obtain sensitive information by reading a node listing. | |||||
| CVE-2013-7302 | 2 Drupal, Ubercart | 2 Drupal, Ubercart | 2014-04-30 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID. | |||||
| CVE-2013-0244 | 1 Drupal | 1 Drupal | 2014-03-08 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. | |||||
| CVE-2012-0826 | 1 Drupal | 1 Drupal | 2014-03-08 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors. | |||||
| CVE-2012-0825 | 1 Drupal | 1 Drupal | 2014-03-08 | 6.8 MEDIUM | N/A |
| Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. | |||||
| CVE-2014-1476 | 1 Drupal | 1 Drupal | 2014-02-21 | 4.0 MEDIUM | N/A |
| The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page. | |||||
| CVE-2014-1475 | 1 Drupal | 1 Drupal | 2014-02-21 | 7.5 HIGH | N/A |
| The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. | |||||
| CVE-2013-4383 | 2 Dennis Bruecke, Drupal | 2 Jquery Countdown, Drupal | 2014-02-04 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-6386 | 1 Drupal | 1 Drupal | 2014-01-14 | 6.8 MEDIUM | N/A |
| Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. | |||||
| CVE-2013-6385 | 1 Drupal | 1 Drupal | 2014-01-14 | 5.1 MEDIUM | N/A |
| The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. | |||||
| CVE-2013-6389 | 1 Drupal | 1 Drupal | 2014-01-04 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2013-6388 | 1 Drupal | 1 Drupal | 2014-01-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS. | |||||
| CVE-2013-6387 | 1 Drupal | 1 Drupal | 2014-01-04 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field. | |||||
| CVE-2012-2153 | 1 Drupal | 1 Drupal | 2013-12-13 | 4.0 MEDIUM | N/A |
| Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which allows remote authenticated users with the "Access the content overview page" permission to read all published nodes by accessing the admin/content page. | |||||
| CVE-2012-1591 | 1 Drupal | 1 Drupal | 2013-12-13 | 5.0 MEDIUM | N/A |
| The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles. | |||||
| CVE-2012-1590 | 1 Drupal | 1 Drupal | 2013-12-13 | 4.0 MEDIUM | N/A |
| The forum list in Drupal 7.x before 7.14 does not properly check user permissions for unpublished forum posts, which allows remote authenticated users to obtain sensitive information such as the post title via the forum overview page. | |||||