Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.
Max CVSS
6.8
EPSS Score
0.69%
Published
2014-11-24
Updated
2018-12-20
modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.
Max CVSS
6.8
EPSS Score
0.54%
Published
2014-09-30
Updated
2014-10-10
CVE-2014-3704
Public exploit
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
Max CVSS
7.5
EPSS Score
97.53%
Published
2014-10-16
Updated
2021-09-29
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.
Max CVSS
7.5
EPSS Score
0.69%
Published
2014-01-24
Updated
2014-02-21
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
Max CVSS
6.1
EPSS Score
0.17%
Published
2014-11-24
Updated
2023-06-21
5 vulnerabilities found