Total
721 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-0246 | 1 Drupal | 1 Drupal | 2025-04-11 | 4.3 MEDIUM | N/A |
| The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors. | |||||
| CVE-2012-2310 | 2 Drupal, Oleg Kovalchuk | 2 Drupal, Cctags | 2025-04-11 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the cctags module for Drupal 6.x-1.x before 6.x-1.10 and 7.x-1.x before 7.x-1.10 allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-0325 | 2 Drupal, Varnish Http Accelerator Integration Project | 2 Drupal, Varnish | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Varnish module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta2 for Drupal allow remote attackers to inject arbitrary web script or HTML via crafted a (1) Watchdog message or (2) admin setting. | |||||
| CVE-2013-4384 | 2 Drupal, Google Site Search Project | 2 Drupal, Google Site Search Module | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google API. | |||||
| CVE-2013-0182 | 2 Bart Feenstra, Drupal | 2 Payment, Drupal | 2025-04-11 | 5.0 MEDIUM | N/A |
| The Payment module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to payments, which allows remote attackers to read arbitrary payments. | |||||
| CVE-2012-3802 | 2 Drupal, Peter Pokrivcak | 2 Drupal, Post Affiliate Pro | 2025-04-11 | 4.0 MEDIUM | N/A |
| Unspecified vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote authenticated users to read the commissions of other users via unknown attack vectors. | |||||
| CVE-2012-4477 | 2 David Alkire, Drupal | 2 Drag \& Drop Gallery, Drupal | 2025-04-11 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to bypass access restrictions via unknown attack vectors. | |||||
| CVE-2012-4489 | 2 Drupal, Mark Burdett | 2 Drupal, Securelogin | 2025-04-11 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in the securelogin_secure_redirect function in the Secure Login module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter. | |||||
| CVE-2012-4468 | 2 Drupal, Privatemsg Project | 2 Drupal, Privatemsg | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Privatemsg module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a user name in a private message. | |||||
| CVE-2012-2080 | 2 Drupal, Node Limit Number Project | 2 Drupal, Node Limitnumber | 2025-04-11 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Node Limit Number module before 6.x-1.2 for Drupal allows remote attackers to hijack the authentication of users with the administer node limitnumber permission for requests that delete limits. | |||||
| CVE-2013-2129 | 2 Drupal, Nathan Haug | 2 Drupal, Webform | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Webform module 6.x-3.x before 6.x-3.19 for Drupal allows remote authenticated users with the "edit own webform content" or "edit all webform content" permissions to inject arbitrary web script or HTML via a component label. | |||||
| CVE-2012-5655 | 2 Drupal, Steven Jones | 2 Drupal, Context | 2025-04-11 | 5.0 MEDIUM | N/A |
| The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request. | |||||
| CVE-2010-2002 | 3 Addison Berry, Drupal, Jeff Warrington | 3 Wordfilter, Drupal, Wordfilter | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Wordfilter module 5.x before 5.x-1.1 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with "administer words filtered" privileges, to inject arbitrary web script or HTML via the word list. | |||||
| CVE-2012-2726 | 2 Alberto Trujillo Gonzalez, Drupal | 2 Protest, Drupal | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Protest module 6.x-1.x before 6.x-1.2 or 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer protest" permission to inject arbitrary web script or HTML via the protest_body parameter. | |||||
| CVE-2012-3800 | 2 Drupal, Moshe Weitzman | 2 Drupal, Organic Groups | 2025-04-11 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in og.js in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal, when used with the Vertical Tabs module, allows remote authenticated users to inject arbitrary web script or HTML via vectors related the group title. | |||||
| CVE-2010-3093 | 1 Drupal | 1 Drupal | 2025-04-11 | 3.5 LOW | N/A |
| The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue. | |||||
| CVE-2012-5007 | 2 Drupal, Wizonesolutions | 2 Drupal, Fillpdf | 2025-04-11 | 5.0 MEDIUM | N/A |
| The Fill PDF module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to write to arbitrary PDF files via unspecified vectors related to the fillpdf_merge_pdf function and incorrect arguments, a different vulnerability than CVE-2012-1625. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2012-1650 | 2 Drupal, Giantrobot | 2 Drupal, Zipcart | 2025-04-11 | 6.0 MEDIUM | N/A |
| The ZipCart module 6.x before 6.x-1.4 for Drupal checks the "access content" permission instead of the "access ZipCart downloads" permission when building archives, which allows remote authenticated users with access content permission to bypass intended access restrictions. | |||||
| CVE-2012-2306 | 2 Drupal, Willem Van Der Plaat | 2 Drupal, Addressbook | 2025-04-11 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2012-2299 | 2 Drupal, Ubercart | 2 Drupal, Ubercart | 2025-04-11 | 2.1 LOW | N/A |
| The Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal stores passwords for new customers in plaintext during checkout, which allows local users to obtain sensitive information by reading from the database. | |||||