Filtered by vendor Drupal
Subscriptions
Filtered by product Drupal
Subscriptions
Total
709 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2013-4504 | 2 Drupal, Monster Menus Module Project | 2 Drupal, Monster Menus | 2024-11-21 | N/A |
The Monster Menus module 7.x-1.x before 7.x-1.15 allows remote attackers to read arbitrary node comments via a crafted URL. | ||||
CVE-2013-4502 | 2 Drupal, Nathan Haug | 2 Drupal, Filefield Sources | 2024-11-21 | N/A |
The FileField Sources module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.9 for Drupal does not properly check file permissions, which allows remote authenticated users to read arbitrary files by attaching a file. | ||||
CVE-2013-4498 | 2 Drupal, Florian Weber | 2 Drupal, Spaces | 2024-11-21 | N/A |
The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 for Drupal does not properly delete organic group group spaces content when using the option to move to a new group, which causes the content to be "orphaned" and allows remote authenticated users with the "access content" permission to obtain sensitive information via vectors involving a rebuild access for the site or content. | ||||
CVE-2013-4446 | 2 Drupal, Steven Jones | 2 Drupal, Context | 2024-11-21 | N/A |
The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. | ||||
CVE-2013-4445 | 2 Drupal, Steven Jones | 2 Drupal, Context | 2024-11-21 | N/A |
The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access. | ||||
CVE-2013-4384 | 2 Drupal, Google Site Search Project | 2 Drupal, Google Site Search Module | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google API. | ||||
CVE-2013-4383 | 2 Dennis Bruecke, Drupal | 2 Jquery Countdown, Drupal | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors. | ||||
CVE-2013-4380 | 2 Drupal, Mediafront | 2 Drupal, Mediafront | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer mediafront" permission to inject arbitrary web script or HTML via the preset settings. | ||||
CVE-2013-4379 | 2 Drupal, Sebastien Corbin | 2 Drupal, Make Meeting Scheduler Module | 2024-11-21 | N/A |
The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to bypass intended access restrictions for a poll via a direct request to the node's URL instead of the hashed URL. | ||||
CVE-2013-4274 | 2 Drupal, Erikwebb | 2 Drupal, Password Policy | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the password_policy_admin_view function in password_policy.admin.inc in the Password Policy module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer policies" permission to inject arbitrary web script or HTML via the "Password Expiration Warning" field to the admin/config/people/password_policy/add page. | ||||
CVE-2013-4272 | 2 Botcha Spam Prevention Project, Drupal | 2 Botcha, Drupal | 2024-11-21 | N/A |
The BOTCHA Spam Prevention module 7.x-1.x before 7.x-1.6, 7.x-2.x before 7.x-2.1, and 7.x-3.x before 7.x-3.3 for Drupal, when the debugging level is set to 5 or 6, logs the content of submitted forms, which allows context-dependent users to obtain sensitive information such as usernames and passwords by reading the log file. | ||||
CVE-2013-4230 | 2 Drupal, Monster Menus Module Project | 2 Drupal, Monster Menus | 2024-11-21 | N/A |
The mm_webform submodule in the Monster Menus module 6.x-6.x before 6.x-6.61 and 7.x-1.x before 7.x-1.13 for Drupal does not properly restrict access to webform submissions, which allows remote authenticated users with the "Who can read data submitted to this webform" permission to delete arbitrary submissions via unspecified vectors. | ||||
CVE-2013-4229 | 2 Drupal, Monster Menus Module Project | 2 Drupal, Monster Menus | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the Monster Menus module 7.x-1.x before 7.x-1.12 for Drupal allows remote authenticated users with permissions to add pages to inject arbitrary web script or HTML via a title in the page settings. | ||||
CVE-2013-4178 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2024-11-21 | N/A |
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP). | ||||
CVE-2013-4177 | 2 Drupal, Google Authenticator Login Project | 2 Drupal, Ga Login | 2024-11-21 | N/A |
The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors. | ||||
CVE-2013-4174 | 2 Drupal, Ows | 2 Drupal, Scald | 2024-11-21 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the Scald module 7.x-1.x before 7.x-1.1 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) flash_uri, (2) flash_width, or (3) flash_height in the scald_flash_scald_prerender function in providers/scald_flash/scald_flash.module; or the (4) caption in the scald_image_scald_prerender function in providers/scald_image/scald_image.module. | ||||
CVE-2013-4140 | 2 Drupal, Drupalisme | 2 Drupal, Tinybox | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the TinyBox (Simple Splash) module before 7.x-2.2 for Drupal allows remote authenticated users with the "administer tinybox" permission to inject arbitrary web script or HTML via unspecified vectors. | ||||
CVE-2013-4139 | 2 Drupal, Stage File Proxy Project | 2 Drupal, Stage File Proxy | 2024-11-21 | N/A |
The Stage File Proxy module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to cause a denial of service (file operations performance degradation and failure) via a large number of requests. | ||||
CVE-2013-4138 | 2 Alienwp, Drupal | 2 Hatch, Drupal | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the Hatch theme 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with the "Administer content," "Create new article," or "Edit any article type content" permission to inject arbitrary web script or HTML via unspecified vectors. | ||||
CVE-2013-2715 | 2 Drupal, Thomas Seidl | 2 Drupal, Search Api | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field name. |