DRUPAL-CONTRIB-2025-070
This module enables you to set up a repeating date rule that users can "book" different dates, allowing you to let users register for a variety of different things like conference rooms or guitar lessons. This module has a permission of "view booking" and "view booking contact" which allows you to...
Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-071
The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be...
CVE-2012-2305
Cross-site request forgery (CSRF) vulnerability in the Node Gallery module for Drupal 6.x-3.1 and earlier allows remote attackers to hijack the authentication of certain users for requests that create node galleries...
CVE-2012-4479
SQL injection vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
CVE-2015-8081
The Field as Block module 7.x-1.x before 7.x-1.4 for Drupal might allow remote attackers to obtain sensitive field information by reading a cached block...
CVE-2013-0207
Cross-site request forgery (CSRF) vulnerability in the Mark Complete module 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors...
CVE-2013-1859
The Node Parameter Control module 6.x-1.x for Drupal does not properly restrict access to the configuration options, which allows remote attackers to read and edit configuration options via unspecified vectors...
CVE-2012-2306
SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
CVE-2012-5550
SQL injection vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
CVE-2014-7869
Cross-site scripting (XSS) vulnerability in the configuration UI in the Context Form Alteration module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer contexts" permission to inject arbitrary web script or HTML via unspecified vectors...
CVE-2013-0317
Cross-site scripting (XSS) vulnerability in the Manager Change for Organic Groups (ogmanagerchange) module 7.x-2.x before 7.x-2.1 for Drupal might allow remote attackers to inject arbitrary web script or HTML via the username in the new manager autocomplete field...
CVE-2009-1344
Cross-site scripting (XSS) vulnerability in the Localization client module 5.x before 5.x-1.2 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the translation functionality...
CVE-2009-3353
Multiple unspecified vulnerabilities in the Node2Node module for Drupal have unknown impact and attack vectors...
CVE-2009-3479
Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x before 5.x-1.17 and 6.x before 6.x-1.6, a module for Drupal, allows remote attackers, with "create content displayed by the Bibliography module" permissions, to inject arbitrary web script or HTML via a title...
CVE-2009-2291
Unspecified vulnerability in LoginToboggan 6.x-1.x before 6.x-1.5, a module for Drupal, when "Allow users to login using their e-mail address" is enabled, allows remote blocked users to bypass intended access restrictions via unspecified vectors...
CVE-2009-2083
Cross-site scripting (XSS) vulnerability in the term data detail page in Taxonomy manager 5.x before 5.x-1.2, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to use free tagging to add taxonomy terms, to inject arbitrary web script or HTML...
CVE-2009-1342
Cross-site scripting (XSS) vulnerability in the CCK comment reference module 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via certain comment titles associated with a node edit form...
CVE-2009-1249
Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map...
CVE-2009-3784
Open redirect vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors...
DRUPAL-CONTRIB-2025-065
This module provides a block to easily display a rendered node. Access to the rendered node isn't validated before rendering the block, allowing access to node content for users who would normally not be allowed to access the node...