Search Results (992 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2013-4139 2 Drupal, Stage File Proxy Project 2 Drupal, Stage File Proxy 2025-04-11 N/A
The Stage File Proxy module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to cause a denial of service (file operations performance degradation and failure) via a large number of requests.
CVE-2013-4140 2 Drupal, Drupalisme 2 Drupal, Tinybox 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the TinyBox (Simple Splash) module before 7.x-2.2 for Drupal allows remote authenticated users with the "administer tinybox" permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-4174 2 Drupal, Ows 2 Drupal, Scald 2025-04-11 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Scald module 7.x-1.x before 7.x-1.1 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) flash_uri, (2) flash_width, or (3) flash_height in the scald_flash_scald_prerender function in providers/scald_flash/scald_flash.module; or the (4) caption in the scald_image_scald_prerender function in providers/scald_image/scald_image.module.
CVE-2012-2705 2 Christopher Mitchell, Drupal 2 Smart Breadcrumb, Drupal 2025-04-11 N/A
The filter_titles function in the Smart Breadcrumb module 6.x-1.x before 6.x-1.3 for Drupal does not properly convert a title to plain-text, which allows remote authenticated users with create or edit node permissions to conduct cross-site scripting (XSS) attacks via the title parameter.
CVE-2012-2704 2 Drupal, John Franklin 2 Drupal, Advertisement 2025-04-11 N/A
The Advertisement module 6.x-2.x before 6.x-2.3 for Drupal does not properly restrict access to debug information, which allows remote attackers to obtain sensitive site configuration information that is specified by the $conf variable in settings.php.
CVE-2013-4272 2 Botcha Spam Prevention Project, Drupal 2 Botcha, Drupal 2025-04-11 N/A
The BOTCHA Spam Prevention module 7.x-1.x before 7.x-1.6, 7.x-2.x before 7.x-2.1, and 7.x-3.x before 7.x-3.3 for Drupal, when the debugging level is set to 5 or 6, logs the content of submitted forms, which allows context-dependent users to obtain sensitive information such as usernames and passwords by reading the log file.
CVE-2013-4274 2 Drupal, Erikwebb 2 Drupal, Password Policy 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the password_policy_admin_view function in password_policy.admin.inc in the Password Policy module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer policies" permission to inject arbitrary web script or HTML via the "Password Expiration Warning" field to the admin/config/people/password_policy/add page.
CVE-2013-4379 2 Drupal, Sebastien Corbin 2 Drupal, Make Meeting Scheduler Module 2025-04-11 N/A
The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to bypass intended access restrictions for a poll via a direct request to the node's URL instead of the hashed URL.
CVE-2013-4383 2 Dennis Bruecke, Drupal 2 Jquery Countdown, Drupal 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-4384 2 Drupal, Google Site Search Project 2 Drupal, Google Site Search Module 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google API.
CVE-2013-4445 2 Drupal, Steven Jones 2 Drupal, Context 2025-04-11 N/A
The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access.
CVE-2013-4446 2 Drupal, Steven Jones 2 Drupal, Context 2025-04-11 N/A
The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection.
CVE-2012-2703 2 Drupal, John Franklin 2 Drupal, Advertisement 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Advertisement module 6.x-2.x before 6.x-2.3 for Drupal, when debug mode is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to the "$conf variable in settings.php."
CVE-2013-5315 2 Drupal, Ows 2 Drupal, Scald 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Resource Manager in the MEE submodule (mee.module) in the Scald module 6.x-1.x before 6.x-1.0-beta3 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the atom title, a different vector than CVE-2013-4174.
CVE-2013-5937 2 Click2sell, Drupal 2 Click2sell Suite Module, Drupal 2025-04-11 N/A
Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete database information via vectors involving the Drupal Form API.
CVE-2013-5938 2 Click2sell, Drupal 2 Click2sell Suite Module, Drupal 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a confirmation form.
CVE-2013-5964 2 Drupal, Joachim Noreiko 2 Drupal, Flag Module 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag title.
CVE-2013-5965 2 Adcisolutions, Drupal 2 Node View Permissions, Drupal 2025-04-11 N/A
The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the hook_query_alter function, which might allow remote attackers to obtain sensitive information by reading a node listing.
CVE-2013-6385 1 Drupal 1 Drupal 2025-04-11 N/A
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.
CVE-2013-6386 1 Drupal 1 Drupal 2025-04-11 N/A
Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.