Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (2) enable a search index via an enable index action.
CVSS Score
6.8
EPSS Score
0.001
Published
2012-12-03
Cross-site scripting (XSS) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score
4.3
EPSS Score
0.003
Published
2012-12-03
Cross-site request forgery (CSRF) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVSS Score
6.8
EPSS Score
0.001
Published
2012-12-03
SQL injection vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVSS Score
7.5
EPSS Score
0.004
Published
2012-12-03
Multiple cross-site scripting (XSS) vulnerabilities in the MailChimp module 7.x-2.x before 7.x-2.7 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) a predictable "webhook URL key" and (2) improper sanitization of "Webhook variables from POST requests."
CVSS Score
4.3
EPSS Score
0.003
Published
2012-12-03
The Password policy module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to obtain password hashes by sniffing the network, related to "client-side password history checks."
CVSS Score
5.0
EPSS Score
0.004
Published
2012-12-03
Multiple cross-site scripting (XSS) vulnerabilities in the OM Maximenu module 6.x-1.x before 6.x-1.44 and 7.x-1.x before 7.x-1.44 for Drupal allow remote authenticated users with the "administer OM Maximenu" permission to inject arbitrary web script or HTML via the (1) Menu Title (2) Link Title, (3) Path Query, (4) Anchor, or (5) vocabulary names.
CVSS Score
2.1
EPSS Score
0.003
Published
2012-12-03
The default configuration for the Webform CiviCRM Integration module 7.x-3.x before 7.x-3.2 has "Enforce Permissions" disabled, which allows remote attackers to obtain contact information by reading webforms.
CVSS Score
5.0
EPSS Score
0.002
Published
2012-12-03
Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors.
CVSS Score
6.8
EPSS Score
0.002
Published
2012-12-03
The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, does not properly assign roles when there are more than three roles on the site and certain unspecified configurations, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password.
CVSS Score
3.6
EPSS Score
0.002
Published
2012-12-03