Cross-site request forgery (CSRF)
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."...
CVE-2015-6660
Removed by vendor...
CVE-2015-6660
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."...
CVE-2015-6660
The CVE-2015-6660 issue affects Drupal 6.x up to 6.37 and Drupal 7.x up to 7.39, where the Form API does not properly validate the form token. This enables CSRF attacks that can upload files to another user’s account via vectors related to file upload value callbacks. Root cause: insufficient for...
FreeBSD : drupal -- multiple vulnerabilities (9393213d-489b-11e5-b8c7-d050996490d0)
Drupal development team reports : This security advisory fixes multiple vulnerabilities. See below for a list. Cross-site Scripting - Ajax system - Drupal 7 A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax on a whitelisted HTM...
Drupal Form API Cross-Site Request Forgery Vulnerability
Drupal is a free and open source content management system developed in PHP. Drupal suffers from a cross-site request forgery vulnerability that allows remote attackers to construct malicious URIs, trick users into parsing them, and can target user contexts to perform malicious actions...
drupal -- multiple vulnerabilities
Drupal development team reports: This security advisory fixes multiple vulnerabilities. See below for a list. Cross-site Scripting - Ajax system - Drupal 7 A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax on a whitelisted HTML...
CVE-2014-5021
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label...
CVE-2014-5021
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label...
Cross-site scripting
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label...
UBUNTU-CVE-2014-5021
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label...
CVE-2014-5021
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label...
CVE-2014-5021
CVE-2014-5021 concerns Drupal’s Form API XSS vulnerability. The vulnerability affects Drupal 6.x before 6.32 and potentially 7.x before 7.29, where remote authenticated users who possess the “administer taxonomy” permission can inject arbitrary script or HTML via an option group label. The impact...
CVE-2014-5021
Removed by vendor...
SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Denial of service with malicious HTTP Host header Base system - Drupal 6 and 7 - Critical Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header. The HT...
Drupal 7.x < 7.26 Multiple Vulnerabilities
The remote web server is running a version of Drupal that is 7.x prior to 7.26. It is, therefore, potentially affected by the following security bypass vulnerabilities : - An issue exists in the OpenID module that allows an authenticated attacker to hijack other users' accounts. Only user account...
Debian DSA-2847-1 : drupal7 - several vulnerabilities
Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2014-1475 Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module that...
Debian Security Advisory DSA 2847-1 (drupal7 - several vulnerabilities)
Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2014-1475 Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module that allows...
Debian: Security Advisory (DSA-2847-1)
The remote host is missing an update for the Debian...
SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Impersonation OpenID module - Drupal 6 and 7 - Highly critical A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack...