Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Filtered by product Drupal
Total 721 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2012-2704 2 Drupal, John Franklin 2 Drupal, Advertisement 2025-04-11 5.0 MEDIUM N/A
The Advertisement module 6.x-2.x before 6.x-2.3 for Drupal does not properly restrict access to debug information, which allows remote attackers to obtain sensitive site configuration information that is specified by the $conf variable in settings.php.
CVE-2014-1475 1 Drupal 1 Drupal 2025-04-11 7.5 HIGH N/A
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.
CVE-2012-1636 2 Drupal, Luke Herrington 2 Drupal, Stickynote 2025-04-11 4.3 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of users for requests that delete stickynotes via unspecified vectors.
CVE-2010-4519 2 Drupal, Earl Miles 2 Drupal, Views 2025-04-11 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the Views UI implementation in the Views module 5.x before 5.x-1.8 and 6.x before 6.x-2.11 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable all Views or (2) disable all Views.
CVE-2012-5547 2 Drupal, Thomas Seidl 2 Drupal, Search Api 2025-04-11 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (2) enable a search index via an enable index action.
CVE-2013-5965 2 Adcisolutions, Drupal 2 Node View Permissions, Drupal 2025-04-11 5.0 MEDIUM N/A
The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the hook_query_alter function, which might allow remote attackers to obtain sensitive information by reading a node listing.
CVE-2012-1655 2 Drupal, Sven Decabooter 2 Drupal, Uc Paydutchgroup \/ Wedeal Payment 2025-04-11 4.0 MEDIUM N/A
Unspecified vulnerability in the UC PayDutchGroup / WeDeal payment module 6.x-1.0 for Drupal allows remote authenticated users to obtain account credentials via unknown attack vectors.
CVE-2010-3094 1 Drupal 1 Drupal 2025-04-11 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.
CVE-2010-2123 2 Drupal, Speedtech 2 Drupal, Storm 2025-04-11 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) address, (3) city, (4) provstate (aka state), (5) phone, or (6) taxid parameter in a stormorganization action to index.php; the (7) name parameter in a stormperson action to index.php; the (8) stepno (aka Step no.) or (9) title parameter in a stormtask action to index.php; the (10) title (aka Project) parameter in a stormticket action to index.php; or (11) unspecified parameters in a stormproject action to index.php. NOTE: some of these details are obtained from third party information.
CVE-2012-2711 2 Drupal, Nancy Wichmann 2 Drupal, Taxonomy List 2025-04-11 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy List module 6.x-1.x before 6.x-1.4 for Drupal allow remote authenticated users with create or edit taxonomy terms permissions to inject arbitrary web script or HTML via vectors related to taxonomy information.
CVE-2010-0697 2 Drupal, Ilya Ivanchenko 2 Drupal, Itweak Upload 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the iTweak Upload module 6.x-1.x before 6.x-1.2 and 6.x-2.x before 6.x-2.3 for Drupal allows remote authenticated users, with create content and upload file permissions, to inject arbitrary web script or HTML via the file name of an uploaded file.
CVE-2011-4560 1 Drupal 2 Drupal, Petition Node Module 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Petition Node module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to signing a petition.
CVE-2013-1908 3 Acquia, Commons Wikis Project, Drupal 3 Commons, Commons Wikis, Drupal 2025-04-11 5.0 MEDIUM N/A
The Commons Wikis module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors.
CVE-2013-6388 1 Drupal 1 Drupal 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.
CVE-2012-2730 2 Alexis Wilke, Drupal 2 Protected Node, Drupal 2025-04-11 7.5 HIGH N/A
The Protected Node module 6.x-1.x before 6.x-1.6 for Drupal does not properly "protect node access when nodes are accessed outside of the standard node view," which allows remote attackers to bypass intended access restrictions.
CVE-2012-2719 2 Blaine Lang, Drupal 2 Filedepot, Drupal 2025-04-11 5.1 MEDIUM N/A
The filedepot module 6.x-1.x before 6.x-1.3 for Drupal, when accessed using multiple different browsers from the same IP address, causes Internet Explorer sessions to "switch users" when uploading a file, which has unspecified impact possibly involving file uploads to the wrong user directory, aka "Session Management Vulnerability."
CVE-2012-1591 1 Drupal 1 Drupal 2025-04-11 5.0 MEDIUM N/A
The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles.
CVE-2012-2712 2 Drupal, Thomas Seidl 2 Drupal, Search Api 2025-04-11 2.6 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.1 for Drupal, when supporting manual entry of field identifiers, allow remote attackers to inject arbitrary web script or HTML via vectors related to thrown exceptions and logging errors.
CVE-2007-6752 1 Drupal 1 Drupal 2025-04-11 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off.
CVE-2012-4471 2 Dominique Clause, Drupal 2 Search Autocomplete, Drupal 2025-04-11 5.0 MEDIUM N/A
The Search Autocomplete module 7.x-2.x before 7.x-2.4 for Drupal does not properly restrict access to the module admin page, which allows remote attackers to disable an autocompletion or change the priority order via unspecified vectors.