Vulnerabilities > Drupal > High

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ACCESS VECTOR | COMPLEXITY | VENDORS / CWE | RISK |
|---|---|---|---|---|---|---|---|
| 2014-10-16 | CVE-2014-3704 | SQL Injection vulnerability in multiple products | The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. | network | low complexity | drupal debian CWE-89 | 7.5 |
| 2014-01-24 | CVE-2014-1475 | Multiple Security vulnerability in Drupal Core | The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. | network | low complexity | drupal | 7.5 |
| 2013-08-28 | CVE-2013-2247 | Permissions, Privileges, and Access Controls vulnerability in Fast Permissions Administration Project Fast Permission Administration | The Fast Permissions Administration module 6.x-2.x before 6.x-2.5 and 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to the modal content callback, which allows remote attackers to obtain unspecified access to the permissions edit form. | | | | 7.5 |
| 2012-12-26 | CVE-2012-5590 | SQL Injection vulnerability in Scripthead Webmail Plus | SQL injection vulnerability in the Webmail Plus module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | network | low complexity | scripthead drupal CWE-89 | 7.5 |
| 2012-12-03 | CVE-2012-5550 | SQL Injection vulnerability in Carlos Carvalhar Time Spent 6.X2.X/7.X2.X | SQL injection vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | network | low complexity | carlos-carvalhar drupal CWE-89 | 7.5 |
| 2012-11-30 | CVE-2012-4479 | SQL Injection vulnerability in David Alkire Drag & Drop Gallery 6.X1.5 | SQL injection vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | network | low complexity | david-alkire drupal CWE-89 | 7.5 |
| 2012-11-30 | CVE-2012-4470 | Permissions, Privileges, and Access Controls vulnerability in Philip Ludlam Listhandler 6.X1.0 | The Listhandler module 6.x-1.x before 6.x-1.1 for Drupal does not properly check permissions when importing emails, which allows remote comment authors to bypass access restrictions and possibly have other unspecified impact. | network | low complexity | philip-ludlam drupal CWE-264 | 7.5 |
| 2012-11-02 | CVE-2012-4498 | Permissions, Privileges, and Access Controls vulnerability in Morbus IFF Activism 6.X2.0/6.X2.X | The Activism module 6.x-2.x before 6.x-2.1 for Drupal does not properly restrict access to the "Campaign" content type, which might allow remote attackers to bypass access restrictions and possibly have other unspecified impact. | network | low complexity | morbus-iff drupal CWE-264 | 7.5 |
| 2012-07-25 | CVE-2012-2306 | SQL Injection vulnerability in Drupal | SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | network | low complexity | willem-van-der-plaat drupal CWE-89 | 7.5 |
| 2012-07-18 | CVE-2012-2303 | Permissions, Privileges, and Access Controls vulnerability in Florian Weber Spaces | The Spaces module 6.x-3.x before 6.x-3.4 for Drupal does not enforce permissions on non-object pages, which allows remote attackers to obtain sensitive information and possibly have other impacts via unspecified vectors to the (1) Spaces or (2) Spaces OG module. | network | low complexity | florian-weber drupal CWE-264 | 7.5 |