Filtered by vendor Drupal
Subscriptions
Total
932 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2009-3157 | 2 Drupal, Karen Stevenson | 2 Drupal, Calendar | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the Calendar module 6.x before 6.x-2.2 for Drupal allows remote authenticated users, with "create new content types" privileges, to inject arbitrary web script or HTML via the title of a content type. | ||||
| CVE-2008-2772 | 1 Drupal | 1 Magic Tabs Module | 2025-04-09 | N/A |
| The Magic Tabs module 5.x before 5.x-1.1 for Drupal allows remote attackers to execute arbitrary PHP code via unspecified URL arguments, possibly related to a missing "whitelist of callbacks." | ||||
| CVE-2008-2773 | 1 Drupal | 1 Taxonomy Image Module | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the Taxonomy Image module 5.x before 5.x-1.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2008-3223 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2025-04-09 | N/A |
| SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields." | ||||
| CVE-2009-3207 | 2 Drewish, Drupal | 2 Imagecache, Drupal | 2025-04-09 | N/A |
| The ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, when the private file system is used, does not properly perform access control for derivative images, which allows remote attackers to view arbitrary images via a request that specifies an image's filename. | ||||
| CVE-2008-3661 | 1 Drupal | 1 Drupal | 2025-04-09 | N/A |
| Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | ||||
| CVE-2008-3741 | 1 Drupal | 1 Drupal | 2025-04-09 | N/A |
| The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML. | ||||
| CVE-2009-4064 | 2 Drupal, Puntolatinoclub | 2 Drupal, Gallery Assist Module | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the Gallery Assist module 6.x before 6.x-1.7 for Drupal allows remote attackers to inject arbitrary web script or HTML via node titles. | ||||
| CVE-2009-4043 | 2 Drupal, Patrick Przybilla | 2 Drupal, Addtoany | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the AddToAny module 5.x before 5.x-2.4 and 6.x before 6.x-2.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via a node title. | ||||
| CVE-2009-3915 | 2 Drupal, John C Fiala | 2 Drupal, Link | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the "Separate title and URL" formatter in the Link module 5.x before 5.x-2.6 and 6.x before 6.x-2.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the link title field. | ||||
| CVE-2008-4147 | 1 Drupal | 1 Mailsave | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type. | ||||
| CVE-2008-4148 | 1 Drupal | 1 Mailhandler | 2025-04-09 | N/A |
| SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API. | ||||
| CVE-2008-4149 | 1 Drupal | 1 Link To Us | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field. | ||||
| CVE-2009-3914 | 2 Drupal, Wolfgang Ziegler | 2 Drupal, Temporary Invitation | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the Temporary Invitation module 5.x before 5.x-2.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Name field in an invitation. | ||||
| CVE-2006-5476 | 1 Drupal | 1 Drupal | 2025-04-09 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors. | ||||
| CVE-2006-5475 | 1 Drupal | 1 Drupal | 2025-04-09 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the XML parser in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allow remote attackers to inject arbitrary web script or HTML via a crafted RSS feed. | ||||
| CVE-2007-0506 | 1 Drupal | 2 Project, Project Issue Tracking Module | 2025-04-09 | N/A |
| The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests. | ||||
| CVE-2007-0534 | 1 Drupal | 2 Project, Project Issue Tracking Module | 2025-04-09 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project issue tracking 4.7.0 through 5.x before 20070123 and (2) Project 4.6.0 through 5.x before 20070123 modules for Drupal allow remote authenticated users to inject arbitrary web script or HTML via (a) certain "fields on project nodes" or (b) "certain project-specific settings regarding issue tracking." | ||||
| CVE-2009-3783 | 2 Drupal, Sjoerd Arendsen | 2 Drupal, Simplenews Statistics | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vector. | ||||
| CVE-2007-6298 | 1 Drupal | 1 Shoutbox | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the Shoutbox module for Drupal 5.x before Shoutbox 5.x-1.1 allows remote authenticated users to inject arbitrary web script or HTML via Shoutbox block messages. | ||||