the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew  

Metasploit Modules Related To Drupal

CVE-2012-4554  Drupal OpenID External Entity Injection
This module abuses an XML External Entity Injection vulnerability on the OpenID module from Drupal. The vulnerability exists in the parsing of a malformed XRDS file coming from a malicious OpenID endpoint. This module has been tested successfully on Drupal 7.15 and 7.2 with the OpenID module enabled.
Module type : auxiliary Rank : normal
CVE-2014-3704  Drupal HTTP Parameter Key/Value SQL Injection
This module exploits the Drupal HTTP Parameter Key/Value SQL Injection (aka Drupageddon) in order to achieve a remote shell on the vulnerable instance. This module was tested against Drupal 7.0 and 7.31 (was fixed in 7.32). Two methods are available to trigger the PHP payload on the target: - set TARGET 0: Form-cache PHP injection method (default). This uses the SQLi to upload a malicious form to Drupal's cache, then trigger the cache entry to execute the payload using a POP chain. - set TARGET 1: User-post injection method. This creates a new Drupal user, adds it to the administrators group, enable Drupal's PHP module, grant the administrators the right to bundle PHP code in their post, create a new post containing the payload and preview it to trigger the payload execution.
Module type : exploit Rank : excellent Platforms : PHP
CVE-2014-5266  Wordpress XMLRPC DoS
Wordpress XMLRPC parsing is vulnerable to a XML based denial of service. This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are also patched).
Module type : auxiliary Rank : normal
CVE-2014-9016  WordPress Long Password DoS
WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing.
Module type : auxiliary Rank : normal
CVE-2018-7600  Drupal Drupalgeddon 2 Forms API Property Injection
This module exploits a Drupal property injection in the Forms API. Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.
Module type : exploit Rank : excellent Platforms : PHP,Unix,Linux

Please note: Metasploit modules are only matched by CVE numbers. There may be other modules related to this product. Visit metasploit web site for more details
Total number of modules found = 5   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.