Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Filtered by product Drupal
Total 710 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2009-4429 2 Alexander Hass, Drupal 2 Sections Module, Drupal 2025-04-09 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Sections module 5.x before 5.x-1.3 and 6.x before 6.x-1.3 for Drupal allows remote authenticated users with "administer sections" privileges to inject arbitrary web script or HTML via a section name (aka the Name field).
CVE-2009-2372 1 Drupal 1 Drupal 2025-04-09 6.5 MEDIUM N/A
Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.
CVE-2009-4369 1 Drupal 1 Drupal 2025-04-09 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name.
CVE-2009-3363 2 Drupal, Ufku Bayburt 2 Drupal, Bueditor 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the BUEditor module 5.x before 5.x-1.2 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the "plain textarea editor."
CVE-2009-4062 2 Anon-design, Drupal 2 Printfriendly, Drupal 2025-04-09 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Printfriendly module 6.x before 6.x-1.6 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-1249 1 Drupal 2 Drupal, Feedapi Mapper 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map.
CVE-2009-2374 1 Drupal 1 Drupal 2025-04-09 4.3 MEDIUM N/A
Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache.
CVE-2009-4370 1 Drupal 1 Drupal 2025-04-09 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview.
CVE-2009-4371 1 Drupal 1 Drupal 2025-04-09 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form.
CVE-2009-2371 2 Drupal, Michelle Cox 2 Drupal, Advanced Forum 2025-04-09 6.5 MEDIUM N/A
Advanced Forum 6.x before 6.x-1.1, a module for Drupal, does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.
CVE-2009-3920 2 Drupal, Sean Robertson 2 Drupal, Crmngp 2025-04-09 5.0 MEDIUM N/A
An administration page in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal does not perform the expected access control, which allows remote attackers to read log information via unspecified vectors.
CVE-2009-1037 1 Drupal 2 Drupal, Print 2025-04-09 5.0 MEDIUM N/A
Unspecified vulnerability in the Send by e-mail module in the "Printer, e-mail and PDF versions" module 5.x before 5.x-4.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to send unlimited spam messages via unknown vectors related to the flood control API.
CVE-2009-4515 2 Drupal, Speedtech 2 Drupal, Storm 2025-04-09 5.0 MEDIUM N/A
The Storm module 6.x before 6.x-1.25 for Drupal does not enforce privilege requirements for storminvoiceitem nodes, which allows remote attackers to read node titles via unspecified vectors.
CVE-2008-4790 1 Drupal 1 Drupal 2025-04-09 6.0 MEDIUM N/A
The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors.
CVE-2008-1131 1 Drupal 1 Drupal 2025-04-09 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote authenticated users to inject arbitrary web script or HTML via titles in content edit forms.
CVE-2009-3122 2 Chris Shattuck, Drupal 2 Ajaxtable, Drupal 2025-04-09 6.4 MEDIUM N/A
The Ajax Table module 5.x for Drupal does not perform access control, which allows remote attackers to delete arbitrary users and nodes via unspecified vectors.
CVE-2007-6299 1 Drupal 1 Drupal 2025-04-09 7.5 HIGH N/A
Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2) ajaxLoader, and (3) ubrowser contributed modules.
CVE-2009-2610 2 Drupal, Scott Courtney 2 Drupal, Links Package 2025-04-09 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Links Related module in the Links Package 5.x before 5.x-1.13 and 6.x before 6.x-1.2, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via the title field.
CVE-2009-1342 1 Drupal 2 Cck Comment Reference, Drupal 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the CCK comment reference module 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via certain comment titles associated with a node edit form.
CVE-2009-3916 2 Drupal, Ronan Dowling 2 Drupal, Nodehierarchy 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Node Hierarchy module 5.x before 5.x-1.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a child node title.