Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Drupal Subscribe
Total 823 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2012-5584 2 Drupal, M2osw 2 Drupal, Tableofcontents 2013-01-07 4.3 MEDIUM N/A
The Table of Contents module 6.x-3.x before 6.x-3.8 for Drupal does not properly check node permissions, which allows remote attackers to read a node's headers by accessing a table of contents block.
CVE-2012-5655 2 Drupal, Steven Jones 2 Drupal, Context 2013-01-06 5.0 MEDIUM N/A
The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request.
CVE-2012-5654 2 Drupal, Nodewords Project 2 Drupal, Nodewords 2013-01-02 4.3 MEDIUM N/A
The Nodewords: D6 Meta Tags module before 6.x-1.14 for Drupal, when configured to automatically generate description meta tags from node text, does not properly filter node content when creating tags, which might allow remote attackers to obtain sensitive information by reading the (1) description, (2) dc.description or (3) og:description meta tags.
CVE-2012-5588 2 Drupal, Epiqo 2 Drupal, Email 2012-12-26 2.6 LOW N/A
The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a field permission module and the field contact field formatter is set to the full or teaser display mode, does not properly check permissions, which allows remote attackers to email the stored address via unspecified vectors.
CVE-2012-5591 2 Catalin Florian Radut, Drupal 2 Zeropoint, Drupal 2012-12-26 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Zero Point module 6.x-1.x before 6.x-1.18 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the path aliases.
CVE-2012-5589 2 Drupal, Netgenius 2 Drupal, Multilink 2012-12-26 3.5 LOW N/A
The MultiLink module 6.x-2.x before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal does not properly check node permissions when generating an in-content link, which allows remote authenticated users with text-editing permissions to read arbitrary node titles via a generated link.
CVE-2012-1654 2 Alex Barth, Drupal 2 Data, Drupal 2012-12-19 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Data module 6.x-1.x before 6.x-1.0 and 7.x-1.x before 7.x-1.0-alpha3 for Drupal allow remote authenticated users with the administer data tables permission to inject arbitrary web script or HTML via the title parameter in (1) data.views.inc and (2) data_ui/data_ui.admin.inc.
CVE-2012-5544 2 Drupal, Thinkshout 2 Drupal, Mandrill 2012-12-16 4.0 MEDIUM N/A
The Mandrill module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to obtain password reset links by reading the logs in the Mandrill dashboard.
CVE-2012-5550 2 Carlos Carvalhar, Drupal 2 Time Spent, Drupal 2012-12-04 7.5 HIGH N/A
SQL injection vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2012-5549 2 Carlos Carvalhar, Drupal 2 Time Spent, Drupal 2012-12-04 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2012-5557 2 Drupal, User Read-only Project 2 Drupal, User Readonly 2012-12-03 3.6 LOW N/A
The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, does not properly assign roles when there are more than three roles on the site and certain unspecified configurations, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password.
CVE-2012-5554 2 Coleman Watts, Drupal 2 Webform Civicrm, Drupal 2012-12-03 5.0 MEDIUM N/A
The default configuration for the Webform CiviCRM Integration module 7.x-3.x before 7.x-3.2 has "Enforce Permissions" disabled, which allows remote attackers to obtain contact information by reading webforms.
CVE-2012-5553 2 Daniel Honrade, Drupal 2 Om Maximenu, Drupal 2012-12-03 2.1 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in the OM Maximenu module 6.x-1.x before 6.x-1.44 and 7.x-1.x before 7.x-1.44 for Drupal allow remote authenticated users with the "administer OM Maximenu" permission to inject arbitrary web script or HTML via the (1) Menu Title (2) Link Title, (3) Path Query, (4) Anchor, or (5) vocabulary names.
CVE-2012-5548 2 Carlos Carvalhar, Drupal 2 Time Spent, Drupal 2012-12-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-5547 2 Drupal, Thomas Seidl 2 Drupal, Search Api 2012-12-03 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (2) enable a search index via an enable index action.
CVE-2012-5543 2 Drupal, Feeds Project 2 Drupal, Feeds 2012-12-03 4.3 MEDIUM N/A
The Feeds module 7.x-2.x before 7.x-2.0-alpha6 for Drupal, when a field is mapped to the node's author, does not properly check permissions, which allows remote attackers to create arbitrary nodes via a crafted source feed.
CVE-2012-5541 2 Drupal, Twitter Pull Project 2 Drupal, Twitter Pull 2012-12-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Twitter Pull module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.0-rc3 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "data coming from Twitter."
CVE-2012-5540 2 Drupal, Tekritisoftware 2 Drupal, Hostip 2012-12-03 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Hostip module 6.x-2.x before 6.x-2.2 and 7.x-2.x before 7.x-2.2 for Drupal allow remote attackers with control of hostip.info to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-5538 2 Drupal, Nathan Haug 2 Drupal, Filefield Sources 2012-12-03 2.1 LOW N/A
Cross-site scripting (XSS) vulnerability in the FileField Sources module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.6 for Drupal, when the field has "Reference existing" source enabled, allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.
CVE-2012-5537 2 Drupal, Simplenews Scheduler Project 2 Drupal, Simplenews Scheduler 2012-12-03 6.0 MEDIUM N/A
The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.