Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Filtered by product Drupal
Total 710 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2008-6910 2 Drupal, Marc Ingram 2 Drupal, Services 2025-04-09 7.5 HIGH N/A
Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not use timeouts for signed requests, which allows remote attackers to impersonate other users and gain privileges via a replay attack that sends the same request.
CVE-2009-3921 2 Drupal, Ezra Barnett Gildesgame 2 Drupal, Smartqueue Og 2025-04-09 4.0 MEDIUM N/A
The Smartqueue_og module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-rc3, a module for Drupal, does not verify group-node privileges in certain circumstances involving subqueue creation, which allows remote authenticated users to discover arbitrary organic group names by reading confirmation messages.
CVE-2009-3352 1 Drupal 1 Drupal 2025-04-09 10.0 HIGH N/A
Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors.
CVE-2009-1344 1 Drupal 2 Drupal, Localization Client 2025-04-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Localization client module 5.x before 5.x-1.2 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the translation functionality.
CVE-2009-4532 2 Drupal, Nathan Haug 2 Drupal, Webform 2025-04-09 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, allows remote authenticated users, with webform creation privileges, to inject arbitrary web script or HTML via a field label.
CVE-2009-4520 2 Drupal, Kristof De Jaeger 2 Drupal, Commentreference 2025-04-09 5.0 MEDIUM N/A
The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to bypass intended access restrictions and read comments by using the autocomplete path.
CVE-2009-2077 2 Angrydonuts, Drupal 2 Views, Drupal 2025-04-09 4.0 MEDIUM N/A
Drupal 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to bypass access restrictions and (1) read unpublished content from anonymous users when a view is already configured to display the content, and (2) read private content in generated queries.
CVE-2020-11023 7 Debian, Drupal, Fedoraproject and 4 more 60 Debian Linux, Drupal, Fedora and 57 more 2025-04-04 4.3 MEDIUM 6.9 MEDIUM
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-36193 4 Debian, Drupal, Fedoraproject and 1 more 4 Debian Linux, Drupal, Fedora and 1 more 2025-04-03 5.0 MEDIUM 7.5 HIGH
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CVE-2006-4002 1 Drupal 1 Drupal 2025-04-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in user.module in Drupal 4.6 before 4.6.9, and 4.7 before 4.7.3, allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: portions of these details are obtained from third party information.
CVE-2006-2742 1 Drupal 1 Drupal 2025-04-03 7.5 HIGH N/A
SQL injection vulnerability in Drupal 4.6.x before 4.6.7 and 4.7.0 allows remote attackers to execute arbitrary SQL commands via the (1) count and (2) from variables to (a) database.mysql.inc, (b) database.pgsql.inc, and (c) database.mysqli.inc.
CVE-2005-2106 1 Drupal 1 Drupal 2025-04-03 5.0 MEDIUM N/A
Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.
CVE-2006-4120 1 Drupal 2 Drupal, Recipe Module 2025-04-03 5.1 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Recipe module (recipe.module) before 1.54 for Drupal 4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2006-2832 1 Drupal 1 Drupal 2025-04-03 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in the upload module (upload.module) in Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via the uploaded filename.
CVE-2006-1227 1 Drupal 1 Drupal 2025-04-03 4.6 MEDIUM N/A
Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access control for the page that is referenced, which might allow remote attackers to access administrator pages.
CVE-2002-1806 1 Drupal 1 Drupal 2025-04-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag.
CVE-2006-0070 1 Drupal 1 Drupal 2025-04-03 4.3 MEDIUM N/A
Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE
CVE-2005-1921 5 Debian, Drupal, Gggeek and 2 more 5 Debian Linux, Drupal, Phpxmlrpc and 2 more 2025-04-03 7.5 HIGH N/A
Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.
CVE-2006-2831 1 Drupal 1 Drupal 2025-04-03 7.5 HIGH N/A
Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides are disabled within .htaccess, allows remote attackers to execute arbitrary code by uploading a file with multiple extensions, a variant of CVE-2006-2743.
CVE-2005-3974 1 Drupal 1 Drupal 2025-04-03 6.4 MEDIUM N/A
Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PHP5, does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission.