The Organic Groups (OG) Vocabulary module 6.x-1.x before 6.x-1.2 for Drupal allows remote authenticated users with certain administrator permissions to modify the vocabularies of other groups via unspecified vectors.
CVSS Score
2.1
EPSS Score
0.003
Published
2012-08-28
The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin Pull mode with the "Far Future expiration" option enabled, allows remote attackers to read arbitrary PHP files via unspecified vectors, as demonstrated by reading settings.php.
CVSS Score
2.6
EPSS Score
0.006
Published
2012-08-28
Multiple cross-site scripting (XSS) vulnerabilities in the "stand alone PHP application for the OSM Player," as used in the MediaFront module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal, allow remote attackers to inject arbitrary web script or HTML via (1) $_SERVER['HTTP_HOST'] or (2) $_SERVER['SCRIPT_NAME'] to players/osmplayer/player/OSMPlayer.php, (3) playlist parameter to players/osmplayer/player/getplaylist.php, and possibly other vectors related to $_SESSION.
CVSS Score
4.3
EPSS Score
0.007
Published
2012-08-28
The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the current user even when it is called to check permissions of other users, which allows remote attackers to bypass intended access restrictions, as demonstrated when using the XML sitemap module to obtain sensitive information about unpublished content.
CVSS Score
6.4
EPSS Score
0.002
Published
2012-08-28
Multiple cross-site scripting (XSS) vulnerabilities in the Creative Commons module 6.x-1.x before 6.x-1.1 for Drupal allow remote authenticated users with the administer creative commons permission to inject arbitrary web script or HTML via the (1) creativecommons_user_message or (2) creativecommons_site_license_additional_text parameter.
CVSS Score
2.1
EPSS Score
0.004
Published
2012-08-26
Cross-site scripting (XSS) vulnerability in the MultiBlock module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer blocks permission to inject arbitrary web script or HTML via the block title.
CVSS Score
2.1
EPSS Score
0.004
Published
2012-08-14
Cross-site scripting (XSS) vulnerability in the Contact Forms module 6.x-1.x before 6.x-1.13 for Drupal when the core contact form is enabled, allows remote authenticated users with the administer site-wide contact form permission to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score
2.1
EPSS Score
0.003
Published
2012-08-14
Cross-site scripting (XSS) vulnerability in the Share Buttons (AddToAny) module 6.x-3.x before 6.x-3.4 for Drupal allows remote authenticated users with the administer addtoany permission to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score
2.1
EPSS Score
0.003
Published
2012-08-14
The Bundle copy module 7.x-1.x before 7.x-1.1 for Drupal does not check for the "use PHP for settings" permission while importing settings, which allows remote authenticated users with certain permissions to execute arbitrary PHP code via unspecified vectors.
CVSS Score
6.0
EPSS Score
0.009
Published
2012-08-14
Unspecified vulnerability in certain default views in the Ubercart Views module 6.x before 6.x-3.2 for Drupal allows remote attackers to obtain sensitive information via unknown attack vectors.
CVSS Score
5.0
EPSS Score
0.006
Published
2012-08-14