Drupal Security Vulnerabilities

CVE-2009-4066
Multiple cross-site request forgery (CSRF) vulnerabilities in the "My Account" feature in PHPList Integration module 5 before 5.x-1.2 and 6 before 6.x-1.1 for Drupal allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) subscribing or (2) unsubscribing to...
AI Score: 7.3 | EPSS: 0.003 | Date: 2009-11-24 02:30 AM

CVE-2009-4369
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web scri...
AI Score: 5.3 | EPSS: 0.001 | Date: 2009-12-21 04:30 PM

CVE-2009-4370
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu ad...
AI Score: 5.2 | EPSS: 0.001 | Date: 2009-12-21 04:30 PM

CVE-2009-4371
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in...
AI Score: 5.5 | EPSS: 0.001 | Date: 2009-12-21 04:30 PM

CVE-2009-4602
Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Score: 5.9 | EPSS: 0.001 | Date: 2022-10-03 04:24 PM

CVE-2010-2250
Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack.
CVSS: 6.1 | AI Score: 5.9 | EPSS: 0.002 | Date: 2019-11-07 06:15 PM

CVE-2010-2471
Drupal versions 5.x and 6.x have an open redirection vulnerability.
CVSS: 6.1 | AI Score: 6.3 | EPSS: 0.003 | Date: 2019-11-06 06:15 PM

CVE-2010-2472
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigat...
CVSS: 4.8 | AI Score: 5.3 | EPSS: 0.001 | Date: 2019-11-07 07:15 PM

CVE-2010-2473
Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked.
CVSS: 6.5 | AI Score: 6.4 | EPSS: 0.001 | Date: 2019-11-07 07:15 PM

CVE-2010-3022
Cross-site scripting (XSS) vulnerability in the Performance logging module in the Devel module 5.x before 5.x-1.3 and 6.x before 6.x-1.21 for Drupal allows remote authenticated users, with add url aliases and report access permissions, to inject arbitrary web script or HTML via crafted node paths i...
AI Score: 5.5 | EPSS: 0.001 | Date: 2010-08-16 08:00 PM

CVE-2010-3091
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
AI Score: 6.9 | EPSS: 0.005 | Date: 2022-10-03 04:20 PM

CVE-2010-3092
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar na...
AI Score: 6.2 | EPSS: 0.002 | Date: 2022-10-03 04:20 PM

CVE-2010-3093
The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue.
AI Score: 6.2 | EPSS: 0.001 | Date: 2022-10-03 04:20 PM

CVE-2010-3094
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and ...
AI Score: 5.3 | EPSS: 0.001 | Date: 2022-10-03 04:20 PM

CVE-2010-3685
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
AI Score: 7 | EPSS: 0.005 | Date: 2022-10-03 04:20 PM

CVE-2010-3686
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
AI Score: 7 | EPSS: 0.005 | Date: 2022-10-03 04:20 PM

CVE-2010-5312
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
CVSS: 6.1 | AI Score: 6 | EPSS: 0.002 | Date: 2014-11-24 04:59 PM

CVE-2011-2687
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
AI Score: 6.5 | EPSS: 0.014 | Date: 2011-07-27 02:55 AM

CVE-2011-2714
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.
CVSS: 6.1 | AI Score: 6 | EPSS: 0.001 | Date: 2020-01-14 10:15 PM

CVE-2011-2715
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
CVSS: 9.8 | AI Score: 9.7 | EPSS: 0.002 | Date: 2020-01-14 10:15 PM

CVE-2011-2726
An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access...
CVSS: 7.5 | AI Score: 7.5 | EPSS: 0.004 | Date: 2019-11-15 05:15 PM

CVE-2011-3373
Drupal Views Bulk Operations (VBO) module 6.x-1.0 through 6.x-1.10 does not properly escape the vocabulary help when the vocabulary has had user tagging enabled and the "Modify node taxonomy terms" action is used. A remote attacker could provide a specially-crafted URL that could lead to cross-sit...
CVSS: 6.1 | AI Score: 5.8 | EPSS: 0.002 | Date: 2019-11-25 11:15 PM

CVE-2011-3730
Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and certain other files.
AI Score: 7.2 | EPSS: 0.003 | Date: 2022-10-03 04:15 PM

CVE-2011-4560
Cross-site scripting (XSS) vulnerability in the Petition Node module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to signing a petition.
AI Score: 5.4 | EPSS: 0.001 | Date: 2011-11-28 09:55 PM

CVE-2012-0825
Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
AI Score: 6 | EPSS: 0.004 | Date: 2013-10-28 10:55 PM

CVE-2012-0826
Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit...
AI Score: 7 | EPSS: 0.001 | Date: 2013-10-28 10:55 PM

CVE-2012-0827
The File module in Drupal 7.x before 7.11, when using unspecified field access modules, allows remote authenticated users to read arbitrary private files that are associated with restricted fields via unspecified vectors.
AI Score: 6.2 | EPSS: 0.001 | Date: 2013-10-28 10:55 PM

CVE-2012-1588
Algorithmic complexity vulnerability in the _filter_url function in the text filtering system (modules/filter/filter.module) in Drupal 7.x before 7.14 allows remote authenticated users with certain roles to cause a denial of service (CPU consumption) via a long email address.
AI Score: 6.2 | EPSS: 0.01 | Date: 2012-10-01 12:55 AM

CVE-2012-1589
Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL.
AI Score: 6.6 | EPSS: 0.004 | Date: 2012-05-18 08:55 PM

CVE-2012-1590
The forum list in Drupal 7.x before 7.14 does not properly check user permissions for unpublished forum posts, which allows remote authenticated users to obtain sensitive information such as the post title via the forum overview page.
AI Score: 5.8 | EPSS: 0.003 | Date: 2012-10-01 12:55 AM

CVE-2012-1591
The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles.
AI Score: 6.5 | EPSS: 0.006 | Date: 2012-10-01 12:55 AM

CVE-2012-1637
Cross-site scripting (XSS) vulnerability in the Quick Tabs module 6.x-2.x before 6.x-2.1, 6.x-3.x before 6.x-3.1, and 7.x-3.x before 7.x-3.3 for Drupal.
CVSS: 4.8 | AI Score: 5 | EPSS: 0.001 | Date: 2019-11-21 11:15 PM

CVE-2012-1646
Multiple cross-site scripting (XSS) vulnerabilities in the FAQ module 6.x-1.x before 6.x-1.13 and 7.x-1.x-rc1 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via the (1) title parameter in faq.admin.inc or (2) detailed_question parameter in faq.module.
AI Score: 5.5 | EPSS: 0.003 | Date: 2012-09-25 11:55 PM

CVE-2012-2078
Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal.
CVSS: 4.8 | AI Score: 5 | EPSS: 0.001 | Date: 2019-11-21 11:15 PM

CVE-2012-2079
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVSS: 8.8 | AI Score: 8.7 | EPSS: 0.001 | Date: 2019-11-22 12:15 AM

CVE-2012-2153
Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which allows remote authenticated users with the "Access the content overview page" permission to read all published nodes by accessing the admin/content page.
AI Score: 6 | EPSS: 0.002 | Date: 2012-10-01 12:55 AM

CVE-2012-2298
Multiple cross-site scripting (XSS) vulnerabilities in the RealName module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) "user names in page titles" and (2) "autocomplete callbacks."
AI Score: 5.8 | EPSS: 0.005 | Date: 2012-08-14 10:55 PM

CVE-2012-2306
SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
AI Score: 8.7 | EPSS: 0.002 | Date: 2022-10-03 04:15 PM

CVE-2012-2339
Cross-site scripting (XSS) vulnerability in the Glossary module 6.x-1.x before 6.x-1.8 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "taxonomy information."
AI Score: 5.8 | EPSS: 0.004 | Date: 2012-05-21 08:55 PM

CVE-2012-2922
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.
AI Score: 6.8 | EPSS: 0.007 | Date: 2012-05-21 10:55 PM

CVE-2012-4553
Drupal 7.x before 7.16 allows remote attackers to obtain sensitive information and possibly re-install Drupal and execute arbitrary PHP code via an external database server, related to "transient conditions."
AI Score: 7.3 | EPSS: 0.004 | Date: 2022-10-03 04:15 PM

CVE-2012-4554
The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.
AI Score: 6.4 | EPSS: 0.166 | Date: 2022-10-03 04:15 PM

CVE-2012-5651
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.
AI Score: 6 | EPSS: 0.007 | Date: 2013-01-03 01:55 AM

CVE-2012-5652
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.
AI Score: 5.9 | EPSS: 0.007 | Date: 2013-01-03 01:55 AM

CVE-2012-5653
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.
AI Score: 7 | EPSS: 0.012 | Date: 2013-01-03 01:55 AM

CVE-2013-0244
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified JavaScript functions that are use...
AI Score: 7.4 | EPSS: 0.003 | Date: 2014-01-19 05:16 PM

CVE-2013-0245
The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to nodes that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles an...
AI Score: 6 | EPSS: 0.002 | Date: 2013-07-16 06:55 PM

CVE-2013-0246
The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors.
AI Score: 6.6 | EPSS: 0.003 | Date: 2022-10-03 04:15 PM

CVE-2013-0316
The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests.
AI Score: 6.5 | EPSS: 0.002 | Date: 2022-10-03 04:15 PM

CVE-2013-4226
The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser.
CVSS: 6.5 | AI Score: 6.3 | EPSS: 0.002 | Date: 2020-02-18 07:15 PM

Total number of security vulnerabilities: 411