Total
708 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-6212 | 1 Drupal | 1 Drupal | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors. | |||||
CVE-2016-3167 | 3 Debian, Drupal, Php | 3 Debian Linux, Drupal, Php | 2023-12-10 | 6.4 MEDIUM | 7.4 HIGH |
Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter. | |||||
CVE-2015-6659 | 1 Drupal | 1 Drupal | 2023-12-10 | 7.5 HIGH | N/A |
SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment. | |||||
CVE-2016-6211 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form. | |||||
CVE-2015-6660 | 1 Drupal | 1 Drupal | 2023-12-10 | 6.8 MEDIUM | N/A |
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks." | |||||
CVE-2015-6665 | 3 Chaos Tool Suite Project, Drupal, Fedoraproject | 3 Ctools, Drupal, Fedora | 2023-12-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag. | |||||
CVE-2016-3170 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in. | |||||
CVE-2016-7571 | 1 Drupal | 1 Drupal | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception. | |||||
CVE-2016-5385 | 8 Debian, Drupal, Fedoraproject and 5 more | 14 Debian Linux, Drupal, Fedora and 11 more | 2023-12-10 | 5.1 MEDIUM | 8.1 HIGH |
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue. | |||||
CVE-2015-8095 | 2 Drupal, Monster Menus Module Project | 2 Drupal, Monster Menus | 2023-12-10 | 5.0 MEDIUM | N/A |
The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern. | |||||
CVE-2013-4504 | 2 Drupal, Monster Menus Module Project | 2 Drupal, Monster Menus | 2023-12-10 | 2.6 LOW | N/A |
The Monster Menus module 7.x-1.x before 7.x-1.15 allows remote attackers to read arbitrary node comments via a crafted URL. | |||||
CVE-2014-1476 | 1 Drupal | 1 Drupal | 2023-12-10 | 4.0 MEDIUM | N/A |
The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page. | |||||
CVE-2014-5267 | 1 Drupal | 1 Drupal | 2023-12-10 | 6.8 MEDIUM | N/A |
modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document. | |||||
CVE-2014-1475 | 1 Drupal | 1 Drupal | 2023-12-10 | 7.5 HIGH | N/A |
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. | |||||
CVE-2013-4177 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2023-12-10 | 5.0 MEDIUM | N/A |
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors. | |||||
CVE-2013-4380 | 2 Drupal, Mediafront | 2 Drupal, Mediafront | 2023-12-10 | 2.1 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer mediafront" permission to inject arbitrary web script or HTML via the preset settings. | |||||
CVE-2013-4178 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2023-12-10 | 5.0 MEDIUM | N/A |
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP). | |||||
CVE-2014-5265 | 3 Debian, Drupal, Wordpress | 3 Debian Linux, Drupal, Wordpress | 2023-12-10 | 5.0 MEDIUM | N/A |
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | |||||
CVE-2014-5019 | 1 Drupal | 1 Drupal | 2023-12-10 | 5.0 MEDIUM | N/A |
The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use. | |||||
CVE-2014-1611 | 2 Anonymous Posting Project, Drupal | 2 Anonymous Posting, Drupal | 2023-12-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field. |