
Search CVE reports



81 – 90 of 129 results


CVE-2015-3234

Medium priority

Some fixes available 2 of 5

The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and...

2 affected packages

drupal6, drupal7

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal6 Not in release Not in release Not in release Not in release Not in release
drupal7 Not in release Not in release Not in release Not in release Not affected

CVE-2015-3233

Medium priority

Some fixes available 2 of 4

Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

2 affected packages

drupal6, drupal7

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal6 Not in release Not in release Not in release Not in release Not in release
drupal7 Not in release Not in release Not in release Not in release Not affected

CVE-2015-3232

Low priority

Some fixes available 2 of 5

Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter.

3 affected packages

drupal6, drupal6-mod-cck, drupal7

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal6 Not in release Not in release Not in release Not in release Not in release
drupal6-mod-cck Not in release Not in release Not in release Not in release Not in release
drupal7 Not in release Not in release Not in release Not in release Not affected

CVE-2015-3231

Low priority

Some fixes available 2 of 4

The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache.

2 affected packages

drupal6, drupal7

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal6 Not in release Not in release Not in release Not in release Not in release
drupal7 Not in release Not in release Not in release Not in release Not affected

CVE-2015-2559

Medium priority

Some fixes available 2 of 5

Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.

2 affected packages

drupal6, drupal7

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal6 Not in release Not in release
drupal7 Not in release Not affected

CVE-2014-9016

Medium priority

Some fixes available 1 of 5

The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via...

2 affected packages

drupal6, drupal7

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal6 Not in release Not in release Not in release Not in release Not in release
drupal7 Not in release Not in release Not in release Not in release Not affected

CVE-2014-9015

Medium priority

Some fixes available 1 of 5

Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.

2 affected packages

drupal6, drupal7

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal6 Not in release Not in release Not in release Not in release Not in release
drupal7 Not in release Not in release Not in release Not in release Not affected

CVE-2014-3704

Medium priority
Fixed

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing...

2 affected packages

drupal6, drupal7

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal6
drupal7

CVE-2014-5267

Medium priority
Vulnerable

modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.

1 affected package

drupal7

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal7 Not in release Not in release Not in release Not in release Not affected

CVE-2014-5266

Medium priority

Some fixes available 1 of 13

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of...

3 affected packages

drupal6, drupal7, wordpress

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal6 Not in release Not in release Not in release Not in release Not in release
drupal7 Not in release Not in release Not in release Not in release Not affected
wordpress Not affected Not affected Not affected Not affected Not affected