Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Total 837 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2010-1107 2 Drupal, Fourkitchens 2 Drupal, Recent Comments 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Recent Comments module 5.x through 5.x-1.2 and 6.x through 6.x-1.0 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a "custom block title interface."
CVE-2012-2064 2 Drupal, Mark Theunissen 2 Drupal, Views Lang Switch 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in theme/views_lang_switch.theme.inc in the Views Language Switcher module before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via the q parameter.
CVE-2013-0322 2 Drupal, Ubercart 2 Drupal, Ubercart 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Views in the Ubercart module 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.
CVE-2012-1628 2 63reasons, Drupal 2 Supercron, Drupal 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the SuperCron module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-5590 2 Drupal, Scripthead 2 Drupal, Webmail Plus 2025-04-11 7.5 HIGH N/A
SQL injection vulnerability in the Webmail Plus module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2013-0225 2 Drupal, User Relationships Project 2 Drupal, User Relationships 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the User Relationships module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-alpha5 for Drupal allows remote authenticated users with the "administer user relationships" permission to inject arbitrary web script or HTML via a relationship name.
CVE-2012-2065 2 Drupal, Freso 2 Drupal, Languageicons 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Language Icons module 6.x-2.x before 6.x-2.1 and 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with administer languages permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-4140 2 Drupal, Drupalisme 2 Drupal, Tinybox 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the TinyBox (Simple Splash) module before 7.x-2.2 for Drupal allows remote authenticated users with the "administer tinybox" permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-2070 2 Andrew Levine, Drupal 2 Multiblock, Drupal 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the MultiBlock module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer blocks permission to inject arbitrary web script or HTML via the block title.
CVE-2013-0317 2 Drupal, Joe Haskins 2 Drupal, Og Manager Change 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Manager Change for Organic Groups (og_manager_change) module 7.x-2.x before 7.x-2.1 for Drupal might allow remote attackers to inject arbitrary web script or HTML via the username in the new manager autocomplete field.
CVE-2012-3802 2 Drupal, Peter Pokrivcak 2 Drupal, Post Affiliate Pro 2025-04-11 4.0 MEDIUM N/A
Unspecified vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote authenticated users to read the commissions of other users via unknown attack vectors.
CVE-2010-2158 2 Drupal, Speedtech 2 Drupal, Storm 2025-04-11 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) phone, or (3) im parameter in a stormperson action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2012-1644 2 Drupal, Gizra 2 Drupal, Og Vocab 2025-04-11 2.1 LOW N/A
The Organic Groups (OG) Vocabulary module 6.x-1.x before 6.x-1.2 for Drupal allows remote authenticated users with certain administrator permissions to modify the vocabularies of other groups via unspecified vectors.
CVE-2012-4498 2 Drupal, Morbus Iff 2 Drupal, Activism 2025-04-11 7.5 HIGH N/A
The Activism module 6.x-2.x before 6.x-2.1 for Drupal does not properly restrict access to the "Campaign" content type, which might allow remote attackers to bypass access restrictions and possibly have other unspecified impact.
CVE-2011-3730 1 Drupal 1 Drupal 2025-04-11 5.0 MEDIUM N/A
Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and certain other files.
CVE-2013-0323 2 Display Suite Project, Drupal 2 Ds, Drupal 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the author field.
CVE-2013-1971 2 Drupal, Jordan De Laune 2 Drupal, Mp3 Player 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the MP3 Player module for Drupal 6.x allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the file name of a MP3 file.
CVE-2012-1639 2 Commerceguys, Drupal 2 Commerce, Drupal 2025-04-11 3.5 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters.
CVE-2012-1056 2 Drupal, Sean Robertson 2 Drupal, Forward 2025-04-11 5.0 MEDIUM N/A
The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal does not properly enforce permissions for (1) Recent forwards, (2) Most forwarded, or (3) Dynamic blocks, which allows remote attackers to obtain node titles via unspecified vectors.
CVE-2012-2060 2 Drupal, Nijskens Raf 2 Drupal, Admintools 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Admin tools module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.