| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu. |
| The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks." |
| The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. |
| Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| Multiple cross-site scripting (XSS) vulnerabilities in the Project Issue File Review module (PIFR) module 6.x-2.x before 6.x-2.17 for Drupal allow (1) remote attackers to inject arbitrary web script or HTML via a crafted patch, which triggers a PIFR client to test the patch and return the results to the PIFR_Server test results page or (2) remote authenticated users with the "manage PIFR environments" permission to inject arbitrary web script or HTML via vectors involving a PIFR_Server administrative page. |
| Cross-site scripting (XSS) vulnerability in the configuration UI in the Context Form Alteration module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer contexts" permission to inject arbitrary web script or HTML via unspecified vectors. |
| Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files. |
| Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.15 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via a taxonomy vocabulary label. |
| Cross-site scripting (XSS) vulnerability in the Nivo Slider module 7.x-2.x before 7.x-1.11 for Drupal allows remote authenticated users with the "administer nivo slider" permission to inject arbitrary web script or HTML via an image title. |
| Cross-site scripting (XSS) vulnerability in the Skeleton theme 7.x-1.2 through 7.x-1.3 before 7.x-1.4, for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. |
| The Organic Groups Menu (aka OG Menu) module before 7.x-2.2 for Drupal allows remote authenticated users with the "access administration pages" permission to change module settings via unspecified vectors. |
| Multiple cross-site scripting (XSS) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) Role or (2) Organic Group name. |
| Cross-site scripting (XSS) vulnerability in the Drupal Commons module 7.x-3.x before 7.x-3.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to content creation and activity stream messages. |
| The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors. |
| Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field. |
| The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. |
| The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache. |
| The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers. |
| Cross-site scripting (XSS) vulnerability in the NewsFlash theme 6.x-1.x before 6.x-1.7 and 7.x-1.x before 7.x-2.5 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to font family CSS property. |
| Cross-site scripting (XSS) vulnerability in the Tribune module 6.x-1.x and 7.x-3.x for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title. |
