315 matches found
Drupal Drupalgeddon 2 Forms API Property Injection Exploit
This Metasploit module exploits a Drupal property injection in the Forms API. Drupal versions 6.x, less than 7.58, 8.2.x, less than 8.3.9, less than 8.4.6, and less than 8.5.1 are vulnerable. This module requires Metasploit: https://metasploit.com/download Current source:...
Drupal Drupalgeddon 2 Forms API Property Injection
This module exploits a Drupal property injection in the Forms API. Drupal 6.x, ... Module metadata: 'Name' = 'Drupal Drupalgeddon 2 Forms API Property Injection', 'Description' = %q{ This module exploits a Drupal property injection in the Forms API. Drupal 6.x, ... }, 'Author' = [ 'Jasper Mattsson' (vulnerability discovery), 'a2u' (proof of concept), ...
Open redirect
Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence...
CVE-2015-2749
Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter...
CVE-2015-2749
CVE-2015-2749 is an open redirect vulnerability in Drupal. The affected software is Drupal 6.x prior to 6.35 and Drupal 7.x prior to 7.35. The vulnerability enables remote attackers to redirect users to arbitrary websites and potentially facilitate phishing through a destination parameter. Exploi...
Drupal 6.x < 6.38 Multiple Vulnerabilities (SA-CORE-2016-001) - Windows
Drupal is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:drupal:drupal"; if(description)...
Design/Logic Flaw
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "access" set to FALSE in the server-side form definition...
CVE-2016-3165
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "access" set to FALSE in the server-side form definition...
Code injection
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation...
Crlf injection
CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP...
CVE-2016-3167
Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter...
CVE-2016-3171
Removed by vendor...
CVE-2016-3166
CVE-2016-3166 describes a CRLF injection in Drupal 6.x before 6.38 when used with PHP before 5.1.2, due to the drupal_set_header function. The issue allows remote attackers to inject arbitrary HTTP headers and perform HTTP response splitting by leveraging a module that outputs user-submitted data...
CVE-2016-3171
Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation...
Drupal 6.x < 6.37 Multiple Vulnerabilities
Binary data 9215.prm...
Mollom - Critical - Access bypass - SA-CONTRIB-2015-168
The Mollom module allows users to protect their website from spam. As part of the spam protection, Mollom enables the website administrator to create a blacklist. When content is submitted that matches terms on the blacklist, it will be automatically marked as spam and rejected per the site...
UC Profile - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-165
UC Profile module enables you to collect profile fields for users during the checkout process of Ubercart as a checkout pane. The module doesn't sufficiently check access to profiles under certain circumstances. Depending on the information being collected, sensitive data may be exposed. This...
Drupal 6.x < 6.37 Multiple Vulnerabilities
The remote web server is running a version of Drupal that is 6.x prior to 6.37. It is, therefore, potentially affected by the following vulnerabilities: - A cross-site scripting vulnerability exists in the autocomplete functionality due to improper validation of input passed via requested URLs. ...
CVE-2015-6658
Removed by vendor...
CVE-2015-6658
Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files...