Search Results (768 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2009-4044 2 Bruno Massa, Drupal 2 Web Services, Drupal 2025-04-09 N/A
The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors.
CVE-2008-2629 2 Drupal, Lifetype 2 Drupal, Lifetype 2025-04-09 N/A
SQL injection vulnerability in the LifeType (formerly pLog) module for Drupal allows remote attackers to execute arbitrary SQL commands via the albumId parameter in a ViewAlbum action to index.php.
CVE-2009-4043 2 Drupal, Patrick Przybilla 2 Drupal, Addtoany 2025-04-09 N/A
Cross-site scripting (XSS) vulnerability in the AddToAny module 5.x before 5.x-2.4 and 6.x before 6.x-2.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via a node title.
CVE-2008-7150 2 Ber Kessels, Drupal 2 Refine By Taxo, Drupal 2025-04-09 N/A
Cross-site scripting (XSS) vulnerability in Refine by Taxonomy 5.x before 5.x-0.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a taxonomy term, which is not properly handled by refine_by_taxo when displaying tags.
CVE-2009-4042 2 Drupal, Marek Sotak 2 Drupal, Rootcandy 2025-04-09 N/A
Cross-site scripting (XSS) vulnerability in the RootCandy theme 6.x before 6.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via the URI.
CVE-2009-3922 2 Chad Phillips, Drupal 2 Userprotect, Drupal 2025-04-09 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the User Protect module 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allow remote attackers to hijack the authentication of administrators for requests that (1) delete the editing protection of a user or (2) delete a certain type of administrative-bypass rule.
CVE-2008-6972 3 Drupal, Karen Stevenson, Yves Chedemois 3 Drupal, Cck, Cck 2025-04-09 N/A
Multiple cross-site scripting (XSS) vulnerabilities in Drupal Content Construction Kit (CCK) 5.x through 5.x-1.8 allow remote authenticated users with "administer content" permissions to inject arbitrary web script or HTML via the (1) "field label," (2) "help text," or (3) "allowed values" settings.
CVE-2009-3921 2 Drupal, Ezra Barnett Gildesgame 2 Drupal, Smartqueue Og 2025-04-09 N/A
The Smartqueue_og module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-rc3, a module for Drupal, does not verify group-node privileges in certain circumstances involving subqueue creation, which allows remote authenticated users to discover arbitrary organic group names by reading confirmation messages.
CVE-2008-1980 1 Drupal 2 Drupal, E-publish 2025-04-09 N/A
Cross-site scripting (XSS) vulnerability in E-Publish 5.x before 5.x-1.1 and 6.x before 6.x-1.0 beta1, a Drupal module, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-1368 1 Drupal 1 Drupal Project Issue Tracking 2025-04-09 N/A
The Project issue tracking module before 4.7.x-1.3, 4.7.x-2.* before 4.7.x-2.3, and 5 before 5.x-0.2-beta for Drupal allows remote authenticated users, with "access project issues" permission, to read the contents of a private node via a URL with a modified node identifier.
CVE-2009-3920 2 Drupal, Sean Robertson 2 Drupal, Crmngp 2025-04-09 N/A
An administration page in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal does not perform the expected access control, which allows remote attackers to read log information via unspecified vectors.
CVE-2008-6910 2 Drupal, Marc Ingram 2 Drupal, Services 2025-04-09 N/A
Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not use timeouts for signed requests, which allows remote attackers to impersonate other users and gain privileges via a replay attack that sends the same request.
CVE-2009-3919 2 Drupal, Sean Robertson 2 Drupal, Crmngp 2025-04-09 N/A
Cross-site scripting (XSS) vulnerability in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified "user-supplied information."
CVE-2006-6647 1 Drupal 1 Drupal Mysite 2025-04-09 N/A
Cross-site scripting (XSS) vulnerability in the MySite 4.7.x before 4.7.x-3.3 and 5.x before 5.x-1.3 module for Drupal allows remote attackers to inject arbitrary web script or HTML via the Title field when editing a page. NOTE: some details were obtained from third party information.
CVE-2009-3918 2 Drupal, Karim Ratib 2 Drupal, Zoomify 2025-04-09 N/A
Cross-site scripting (XSS) vulnerability in the Zoomify module 5.x before 5.x-2.2 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the node title.
CVE-2008-6909 2 Drupal, Marc Ingram 2 Drupal, Services 2025-04-09 N/A
Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not sign all required data in requests, which has unspecified impact, probably related to man-in-the-middle attacks that modify critical data and allow remote attackers to impersonate other users and gain privileges.
CVE-2009-3917 2 Drupal, Greg Knaddison 2 Drupal, S5 2025-04-09 N/A
Cross-site scripting (XSS) vulnerability in the S5 Presentation Player module 6.x-1.x before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via an unspecified field that is copied to the HTML HEAD element.
CVE-2008-1978 1 Drupal 2 Drupal, Ubercart Module 2025-04-09 N/A
Cross-site scripting (XSS) vulnerability in the Ubercart 5.x before 5.x-1.0 rc3 module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via node titles related to unspecified product features, a different vector than CVE-2008-1428.
CVE-2008-1133 1 Drupal 1 Drupal 2025-04-09 N/A
The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks.
CVE-2009-3916 2 Drupal, Ronan Dowling 2 Drupal, Nodehierarchy 2025-04-09 N/A
Cross-site scripting (XSS) vulnerability in the Node Hierarchy module 5.x before 5.x-1.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a child node title.