ReportizFlow
Filtered by vendor Drupal
Subscriptions
Filtered by product Drupal
Subscriptions
Total
754 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2009-3210 | 2 Drupal, Joao Ventura | 2 Drupal, Print | 2026-04-23 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.8 and 6.x before 6.x-1.8, a module for Drupal, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2009-3350 | 2 Drupal, Roshan Shah | 2 Drupal, Subdomain Manager | 2026-04-23 | N/A |
| Multiple unspecified vulnerabilities in the Subdomain Manager module for Drupal have unknown impact and attack vectors. | ||||
| CVE-2009-4061 | 2 Drupal, Yuriy Babenko | 2 Drupal, Agreement Module | 2026-04-23 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Agreement module 6.x before 6.x-1.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2009-3435 | 2 Drupal, Moshe Weitzman | 2 Drupal, Devel | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the variable editor in the Devel module 5.x before 5.x-1.2 and 6.x before 6.x-1.18, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a variable name. | ||||
| CVE-2009-3488 | 2 Drupal, Ron Jerome | 2 Drupal, Bibliography | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the Bibliography (aka Biblio) module 6.x-1.6 for Drupal allows remote authenticated users, with certain content-creation privileges, to inject arbitrary web script or HTML via the Title field, probably a different vulnerability than CVE-2009-3479. | ||||
| CVE-2009-3657 | 2 Drupal, Tim Nelson | 2 Drupal, Shared Sign-on | 2026-04-23 | N/A |
| Session fixation vulnerability in Shared Sign-On 5.x and 6.x, a module for Drupal, allows remote attackers to hijack web sessions via unspecified vectors. | ||||
| CVE-2009-3784 | 2 Drupal, Sjoerd Arendsen | 2 Drupal, Simplenews Statistics | 2026-04-23 | N/A |
| Open redirect vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | ||||
| CVE-2009-3915 | 2 Drupal, John C Fiala | 2 Drupal, Link | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the "Separate title and URL" formatter in the Link module 5.x before 5.x-2.6 and 6.x before 6.x-2.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the link title field. | ||||
| CVE-2009-3922 | 2 Chad Phillips, Drupal | 2 Userprotect, Drupal | 2026-04-23 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the User Protect module 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allow remote attackers to hijack the authentication of administrators for requests that (1) delete the editing protection of a user or (2) delete a certain type of administrative-bypass rule. | ||||
| CVE-2009-4042 | 2 Drupal, Marek Sotak | 2 Drupal, Rootcandy | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the RootCandy theme 6.x before 6.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via the URI. | ||||
| CVE-2009-4065 | 2 Drupal, Jeff Miccolis | 2 Drupal, Strongarm Module | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the settings page in the Strongarm module 6.x before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the value field when viewing overridden variables. | ||||
| CVE-2007-5416 | 1 Drupal | 1 Drupal | 2026-04-23 | N/A |
| Drupal 5.2 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code by invoking the drupal_eval function through a callback parameter to the default URI, as demonstrated by the _menu[callbacks][1][callback] parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in Drupal. | ||||
| CVE-2009-4369 | 1 Drupal | 1 Drupal | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name. | ||||
| CVE-2009-4370 | 1 Drupal | 1 Drupal | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview. | ||||
| CVE-2009-4520 | 2 Drupal, Kristof De Jaeger | 2 Drupal, Commentreference | 2026-04-23 | N/A |
| The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to bypass intended access restrictions and read comments by using the autocomplete path. | ||||
| CVE-2009-3919 | 2 Drupal, Sean Robertson | 2 Drupal, Crmngp | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified "user-supplied information." | ||||
| CVE-2009-4207 | 2 Drupal, Nathan Haug | 2 Drupal, Webform | 2026-04-23 | N/A |
| Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.7 and 6.x before 6.x-2.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a submission. | ||||
| CVE-2009-4515 | 2 Drupal, Speedtech | 2 Drupal, Storm | 2026-04-23 | N/A |
| The Storm module 6.x before 6.x-1.25 for Drupal does not enforce privilege requirements for storminvoiceitem nodes, which allows remote attackers to read node titles via unspecified vectors. | ||||
| CVE-2007-5594 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2026-04-23 | N/A |
| Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack. | ||||
| CVE-2007-5597 | 1 Drupal | 1 Drupal | 2026-04-23 | N/A |
| The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions. | ||||