Vulnerabilities (CVE)

Filtered by vendor Drupal Subscribe
Total 837 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2012-1057 2 Drupal, Sean Robertson 2 Drupal, Forward 2025-04-11 6.0 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the clickthrough tracking functionality in the Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that increase node rankings via the tracking code, possibly related to improper "flood control."
CVE-2012-5589 2 Drupal, Netgenius 2 Drupal, Multilink 2025-04-11 3.5 LOW N/A
The MultiLink module 6.x-2.x before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal does not properly check node permissions when generating an in-content link, which allows remote authenticated users with text-editing permissions to read arbitrary node titles via a generated link.
CVE-2012-5543 2 Drupal, Feeds Project 2 Drupal, Feeds 2025-04-11 4.3 MEDIUM N/A
The Feeds module 7.x-2.x before 7.x-2.0-alpha6 for Drupal, when a field is mapped to the node's author, does not properly check permissions, which allows remote attackers to create arbitrary nodes via a crafted source feed.
CVE-2013-1778 2 Devsaran, Drupal 2 Creative, Drupal 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Creative Theme 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.
CVE-2012-4492 2 Drupal, Isaac Sukin 2 Drupal, Shorten 2025-04-11 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URLs module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors to the (1) report or (2) Custom Services List page.
CVE-2013-2715 2 Drupal, Thomas Seidl 2 Drupal, Search Api 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field name.
CVE-2010-1530 2 Drupal, Reyero 2 Drupal, I18n 2025-04-11 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Internationalization module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with translate interface or administer blocks privileges, to inject arbitrary web script or HTML via (1) strings used in block translation or (2) the untranslated input.
CVE-2012-5557 2 Drupal, User Read-only Project 2 Drupal, User Readonly 2025-04-11 3.6 LOW N/A
The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, does not properly assign roles when there are more than three roles on the site and certain unspecified configurations, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password.
CVE-2013-0260 2 Drupal, Elliot Pahl 2 Drupal, Drush Debian Packaging 2025-04-11 2.1 LOW N/A
Unspecified vulnerability in the Drush Debian Packaging module for Drupal allows local users to obtain database credentials via unknown vectors.
CVE-2013-1783 2 Devsaran, Drupal 2 Business, Drupal 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in page--front.tpl.php in the Business theme before 7.x-1.8 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-1663 2 Drupal, Icanlocalize 2 Drupal, Translation Management 2025-04-11 7.5 HIGH N/A
SQL injection vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2012-4469 2 Drupal, Simon Rycroft 2 Drupal, Hashcash 2025-04-11 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in the Hashcash module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.2 for Drupal, when "Log failed hashcash" is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid token, which is not properly handled when administrators use the Database logging module.
CVE-2010-5275 2 Drupal, Memcache Project 2 Drupal, Memcache 2025-04-11 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in memcache_admin in the Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-2707 2 Antoine Beaupre, Drupal 2 Hostmaster, Drupal 2025-04-11 5.8 MEDIUM N/A
The Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal does not properly exit when users do not have access to package/task nodes, which allows remote attackers to bypass intended access restrictions and edit unauthorized nodes.
CVE-2012-5544 2 Drupal, Thinkshout 2 Drupal, Mandrill 2025-04-11 4.0 MEDIUM N/A
The Mandrill module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to obtain password reset links by reading the logs in the Mandrill dashboard.
CVE-2012-1653 2 Collectivecolors, Drupal 2 Taxonomy View Integrator Module, Drupal 2025-04-11 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Taxonomy Views Integrator (TVI) module 6.x-1.x before 6.x-1.3 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, related to "views pages."
CVE-2013-4230 2 Drupal, Monster Menus Module Project 2 Drupal, Monster Menus 2025-04-11 6.0 MEDIUM N/A
The mm_webform submodule in the Monster Menus module 6.x-6.x before 6.x-6.61 and 7.x-1.x before 7.x-1.13 for Drupal does not properly restrict access to webform submissions, which allows remote authenticated users with the "Who can read data submitted to this webform" permission to delete arbitrary submissions via unspecified vectors.
CVE-2010-1539 2 Drupal, John Vandyk 2 Drupal, Workflow 2025-04-11 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the Workflow module 5.x-2.x before 5.x-2.6 and 6.x-1.x before 6.x-1.4 for Drupal, when used with the Token module, might allow remote authenticated users to inject arbitrary web script or HTML via a certain Comment field.
CVE-2013-0316 1 Drupal 1 Drupal 2025-04-11 5.0 MEDIUM N/A
The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests.
CVE-2012-2302 2 Drupal, Nancy Wichmann 2 Drupal, Sitedoc 2025-04-11 5.0 MEDIUM N/A
Site Documentation (Sitedoc) module for Drupal 6.x-1.x before 6.x-1.4 does not properly check the save location when archiving, which allows remote attackers to obtain sensitive information via unspecified vectors.