| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment. |
| Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter. |
| Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files. |
| Cross-site scripting (XSS) vulnerability in the Google Doubleclick for Publishers (DFP) module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer dfp" permission to inject arbitrary web script or HTML via a slot name. |
| Cross-site scripting (XSS) vulnerability in the Drupal Commons module 7.x-3.x before 7.x-3.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to content creation and activity stream messages. |
| The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks." |
| The Organic Groups Menu (aka OG Menu) module before 7.x-2.2 for Drupal allows remote authenticated users with the "access administration pages" permission to change module settings via unspecified vectors. |
| Cross-site scripting (XSS) vulnerability in the Modal Frame API module 6.x-1.x before 6.x-1.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| Multiple cross-site scripting (XSS) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) Role or (2) Organic Group name. |
| modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document. |
| Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 6.x-1.x before 6.x-1.19, 7.x-1.x before 7.x-1.3, and 7.x-2.x before 7.x-2.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to nodes. |
| Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to header background setting. |
| Cross-site scripting (XSS) vulnerability in the Skeleton theme 7.x-1.2 through 7.x-1.3 before 7.x-1.4, for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. |
| Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu. |
| The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags. |
| Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. |
| The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers. |
| Cross-site scripting (XSS) vulnerability in the BlueMasters theme 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. |
| Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.12 and 7.x-1.x before 7.x-1.14 for Drupal allows remote authenticated users with the "administer custom search" permission to inject arbitrary web script or HTML via the "Label text" field to admin/config/search/custom_search/results. |
| Cross-site scripting (XSS) vulnerability in the SimpleCorp theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. |
