Vulnerabilities > Drupal > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-01-30 | CVE-2014-1611 | Cross-Site Scripting vulnerability in Anonymous Posting Project Anonymous Posting 7.X1.2/7.X1.3 Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field. | 4.3 |
| 2014-01-24 | CVE-2014-1476 | Permissions, Privileges, and Access Controls vulnerability in Drupal The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page. | 4.0 |
| 2013-12-24 | CVE-2013-6388 | Cross-Site Scripting vulnerability in Drupal Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS. | 4.3 |
| 2013-12-19 | CVE-2013-7067 | Permissions, Privileges, and Access Controls vulnerability in Mike Stefanello OG Features The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not properly override pages that have an access callback set to false, which allows remote attackers to bypass intended access restrictions via a request. | 5.8 |
| 2013-12-07 | CVE-2013-6389 | Improper Input Validation vulnerability in Drupal Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 5.8 |
| 2013-12-07 | CVE-2013-6386 | Cryptographic Issues vulnerability in Drupal Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. | 6.8 |
| 2013-12-07 | CVE-2013-6385 | Code Injection vulnerability in Drupal The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. | 5.1 |
| 2013-12-07 | CVE-2013-4446 | Code Injection vulnerability in Steven Jones Context The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. | 6.8 |
| 2013-12-07 | CVE-2013-4445 | Permissions, Privileges, and Access Controls vulnerability in Steven Jones Context The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access. | 4.9 |
| 2013-10-28 | CVE-2012-0826 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors. | 6.8 |