Filtered by vendor Drupal
Subscribe
Total
853 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13662 | 1 Drupal | 1 Drupal | 2021-05-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions. | |||||
| CVE-2020-13666 | 1 Drupal | 1 Drupal | 2021-05-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | |||||
| CVE-2010-2250 | 1 Drupal | 1 Drupal | 2021-04-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. | |||||
| CVE-2010-2471 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2021-04-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| Drupal versions 5.x and 6.x has open redirection | |||||
| CVE-2009-2372 | 1 Drupal | 1 Drupal | 2021-04-21 | 6.5 MEDIUM | N/A |
| Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature. | |||||
| CVE-2009-2374 | 1 Drupal | 1 Drupal | 2021-04-21 | 4.3 MEDIUM | N/A |
| Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache. | |||||
| CVE-2008-3661 | 1 Drupal | 1 Drupal | 2021-04-21 | 5.0 MEDIUM | N/A |
| Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | |||||
| CVE-2008-1133 | 1 Drupal | 1 Drupal | 2021-04-20 | 4.3 MEDIUM | N/A |
| The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks. | |||||
| CVE-2019-10909 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2021-04-20 | 3.5 LOW | 5.4 MEDIUM |
| In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. | |||||
| CVE-2014-9016 | 3 Debian, Drupal, Secure Password Hashes Project | 3 Debian Linux, Drupal, Secure Passwords Hashes | 2021-04-20 | 5.0 MEDIUM | N/A |
| The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. | |||||
| CVE-2014-2983 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2021-04-20 | 5.0 MEDIUM | N/A |
| Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. | |||||
| CVE-2008-3218 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-19 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values. | |||||
| CVE-2007-5593 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-19 | 6.8 MEDIUM | N/A |
| install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified. | |||||
| CVE-2008-1729 | 1 Drupal | 1 Drupal | 2021-04-19 | 5.8 MEDIUM | N/A |
| The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the "access content" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types. | |||||
| CVE-2007-5594 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-19 | 4.3 MEDIUM | N/A |
| Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack. | |||||
| CVE-2007-0626 | 1 Drupal | 1 Drupal | 2021-04-19 | 6.5 MEDIUM | N/A |
| The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines." | |||||
| CVE-2007-0136 | 1 Drupal | 1 Drupal | 2021-04-19 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2012-5569 | 3 Basic Webmail Project, Drupal, Jason Flatt | 3 Basic Webmail, Drupal, Basic Webmail | 2021-04-15 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via a (1) page title or (2) crafted email message. | |||||
| CVE-2008-3219 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-15 | 4.3 MEDIUM | N/A |
| The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism. | |||||
| CVE-2008-3222 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-15 | 5.8 MEDIUM | N/A |
| Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors. | |||||