Search Results (946 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2012-4554 1 Drupal 1 Drupal 2025-04-11 N/A
The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.
CVE-2011-1662 2 Drupal, Icanlocalize 2 Drupal, Translation Management 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-5007 2 Drupal, Wizonesolutions 2 Drupal, Fillpdf 2025-04-11 N/A
The Fill PDF module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to write to arbitrary PDF files via unspecified vectors related to the fillpdf_merge_pdf function and incorrect arguments, a different vulnerability than CVE-2012-1625. NOTE: some of these details are obtained from third party information.
CVE-2012-5233 2 Drupal, Luke Herrington 2 Drupal, Stickynote 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote authenticated users with edit stickynotes privileges to inject arbitrary web script or HTML via unspecified vecotrs.
CVE-2013-6388 1 Drupal 1 Drupal 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.
CVE-2011-1661 2 Drupal, Nicholas Thompson 2 Drupal, Node Quick Find 2025-04-11 N/A
The Node Quick Find module 6.x-1.1 for Drupal does not use db_rewrite_sql when presenting node titles, which allows remote attackers to bypass intended access restrictions and read potentially sensitive node titles via the autocomplete feature.
CVE-2010-2158 2 Drupal, Speedtech 2 Drupal, Storm 2025-04-11 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) phone, or (3) im parameter in a stormperson action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2010-2123 2 Drupal, Speedtech 2 Drupal, Storm 2025-04-11 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) address, (3) city, (4) provstate (aka state), (5) phone, or (6) taxid parameter in a stormorganization action to index.php; the (7) name parameter in a stormperson action to index.php; the (8) stepno (aka Step no.) or (9) title parameter in a stormtask action to index.php; the (10) title (aka Project) parameter in a stormticket action to index.php; or (11) unspecified parameters in a stormproject action to index.php. NOTE: some of these details are obtained from third party information.
CVE-2010-2048 2 Drupal, Menhir 2 Drupal, Heartbeat 2025-04-11 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Heartbeat module 6.x before 6.x-4.9 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-1393 2 Curvycorners, Drupal 2 Curvycorners, Drupal 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the CurvyCorners module 6.x-1.x and 7.x-1.x for Drupal allows remote authenticated users with the "administer curvycorners" permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-2021 2 Drupal, Nicholasthompson 2 Drupal, Global Redirect 2025-04-11 N/A
Open redirect vulnerability in the Global Redirect module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, when non-clean to clean is enabled, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter.
CVE-2012-3798 2 Bryce Hamrick, Drupal 2 Janrain Capture, Drupal 2025-04-11 N/A
The Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when creating a local user account, allows attackers to obtain part of the initial input used to generate passwords, which makes it easier to conduct brute force password guessing attacks.
CVE-2012-2725 2 Authoring Html, Drupal 2 6.x-1.0, Drupal 2025-04-11 N/A
classes/Filter/WhitelistedExternalFilter.php in the Authoring HTML module 6.x-1.x before 6.x-1.1 for Drupal does not properly validate sources with the host white list, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks.
CVE-2013-1786 2 Devsaran, Drupal 2 Company, Drupal 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Company theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-1859 2 Chris Desautels, Drupal 2 Node Parameter Control, Drupal 2025-04-11 N/A
The Node Parameter Control module 6.x-1.x for Drupal does not properly restrict access to the configuration options, which allows remote attackers to read and edit configuration options via unspecified vectors.
CVE-2011-0899 2 Drupal, Johan Lindskog 2 Drupal, Aes Encryption Module 2025-04-11 N/A
The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user.
CVE-2011-1664 2 Drupal, Icanlocalize 2 Drupal, Translation Management 2025-04-11 N/A
Cross-site request forgery (CSRF) vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2011-1066 2 Drupal, Reyero 2 Drupal, Messaging 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-1780 2 Devsaran, Drupal 2 Best Responsive, Drupal 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Best Responsive Theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.
CVE-2013-1783 2 Devsaran, Drupal 2 Business, Drupal 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the 3 slide gallery in page--front.tpl.php in the Business theme before 7.x-1.8 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.