Vulnerabilities > Drupal
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2015-06-22 | CVE-2015-3232 | Open Redirection vulnerability in Drupal Field UI Module Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter. | 5.8 |
2015-06-22 | CVE-2015-3231 | Information Exposure vulnerability in multiple products The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache. | 4.0 |
2015-03-25 | CVE-2015-2559 | Improper Access Control vulnerability in multiple products Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL. | 3.5 |
2014-11-24 | CVE-2010-5312 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. | 6.1 |
2014-11-24 | CVE-2014-9016 | The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. | 5.0 |
2014-11-24 | CVE-2014-9015 | Permissions, Privileges, and Access Controls vulnerability in multiple products Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions. | 6.8 |
2014-11-12 | CVE-2014-8734 | Permissions, Privileges, and Access Controls vulnerability in Drupal Organic Groups Menu 7.X2.0/7.X2.Xdev The Organic Groups Menu (aka OG Menu) module before 7.x-2.2 for Drupal allows remote authenticated users with the "access administration pages" permission to change module settings via unspecified vectors. | 3.5 |
2014-10-22 | CVE-2013-7407 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Mrbs Module Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.8 |
2014-10-16 | CVE-2014-8296 | Cross-Site Scripting vulnerability in Drupal Modal Frame Cross-site scripting (XSS) vulnerability in the Modal Frame API module 6.x-1.x before 6.x-1.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2014-10-16 | CVE-2014-3704 | SQL Injection vulnerability in multiple products The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. | 7.5 |