drupal

293 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-13083
>= 8.0.0 and < 10.4.9
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal core allows Exploiting Incorrectly Config
3.7LOW
CVE-2025-13082
>= 8.0.0 and < 10.4.9
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal core allows Content Spoofing.This iss
4.3MEDIUM
CVE-2025-13081
>= 8.0.0 and < 10.4.9
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core allows Object I
5.9MEDIUM
CVE-2025-13080
>= 8.0.0 and < 10.4.9
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal core allows Forceful Browsing.This issue affec
5.3MEDIUM
CVE-2025-3057
>= 8.0.0 and < 10.3.13
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cr
6.1MEDIUM
CVE-2025-31675
>= 8.0.0 and < 10.3.14
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cr
5.4MEDIUM
CVE-2025-31674
>= 8.0.0 and < 10.3.13
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core allows Object I
7.5HIGH
CVE-2025-31673
>= 8.0.0 and < 10.3.13
Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 be
4.6MEDIUM
CVE-2024-55638
>= 7.0 and < 7.102
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 be
9.8CRITICAL
CVE-2024-55637
>= 8.0.0 and < 10.2.11
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0
9.8CRITICAL
CVE-2024-55636
>= 8.0.0 and < 10.2.11
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0
9.8CRITICAL
CVE-2024-55635
>= 7.0 and < 7.102
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cr
6.1MEDIUM
CVE-2024-55634
>= 8.0.0 and < 10.2.11
A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0
8.1HIGH
CVE-2024-12393
>= 8.8.0 and < 10.2.11
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cr
5.4MEDIUM
CVE-2024-11942
>= 10.0.0 and < 10.2.10
A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10.
5.9MEDIUM
CVE-2024-11941
>= 8.0.0 and < 10.1.8
A vulnerability in Drupal Core allows Excessive Allocation.This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0
7.5HIGH
CVE-2024-45440
all versions
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is f
5.3MEDIUM
CVE-2024-22362
all versions
Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may
7.5HIGH
CVE-2023-5256
>= 8.7.0 and < 9.5.11
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive in
7.5HIGH
CVE-2023-31250
>= 7.0 and < 7.96
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access
6.5MEDIUM
CVE-2022-25278
>= 8.0.0 and < 9.3.19
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being abl
6.5MEDIUM
CVE-2022-25277
>= 8.0.0 and < 9.3.19
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailin
7.2HIGH
CVE-2022-25276
>= 9.3.0 and < 9.3.19
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the con
6.1MEDIUM
CVE-2022-25275
>= 7.0 and < 7.91
In some situations, the Image module does not correctly check access to image files not stored in the standard public files direct
7.5HIGH
CVE-2022-25274
>= 9.3.0 and < 9.3.12
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with exis
5.4MEDIUM
CVE-2022-25273
>= 8.0.0 and < 9.2.18
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input
7.5HIGH
CVE-2022-39261
>= 8.0.0 and < 9.3.22
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue
7.5HIGH
CVE-2022-31043
>= 9.2.0 and < 9.2.21
Guzzle is an open source PHP HTTP client. In affected versions Authorization headers on requests are sensitive information. On m
7.5HIGH
CVE-2022-31042
>= 9.2.0 and < 9.2.21
Guzzle is an open source PHP HTTP client. In affected versions the Cookie headers on requests are sensitive information. On maki
7.5HIGH
CVE-2022-29248
>= 9.2.0 and < 9.2.20
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vul
8.0HIGH
CVE-2022-24775
>= 8.0.0 and < 9.2.16
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An a
7.5HIGH
CVE-2022-24729
>= 8.0.0 and < 9.2.15
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability i
6.5MEDIUM
CVE-2022-24728
>= 8.0.0 and < 9.2.15
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML process
5.4MEDIUM
CVE-2022-25270
>= 9.2.0 and < 9.2.13
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-
6.5MEDIUM
CVE-2022-25271
>= 7.0.0 and < 7.88
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input
7.5HIGH
CVE-2020-13677
>= 8.0.0 and < 8.9.19
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result i
7.5HIGH
CVE-2020-13676
>= 8.9.0 and < 8.9.19
The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of fi
6.5MEDIUM
CVE-2020-13675
>= 8.0.0 and < 8.9.19
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file vali
9.8CRITICAL
CVE-2020-13674
>= 8.9.0 and < 8.9.19
The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumst
6.5MEDIUM
CVE-2020-13672
< 7.80
Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under cer
6.1MEDIUM
CVE-2020-13670
>= 8.8.0 and < 8.8.10
Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a per
7.5HIGH
CVE-2020-13669
>= 8.8.0 and < 8.8.10
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core
6.1MEDIUM
CVE-2020-13668
>= 8.8.0 and < 8.8.10
Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in
6.1MEDIUM
CVE-2021-41165
>= 8.9.0 and < 8.9.20
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processi
8.2HIGH
CVE-2021-41164
>= 8.9.0 and < 8.9.20
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content
8.2HIGH
CVE-2021-41184
>= 7.0 and < 7.86
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the `.
6.5MEDIUM
CVE-2021-41183
>= 7.0 and < 7.86
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options o
6.5MEDIUM
CVE-2021-41182
>= 7.0 and < 7.86
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of
6.5MEDIUM
CVE-2020-13663
>= 7.0 and < 7.72
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site reque
8.8HIGH
CVE-2020-13688
>= 8.8.0 and < 8.8.10
Cross-site scripting vulnerability in Drupal Core allows an attacker to leverage the way that HTML is rendered for affected f
6.1MEDIUM
CVE-2021-33829
>= 8.9.0 and < 8.9.16
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows rem
6.1MEDIUM
CVE-2020-13667
>= 8.8.0 and < 8.8.10
Access bypass vulnerability in Drupal Core Workspaces allows an attacker to access data without correct permissions. The Worksp
5.3MEDIUM
CVE-2020-13665
>= 8.8.0 and < 8.8.8
Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only
9.8CRITICAL
CVE-2020-13664
>= 8.8.0 and < 8.8.8
Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator in
8.8HIGH
CVE-2020-13662
>= 7.0 and <= 7.70
Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect
6.1MEDIUM
CVE-2020-13666
>= 7.0 and < 7.73
Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack.
6.1MEDIUM
CVE-2020-36193
>= 7.0 and < 7.78
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic link
7.5HIGH
CVE-2020-13671
>= 7.0 and < 7.74
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incor
8.8HIGH
CVE-2020-28949
>= 7.0 and < 7.75
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (s
7.8HIGH
CVE-2020-28948
>= 7.0 and < 7.75
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
7.8HIGH
CVE-2019-6342
all versions
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated b
9.8CRITICAL
CVE-2020-11022
>= 7.0 and < 7.70
In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery
6.9MEDIUM
CVE-2020-11023
>= 7.0 and < 7.70
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sourc
6.9MEDIUM
CVE-2020-9281
>= 8.7.0 and < 8.7.12
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inje
6.1MEDIUM
CVE-2011-2715
all versions
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or
9.8CRITICAL
CVE-2011-2714
all versions
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table des
6.1MEDIUM
CVE-2011-2726
>= 7.0 and < 7.5
An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields t
7.5HIGH
CVE-2010-2473
>= 5.0 and < 5.22
Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open
6.5MEDIUM
CVE-2010-2472
>= 5.0 and < 5.22
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display
4.8MEDIUM
CVE-2010-2250
>= 5.0 and < 5.22
Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craf
6.1MEDIUM
CVE-2010-2471
>= 5.0 and < 5.22
Drupal versions 5.x and 6.x have an open redirection vulnerability
6.1MEDIUM
CVE-2019-11876
all versions
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected
6.1MEDIUM
CVE-2019-10911
>= 8.5.0 and < 8.5.15
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would
7.5HIGH
CVE-2019-10910
>= 8.5.0 and < 8.5.15
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allo
9.8CRITICAL
CVE-2019-10909
>= 8.5.0 and < 8.5.15
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages a
5.4MEDIUM
CVE-2019-11831
>= 7.0 and < 7.67
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory
9.8CRITICAL
CVE-2019-11358
>= 7.0 and < 7.66
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Objec
6.1MEDIUM
CVE-2019-6341
>= 7.0 and < 7.65
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13; Drupal 8.5 versions prior to 8.5.14. Under certain circums
5.4MEDIUM
CVE-2019-6340
>= 8.5.0 and < 8.5.11
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10.
8.1HIGH
CVE-2019-6339
>= 7.0 and < 7.62
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability ex
9.8CRITICAL
CVE-2017-6923
>= 8.0.0 and <= 8.3.7
In Drupal 8.x prior to 8.3.7: When creating a view, you can optionally use Ajax to update the displayed data via filter parameters.
6.5MEDIUM
CVE-2017-6922
>= 7.0 and < 7.56
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user bu
6.5MEDIUM
CVE-2019-6338
>= 7.0 and < 7.62
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Ar
8.0HIGH
CVE-2017-6921
>= 8.0.0 and < 8.3.4
In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only
5.9MEDIUM
CVE-2017-6924
>= 8.0.0 and < 8.3.7
In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are appr
7.4HIGH
CVE-2017-6925
>= 8.0.0 and < 8.3.7
In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access
9.8CRITICAL
CVE-2017-6920
>= 8.0.0 and < 8.3.4
Drupal core 8 before version 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP
9.8CRITICAL
CVE-2018-14773
>= 8.0.0 and < 8.5.6
An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 thro
6.5MEDIUM
CVE-2018-7602
>= 7.0 and < 7.59
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers t
9.8CRITICAL
CVE-2018-9861
>= 8.0.0 and < 8.4.7
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1;
6.1MEDIUM
CVE-2018-7600
<= 7.57
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code
9.8CRITICAL
CVE-2017-6932
>= 7.0 and < 7.57
Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A simi
4.7MEDIUM
CVE-2017-6931
>= 8.4.0 and < 8.4.5
In Drupal 8.4.x versions before 8.4.5, the Settings Tray module has a vulnerability that allows users to update certain da
6.5MEDIUM
CVE-2017-6930
>= 8.4.0 and < 8.4.5
In Drupal 8.4.x versions before 8.4.5, when using node access controls with a multilingual site, Drupal marks the untransl
8.1HIGH
CVE-2017-6929
>= 7.0 and < 7.57
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitig
6.1MEDIUM
CVE-2017-6928
>= 7.0 and < 7.57
Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to
5.3MEDIUM
CVE-2017-6927
>= 7.0 and < 7.57
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain() JavaScript function which is used
6.1MEDIUM
CVE-2017-6926
>= 8.4.0 and < 8.4.5
In Drupal 8.4.x versions before 8.4.5, users with permission to post comments are able to view content and comments they d
8.1HIGH
CVE-2015-7943
all versions
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for D
6.1MEDIUM
CVE-2015-7880
all versions
The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration in
4.3MEDIUM
CVE-2015-2750
all versions
Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to
6.1MEDIUM
CVE-2015-2749
all versions
Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary w
6.1MEDIUM
CVE-2017-6919
all versions
Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest)
7.5HIGH
CVE-2017-6381
all versions
A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is m
8.1HIGH
CVE-2017-6379
all versions
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disabl
7.5HIGH
CVE-2017-6377
all versions
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file be
7.5HIGH
CVE-2016-9452
all versions
The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.
6.5MEDIUM
CVE-2016-9451
all versions
Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via un
6.8MEDIUM
CVE-2016-9450
all versions
The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging f
7.5HIGH
CVE-2016-9449
all versions
The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive info
4.3MEDIUM
CVE-2016-7572
all versions
The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows
4.3MEDIUM
CVE-2016-7571
all versions
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTM
6.1MEDIUM
CVE-2016-7570
all versions
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to
4.3MEDIUM
CVE-2016-6212
all versions
The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenti
5.3MEDIUM
CVE-2016-6211
all versions
The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed o
8.8HIGH
CVE-2016-5385
>= 8.0.0 and < 8.1.7
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applicati
8.1HIGH
CVE-2016-3171
all versions
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attacker
8.1HIGH
CVE-2016-3170
all versions
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attack
5.3MEDIUM
CVE-2016-3169
all versions
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed
8.1HIGH
CVE-2016-3168
all versions
The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site
6.4MEDIUM
CVE-2016-3167
all versions
Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote
7.4HIGH
CVE-2016-3166
all versions
CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows
5.9MEDIUM
CVE-2016-3165
all versions
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass
7.5HIGH
CVE-2016-3164
all versions
Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by lev
7.4HIGH
CVE-2016-3163
all versions
The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force
7.5HIGH
CVE-2016-3162
all versions
The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and
8.1HIGH
CVE-2015-6665
all versions
Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.
CVE-2015-6661
all versions
Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.
CVE-2015-6660
all versions
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attacker
CVE-2015-6659
all versions
SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attack
CVE-2015-6658
all versions
Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote at
CVE-2015-3234
all versions
The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by lever
CVE-2015-3233
all versions
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary
CVE-2015-3232
all versions
Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrar
CVE-2015-3231
all versions
The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to o
CVE-2015-2559
>= 6.0 and < 6.35
Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging
CVE-2010-5312
>= 7.0 and < 7.86
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote atta
6.1MEDIUM
CVE-2014-9016
>= 7.0 and < 7.34
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for D
CVE-2014-9015
>= 6.0 and < 6.34
Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a
CVE-2014-3704
>= 7.0 and < 7.32
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared s
CVE-2014-8078
all versions
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 6.x-1.x before 6.x-1.19, 7.x-1
CVE-2014-5267
all versions
modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a cra
CVE-2014-5266
all versions
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limi
CVE-2014-5265
all versions
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entit
CVE-2014-5022
all versions
Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary
CVE-2014-5021
all versions
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote auth
CVE-2014-5020
all versions
The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated use
CVE-2014-5019
all versions
The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a cra
CVE-2014-2983
>= 6.0 and < 6.31
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows re
CVE-2014-1607
all versions
Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary w
CVE-2014-1476
all versions
The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access
CVE-2014-1475
all versions
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unsp
CVE-2013-0244
all versions
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery
CVE-2013-6388
all versions
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary
CVE-2013-6387
all versions
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with cert
CVE-2013-6389
all versions
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary
CVE-2013-6386
all versions
Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds
CVE-2013-6385
all versions
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validati
CVE-2012-0827
all versions
The File module in Drupal 7.x before 7.11, when using unspecified field access modules, allows remote authenticated users to read
CVE-2012-0826
all versions
Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remo
CVE-2012-0825
all versions
Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote
CVE-2013-0246
all versions
The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative im
CVE-2013-0245
all versions
The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly rest
CVE-2013-0316
all versions
The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) v
CVE-2012-5653
all versions
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection m
CVE-2012-5652
all versions
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) sear
CVE-2012-5651
all versions
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain se
CVE-2012-4554
all versions
The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration
CVE-2012-4553
all versions
Drupal 7.x before 7.16 allows remote attackers to obtain sensitive information and possibly re-install Drupal and execute arbitrar
CVE-2012-2153
all versions
Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which a
CVE-2012-1591
all versions
The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private ima
CVE-2012-1590
all versions
The forum list in Drupal 7.x before 7.14 does not properly check user permissions for unpublished forum posts, which allows remote
CVE-2012-1588
all versions
Algorithmic complexity vulnerability in the _filter_url function in the text filtering system (modules/filter/filter.module) in Dr
CVE-2012-2306
all versions
SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary
CVE-2012-2922
<= 7.14
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive informa
CVE-2012-2339
all versions
Cross-site scripting (XSS) vulnerability in the Glossary module 6.x-1.x before 6.x-1.8 for Drupal allows remote attackers to injec
CVE-2012-1589
all versions
Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web s
CVE-2007-6752
<= 7.12
Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of
CVE-2011-3730
all versions
Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installa
CVE-2011-2687
all versions
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that sh
CVE-2010-3686
all versions
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol
CVE-2010-3685
all versions
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol
CVE-2010-3091
all versions
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol
CVE-2010-3094
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privil
CVE-2010-3093
all versions
The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypa
CVE-2010-3092
all versions
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a
CVE-2009-4371
all versions
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly oth
CVE-2009-4370
all versions
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows re
CVE-2009-4369
all versions
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.modul
CVE-2009-4066
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in the "My Account" feature in PHPList Integration module 5 before 5.x-
CVE-2009-3479
all versions
Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x before 5.x-1.17 and 6.x before 6.x-1.6, a module for Drupal,
CVE-2009-3352
>= 5.0 and < 7.0
Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors
CVE-2009-3156
all versions
Cross-site scripting (XSS) vulnerability in the Date Tools sub-module in the Date module 6.x before 6.x-2.3 for Drupal allows remo
CVE-2009-2374
>= 5.0 and < 5.19
Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable tabl
CVE-2009-2373
all versions
Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary
CVE-2009-2372
>= 6.0 and < 6.13
Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed
CVE-2009-1844
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated u
CVE-2009-1823
all versions
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.7 and 6.x bef
CVE-2009-1576
all versions
Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted r
CVE-2009-1575
all versions
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows
CVE-2009-1343
all versions
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.5 and 6.x bef
CVE-2008-6533
all versions
Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the
CVE-2008-6532
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allo
CVE-2009-1069
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x bef
CVE-2009-1047
all versions
Cross-site scripting (XSS) vulnerability in the Send by e-mail module in the "Printer, e-mail and PDF versions" module 5.x before
CVE-2009-1037
all versions
Unspecified vulnerability in the Send by e-mail module in the "Printer, e-mail and PDF versions" module 5.x before 5.x-4.4 and 6.x
CVE-2008-6229
all versions
Cross-site scripting (XSS) vulnerability in the administrative interface in Drupal Content Construction Kit (CCK) 5.x before 5.x-1
CVE-2008-6171
all versions
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," a
CVE-2008-6170
all versions
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with creat
CVE-2008-6137
all versions
EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to bypass access restrictions via unknown vectors.
CVE-2008-6136
all versions
Unspecified vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to gain privileges as another use
CVE-2008-6135
all versions
Cross-site scripting (XSS) vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to inject arbitrar
CVE-2008-6134
all versions
SQL injection vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to execute arbitrary SQL comman
CVE-2008-4793
<= 5.10
The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact
CVE-2008-4792
>= 5.0 and < 5.11
The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an i
CVE-2008-4791
>= 5.0 and < 5.11
The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login acces
CVE-2008-4790
<= 5.10
The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read
CVE-2008-4789
<= 6.4
The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intend
CVE-2008-3661
all versions
Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie
CVE-2008-3745
all versions
The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorize
CVE-2008-3744
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to
CVE-2008-3743
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform uns
CVE-2008-3742
all versions
Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authentica
CVE-2008-3741
all versions
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remot
CVE-2008-3740
all versions
Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers
CVE-2008-3223
>= 6.0 and < 6.3
SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands v
CVE-2008-3222
>= 5.0 and < 5.9
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current reques
CVE-2008-3221
>= 6.0 and < 6.3
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions
CVE-2008-3220
>= 5.0 and < 5.8
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform adm
CVE-2008-3219
>= 5.0 and < 5.8
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administ
CVE-2008-3218
>= 6.0 and < 6.3
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script
CVE-2008-3001
all versions
The Aggregation module 5.x before 5.x-4.4 for Drupal allows remote attackers to upload files with arbitrary extensions, and possib
CVE-2008-3000
all versions
The Aggregation module 5.x before 5.x-4.4 for Drupal, when node access modules are used, does not properly implement access contro
CVE-2008-2999
all versions
Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute a
CVE-2008-2998
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers
CVE-2008-2771
all versions
The Node Hierarchy module 5.x before 5.x-1.1 and 6.x before 6.x-1.0 for Drupal does not properly implement access checks, which al
CVE-2008-1978
<= 5-1.0
Cross-site scripting (XSS) vulnerability in the Ubercart 5.x before 5.x-1.0 rc3 module for Drupal allows remote authenticated user
CVE-2008-1916
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-rc1 module for Drupal allow remote attacker
CVE-2008-1729
>= 6.0 and < 6.2
The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of
CVE-2008-1428
<= 5-1.0
Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-beta7 module for Drupal allow remote attack
CVE-2008-1133
all versions
The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote att
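The defect class behind CVE-2008-1133, shown as an added example (this is illustrative JavaScript written for this page, not Drupal's own drupal.js, and the payload is constructed): `String.prototype.replace` called with a string pattern substitutes only the first match, so an HTML-escaping helper written that way neutralises the first `<` and leaves every later one intact. A global regular expression escapes all occurrences; the `&` replacement runs first so the entities it introduces are not escaped twice.

```javascript
// Added example, not Drupal code. Mirrors the defect: a string-pattern
// replace() only hits the first occurrence of each character.
function checkPlainBroken(str) {
  return String(str)
    .replace('&', '&amp;')
    .replace('<', '&lt;')
    .replace('>', '&gt;')
    .replace('"', '&quot;');
}

// Corrected form: a global regex (the /g flag) replaces every occurrence.
// '&' is escaped first so '&lt;' produced later is not turned into '&amp;lt;'.
function checkPlainFixed(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// True when the output still contains something a browser would parse as
// a tag (an unescaped '<' followed by a letter, '/' or '!').
function containsRawTag(html) {
  return /<[a-z!\/]/i.test(html);
}

// Constructed payload: the first '<' gets escaped by the broken helper,
// the <script> element behind it does not.
const PAYLOAD = '<b>x</b><script>alert(1)</script>';

console.log(checkPlainBroken(PAYLOAD)); // '&lt;b&gt;x</b><script>alert(1)</script>'
console.log(checkPlainFixed(PAYLOAD));  // every '<' and '>' escaped
```

The check to carry into a code review is mechanical: any `.replace('x', ...)` or `.replace("x", ...)` used for escaping is suspect; it must be `.replace(/x/g, ...)` or, on current engines, `.replaceAll`.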
CVE-2008-1131
all versions
Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote authenticated users to inject arbitrary web script or HTML vi
CVE-2008-0577
all versions
The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.
CVE-2008-0576
all versions
Cross-site scripting (XSS) vulnerability in the Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5
CVE-2008-0462
all versions
Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arb
CVE-2008-0276
all versions
Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary
CVE-2008-0274
all versions
Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote a
CVE-2008-0273
all versions
Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attacker
CVE-2008-0272
all versions
Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows r
CVE-2007-6299
all versions
Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to exec
CVE-2007-5621
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as u
CVE-2007-5597
>= 4.7.0 and < 4.7.8
The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attacker
CVE-2007-5596
>= 4.7.0 and < 4.7.8
The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows rem
CVE-2007-5595
>= 4.7.0 and < 4.7.8
CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allow
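An added example of the guard a redirect helper needs against the CVE-2007-5595 class (illustrative JavaScript written for this page, not Drupal's `drupal_goto()`; the function names and the decision to accept only site-relative paths are this example's own choices): a destination taken from the request must not contain CR, LF or NUL before it is written into a `Location` header, otherwise the attacker terminates that header and appends headers or a body of their own. Rejecting absolute and protocol-relative targets in the same place also closes the open-redirect case.

```javascript
// Added example, not Drupal's drupal_goto(). Returns the destination when
// it is safe to place in a Location header, otherwise null.
function safeRedirectTarget(destination) {
  const t = String(destination);
  // A raw CR, LF or NUL ends the Location header: everything after it
  // would be interpreted as further headers (or the response body).
  if (/[\r\n\0]/.test(t)) return null;
  // Percent-encoded CR/LF are refused as well, in case a layer below
  // decodes the value before it reaches the response (defensive assumption).
  if (/%0[ad]/i.test(t)) return null;
  // Only site-relative paths are accepted. This also blocks open redirects
  // through "http://evil.example", "//evil.example" and "/\evil.example".
  if (!t.startsWith('/') || t.startsWith('//') || t.startsWith('/\\')) return null;
  return t;
}

// Builds the redirect header list; a rejected destination falls back to the
// site root instead of echoing attacker input into the response.
function buildRedirectHeaders(destination) {
  const target = safeRedirectTarget(destination) || '/';
  return [['Location', target]];
}

// Constructed inputs: the second one carries an injected Set-Cookie header.
console.log(buildRedirectHeaders('/node/1'));
console.log(buildRedirectHeaders('/node/1\r\nSet-Cookie: session=attacker'));
```

Modern HTTP libraries (Node's `http` module among them) already throw on control characters in header values, but an application that assembles headers by hand, or that runs behind a layer which decodes `%0d%0a`, still needs the check at the point where untrusted input enters the header.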
CVE-2007-5594
>= 5.0 and < 5.3
Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers
CVE-2007-5593
>= 5.0 and < 5.3
install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arb
CVE-2007-5416
<= 5.2
Drupal 5.2 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an
CVE-2007-4436
<= 4.7_1.1
The Drupal Project module before 5.x-1.0, 4.7.x-2.3, and 4.7.x-1.3 and Project issue tracking module before 5.x-1.0, 4.7.x-2.4, an
CVE-2007-4363
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the nodereference module in Drupal Content Construction Kit (CCK) before 4.
CVE-2007-4064
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers t
CVE-2007-4063
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments,
CVE-2007-0658
all versions
The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal and the (2) Captcha 4.7.x before 4.7-1.2 and 5.x b
CVE-2007-0626
> 4.7.0 and < 4.7.6
The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote at
CVE-2007-0534
<= 5
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project issue tracking 4.7.0 through 5.x before 20070123 and (2) Pr
CVE-2007-0506
all versions
The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote
CVE-2007-0505
all versions
Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allow
CVE-2007-0136
>= 4.6.0 and < 4.6.11
Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to injec
CVE-2007-0124
all versions
Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to
CVE-2006-5477
all versions
Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows form submissions to be redirected, which allows remote attackers to obtai
CVE-2006-5476
all versions
Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to pe
CVE-2006-5475
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the XML parser in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allow r
CVE-2006-4120
<= 4.6
Cross-site scripting (XSS) vulnerability in the Recipe module (recipe.module) before 1.54 for Drupal 4.6 and earlier allows remote
CVE-2006-4002
all versions
Cross-site scripting (XSS) vulnerability in user.module in Drupal 4.6 before 4.6.9, and 4.7 before 4.7.3, allows remote attackers
CVE-2006-3570
all versions
Cross-site scripting (XSS) vulnerability in the webform module in Drupal 4.6 before July 8, 2006 and 4.7 before July 8, 2006 allow
CVE-2006-2833
all versions
Cross-site scripting (XSS) vulnerability in the taxonomy module in Drupal 4.6.8 and 4.7.2 allows remote attackers to inject arbitr
CVE-2006-2832
all versions
Cross-site scripting (XSS) vulnerability in the upload module (upload.module) in Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2
CVE-2006-2831
all versions
Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides
CVE-2006-2743
all versions
Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_mime, does not properly handle files with multiple extensions
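The two upload filename failure modes on this page, CVE-2010-3092 (case-insensitive filename handling, listed earlier) and CVE-2006-2743 here (Apache mod_mime treating `shell.php.txt` as PHP because it evaluates every extension, not just the last), share one fix: inspect every dot-separated segment of the name, compare case-insensitively, and defuse rather than trust. The block below is an added example written for this page, not Drupal's own file handling; the list of dangerous extensions and the underscore-suffix munging are this example's assumptions (the munging mirrors the general approach of appending `_` to a risky inner extension so mod_mime no longer recognises it).

```javascript
// Added example, not Drupal code. Extensions considered executable by a
// typical Apache/PHP host; illustrative list, extend for your deployment.
const DANGEROUS = new Set(['php', 'phtml', 'php3', 'php4', 'php5', 'pl', 'py', 'cgi', 'asp', 'sh']);

// Rewrites "shell.php.txt" to "shell.php_.txt" and "shell.PhP" to
// "shell.PhP_": every extension segment is checked, and checked lowercase,
// so neither an inner extension nor a mixed-case one survives.
function mungeFilename(name) {
  const parts = String(name).split('.');
  const base = parts.shift();
  const safe = parts.map(ext => (DANGEROUS.has(ext.toLowerCase()) ? ext + '_' : ext));
  return [base, ...safe].join('.');
}

// Allow-list check for an upload handler. The final extension must be on
// the allow list (compared lowercase), and no inner extension may be one
// that mod_mime would hand to an interpreter.
function isAllowedUpload(name, allowList) {
  const parts = String(name).toLowerCase().split('.');
  if (parts.length < 2) return false;            // no extension at all
  const last = parts[parts.length - 1];
  if (!allowList.has(last)) return false;
  return !parts.slice(1, -1).some(ext => DANGEROUS.has(ext));
}

// Constructed sample names exercising both failure modes.
const ALLOWED = new Set(['txt', 'jpg', 'png']);
for (const n of ['report.txt', 'shell.php.txt', 'shell.PhP', 'notes.TXT']) {
  console.log(n, '->', mungeFilename(n), isAllowedUpload(n, ALLOWED));
}
```

Munging and allow-listing are complementary: the allow list decides whether the upload is accepted at all, the munge makes the stored name harmless even if a later code path (or a different web server configuration) re-enables execution of inner extensions.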
CVE-2006-2742
all versions
SQL injection vulnerability in Drupal 4.6.x before 4.6.7 and 4.7.0 allows remote attackers to execute arbitrary SQL commands via t
CVE-2006-2260
all versions
Cross-site scripting (XSS) vulnerability in the project module (project.module) in Drupal 4.5 and 4.6 allows remote attackers to i
CVE-2006-1228
all versions
Session fixation vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to gain privileges by t
CVE-2006-1227
all versions
Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access contro
CVE-2006-1226
all versions
Cross-site scripting (XSS) vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject arb
CVE-2006-1225
all versions
CRLF injection vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject headers of outg
CVE-2006-0070
all versions
Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript fun
CVE-2005-3975
all versions
Interpretation conflict in file.inc in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allows remote authenticated users to inj
CVE-2005-3974
all versions
Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PHP5, does not correctly enforce user privileges, which allows
CVE-2005-3973
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allow remote attackers t
CVE-2005-2106
all versions
Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a
CVE-2005-1921
< 4.5.4
Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-x
CVE-2005-1871
all versions
Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote at
CVE-2005-0682
all versions
Cross-site scripting (XSS) vulnerability in common.inc in Drupal before 4.5.2 allows remote attackers to inject arbitrary web scri
CVE-2002-1806
all versions
Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javasc
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin