The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.
CVSS Score
5.1
EPSS Score
0.016
Published
2013-12-07
Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.
CVSS Score
6.8
EPSS Score
0.004
Published
2013-12-07
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVSS Score
5.8
EPSS Score
0.003
Published
2013-12-07
The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors.
CVSS Score
2.1
EPSS Score
0.004
Published
2013-07-16
The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors.
CVSS Score
4.3
EPSS Score
0.005
Published
2013-07-16
The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests.
CVSS Score
5.0
EPSS Score
0.005
Published
2013-03-27
Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors.
CVSS Score
6.8
EPSS Score
0.002
Published
2013-03-19
Cross-site request forgery (CSRF) vulnerability in the Content Lock module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVSS Score
6.8
EPSS Score
0.002
Published
2012-09-17
Cross-site scripting (XSS) vulnerability in the Glossary module 6.x-1.x before 6.x-1.8 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "taxonomy information."
CVSS Score
4.3
EPSS Score
0.007
Published
2012-05-21
The Contact Forms module 7.x-1.x before 7.x-1.2 for Drupal does not specify sufficiently restrictive permissions, which allows remote authenticated users with the "access the site-wide contact form" permission to modify the module settings via unspecified vectors.
CVSS Score
3.5
EPSS Score
0.004
Published
2012-05-21