Vulnerabilities > Drupal > Drupal > Low
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2013-03-27 | CVE-2013-2715 | Cross-Site Scripting vulnerability in Thomas Seidl Search API | Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field name. | 2.1 |
2013-03-19 | CVE-2013-0225 | Cross-Site Scripting vulnerability in User Relationships Project User Relationships | Cross-site scripting (XSS) vulnerability in the User Relationships module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-alpha5 for Drupal allows remote authenticated users with the "administer user relationships" permission to inject arbitrary web script or HTML via a relationship name. | 2.1 |
2013-03-19 | CVE-2013-0227 | Cross-Site Scripting vulnerability in Mathijs Koenraadt Search API Sorts | Cross-site scripting (XSS) vulnerability in the Search API Sorts module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified field labels. | 2.1 |
2012-12-26 | CVE-2012-5585 | Cross-Site Scripting vulnerability in Mixpanel Project Mixpanel 6.X1.0/6.X1.X | Cross-site scripting (XSS) vulnerability in the Mixpanel module 6.x-1.x before 6.x-1.1 in Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via the Maxpanel token. | 2.1 |
2012-12-26 | CVE-2012-5586 | Permissions, Privileges, and Access Controls vulnerability in Marc Ingram Services | The Services module 6.x-3.x before 6.x-3.3 and 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "access user profiles" permission to access arbitrary users' emails via vectors related to the "user index method" and "the path to the user resource." | 2.1 |
2012-12-26 | CVE-2012-5588 | Permissions, Privileges, and Access Controls vulnerability in Epiqo Email | The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a field permission module and the field contact field formatter is set to the full or teaser display mode, does not properly check permissions, which allows remote attackers to email the stored address via unspecified vectors. | 2.6 |
2012-12-26 | CVE-2012-5589 | Information Exposure vulnerability in Netgenius Multilink | The MultiLink module 6.x-2.x before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal does not properly check node permissions when generating an in-content link, which allows remote authenticated users with text-editing permissions to read arbitrary node titles via a generated link. | 3.5 |
2012-12-03 | CVE-2012-5538 | Cross-Site Scripting vulnerability in Nathan Haug Filefield Sources | Cross-site scripting (XSS) vulnerability in the FileField Sources module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.6 for Drupal, when the field has "Reference existing" source enabled, allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file. | 2.1 |
2012-12-03 | CVE-2012-5539 | Permissions, Privileges, and Access Controls vulnerability in Organic Groups Project Organic Groups | The Organic Groups (OG) module 7.x-1.x before 7.x-1.5 for Drupal does not properly maintain pending group memberships, which allows remote authenticated users to post to arbitrary groups by modifying their own account while a pending membership is waiting to be approved. | 3.5 |
2012-12-03 | CVE-2012-5545 | Cross-Site Scripting vulnerability in ROB Loach Sharethis | Multiple cross-site scripting (XSS) vulnerabilities in the ShareThis module 7.x-2.x before 7.x-2.5 for Drupal allow remote authenticated users with the "administer sharethis" permission to inject arbitrary web script or HTML via unspecified vectors related to "JavaScript settings." | 2.1 |