Search CVE reports
Some fixes available 2 of 5
Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter.
3 affected packages
drupal6, drupal6-mod-cck, drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal6 | Not in release | Not in release | Not in release | Not in release |
drupal6-mod-cck | Not in release | Not in release | Not in release | Not in release |
drupal7 | Not in release | Not in release | Not in release | Not in release |
Some fixes available 2 of 4
The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache.
2 affected packages
drupal6, drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal6 | Not in release | Not in release | Not in release | Not in release |
drupal7 | Not in release | Not in release | Not in release | Not in release |
Some fixes available 2 of 5
Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
2 affected packages
drupal6, drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal6 | — | — | — | Not in release |
drupal7 | — | — | — | Not in release |
Some fixes available 1 of 5
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via...
2 affected packages
drupal7, drupal6
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release |
drupal6 | Not in release | Not in release | Not in release | Not in release |
Some fixes available 1 of 5
Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.
2 affected packages
drupal6, drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal6 | Not in release | Not in release | Not in release | Not in release |
drupal7 | Not in release | Not in release | Not in release | Not in release |
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing...
2 affected packages
drupal6, drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal6 | — | — | — | — |
drupal7 | — | — | — | — |
modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.
1 affected package
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release |
Some fixes available 1 of 13
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of...
3 affected packages
drupal6, drupal7, wordpress
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal6 | Not in release | Not in release | Not in release | Not in release |
drupal7 | Not in release | Not in release | Not in release | Not in release |
wordpress | Not affected | Not affected | Not affected | Not affected |
Some fixes available 1 of 13
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers...
3 affected packages
drupal6, drupal7, wordpress
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal6 | Not in release | Not in release | Not in release | Not in release |
drupal7 | Not in release | Not in release | Not in release | Not in release |
wordpress | Not affected | Not affected | Not affected | Not affected |
Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field.
1 affected package
drupal7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release |