Filtered by vendor Drupal Subscriptions
Total 834 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2012-2922 1 Drupal 1 Drupal 2024-08-06 N/A
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.
CVE-2012-2703 2 Drupal, John Franklin 2 Drupal, Advertisement 2024-08-06 N/A
Cross-site scripting (XSS) vulnerability in the Advertisement module 6.x-2.x before 6.x-2.3 for Drupal, when debug mode is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to the "$conf variable in settings.php."
CVE-2012-2725 2 Authoring Html, Drupal 2 6.x-1.0, Drupal 2024-08-06 N/A
classes/Filter/WhitelistedExternalFilter.php in the Authoring HTML module 6.x-1.x before 6.x-1.1 for Drupal does not properly validate sources with the host white list, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks.
CVE-2012-2721 2 Drupal, Moshe Weitzman 2 Drupal, Organic Groups 2024-08-06 N/A
The default views in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal do not properly check permissions when all users have the "access content" permission removed, which allows remote attackers to bypass access restrictions and possibly have other unspecified impact.
CVE-2012-2727 2 Bryce Hamrick, Drupal 2 Janrain Capture, Drupal 2024-08-06 N/A
Open redirect vulnerability in the Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when synchronizing user data, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
CVE-2012-2730 2 Alexis Wilke, Drupal 2 Protected Node, Drupal 2024-08-06 N/A
The Protected Node module 6.x-1.x before 6.x-1.6 for Drupal does not properly "protect node access when nodes are accessed outside of the standard node view," which allows remote attackers to bypass intended access restrictions.
CVE-2012-2722 2 Drupal, Scott Reynen 2 Drupal, Node Embed 2024-08-06 N/A
The node selection interface in the WYSIWYG editor (CKEditor) in the Node Embed module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.0 for Drupal does not properly check permissions, which allows remote attackers to bypass intended access restrictions and read node titles.
CVE-2012-2731 2 Drupal, Richardo Ante 2 Drupal, Ubercart Ajax Cart 2024-08-06 N/A
The Ubercart AJAX Cart 6.x-2.x before 6.x-2.1 for Drupal stores the PHP session id in the JavaScript settings array in page loads, which might allow remote attackers to obtain sensitive information by sniffing or reading the cache of the HTML of a webpage.
CVE-2012-2728 2 Drupal, Ronan Dowling 2 Drupal, Node Hierarchy 2024-08-06 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the Node Hierarchy module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to hijack the authentication of administrators for requests that change a node hierarchy position via an (1) up or (2) down action.
CVE-2012-2717 2 Drupal, Mathew Winstone 2 Drupal, Mobile Tools 2024-08-06 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Mobile Tools module 6.x-2.x before 6.x-2.3 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) Mobile URL field or (2) Desktop URL field to the General configuration page, or the (3) message to the Mobile Tools block message options.
CVE-2012-2713 2 Browserid Project, Drupal 2 Browserid, Drupal 2024-08-06 N/A
Cross-site request forgery (CSRF) vulnerability in the BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that login a user to another web site.
CVE-2012-2720 2 Adam Ross, Drupal 2 Tokenauth, Drupal 2024-08-06 N/A
The Token Authentication (tokenauth) module 6.x-1.x before 6.x-1.7 for Drupal does not properly revert user sessions, which might allow remote attackers to perform requests with extra privileges.
CVE-2012-2729 2 Adcillc, Drupal 2 Simplemeta, Drupal 2024-08-06 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the SimpleMeta module 6.x-1.x before 6.x-2.0 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) delete or (2) add a meta tag entry.
CVE-2012-2726 2 Alberto Trujillo Gonzalez, Drupal 2 Protest, Drupal 2024-08-06 N/A
Cross-site scripting (XSS) vulnerability in the Protest module 6.x-1.x before 6.x-1.2 or 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer protest" permission to inject arbitrary web script or HTML via the protest_body parameter.
CVE-2012-2718 2 Drupal, Drupal-id 2 Drupal, Counter Module 2024-08-06 N/A
SQL injection vulnerability in the Counter module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "recording visits."
CVE-2012-2723 2 Blaine Lang, Drupal 2 Maestro, Drupal 2024-08-06 N/A
Cross-site scripting (XSS) vulnerability in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with maestro admin permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-2710 2 Drupal, John Albin 2 Drupal, Zen 2024-08-06 N/A
Cross-site scripting (XSS) vulnerability in the Zen module 6.x-1.x before 6.x-1.1 for Drupal, when "Append the content title to the end of the breadcrumb" is enabled, allows remote attackers to inject arbitrary web script or HTML via the content title in a breadcrumb.
CVE-2012-2707 2 Antoine Beaupre, Drupal 2 Hostmaster, Drupal 2024-08-06 N/A
The Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal does not properly exit when users do not have access to package/task nodes, which allows remote attackers to bypass intended access restrictions and edit unauthorized nodes.
CVE-2012-2705 2 Christopher Mitchell, Drupal 2 Smart Breadcrumb, Drupal 2024-08-06 N/A
The filter_titles function in the Smart Breadcrumb module 6.x-1.x before 6.x-1.3 for Drupal does not properly convert a title to plain-text, which allows remote authenticated users with create or edit node permissions to conduct cross-site scripting (XSS) attacks via the title parameter.
CVE-2012-2715 2 Drupal, Jason Moore 2 Drupal, Amadou 2024-08-06 N/A
Cross-site scripting (XSS) vulnerability in the themes_links function in template.php in the Amadou theme module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to class attributes in a list of links.