| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal does not check the status of an entity when indexing, which allows remote attackers to obtain information about unpublished content via a search. |
| Cross-site scripting (XSS) vulnerability in the Inline Entity Form module 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with permission to create or edit fields to inject arbitrary web script or HTML via unspecified vectors. |
| Cross-site request forgery (CSRF) vulnerability in the XC NCIP Provider module in the eXtensible Catalog (XC) Drupal Toolkit allows remote attackers to hijack the authentication of users with the "administer ncip providers" permission for requests that alter NCIP providers via a crafted request. |
| The Administration Views module 7.x-1.x before 7.x-1.4 for Drupal, when used with other unspecified modules, does not properly grant access to administration pages, which allows remote administrators to bypass intended restrictions via unspecified vectors. |
| Open redirect vulnerability in the Content Construction Kit (CCK) 6.x-2.x before 6.x-2.10 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destinations parameter, related to administration pages. |
| The HybridAuth Social Login module 7.x-2.x before 7.x-2.13 for Drupal allows remote attackers to bypass the user registration by administrator only configuration and create an account via a social login. |
| The me aliases module 6.x-2.x before 6.x-2.10 and 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to access Views using the "me" user argument handler by substituting "me" for a user id in a URL. |
| Cross-site scripting (XSS) vulnerability in the Shibboleth authentication module 6.x-4.x before 6.x-4.2 and 7.x-4.x before 7.x-4.2 for Drupal allows remote authenticated users with the "Administer blocks" permission to inject arbitrary web script or HTML via unspecified vectors related to a login link. |
| Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x before 7.x-2.8 for Drupal, when the migrate_ui submodule is enabled, allows user-assisted remote attackers to inject arbitrary web script or HTML via a destination field label. |
| The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x-3.3 for Drupal, when the bulk operation for changing Roles is enabled, allows remote authenticated users to edit user accounts and add arbitrary roles to the accounts by leveraging access to a user account listing view with VBO enabled. |
| Memory leak in the last hop kernel module in F5 BIG-IP LTM, GTM, and Link Controller 10.1.x, 10.2.x before 10.2.4 HF13, 11.x before 11.2.1 HF15, 11.3.x, 11.4.x, 11.5.x before 11.5.3 HF2, and 11.6.x before HF6, BIG-IP AAM 11.4.x, 11.5.x before 11.5.3 HF2 and 11.6.0 before HF6, BIG-IP AFM and PEM 11.3.x, 11.4.x, 11.5.x before 11.5.3 HF2, and 11.6.0 before HF6, BIG-IP Analytics 11.x before 11.2.1 HF15, 11.3.x, 11.4.x, 11.5.x before 11.5.3 HF2, and 11.6.0 before HF6, BIG-IP APM and ASM 10.1.0 through 10.2.4, 11.x before 11.2.1 HF15, 11.3.x, 11.4.x, 11.5.x before 11.5.3 HF2, and 11.6.0 before HF6, BIG-IP Edge Gateway, WebAccelerator, and WOM 10.1.x, 10.2.x before 10.2.4 HF13, 11.x before 11.2.1 HF15, and 11.3.0, BIG-IP PSM 10.1.x, 10.2.x before 10.2.4 HF13, 11.x before 11.2.1 HF15, 11.3.x, and 11.4.x before 11.4.1 HF, Enterprise Manager 3.0.0 through 3.1.1, BIG-IQ Cloud and Security 4.0.0 through 4.5.0, BIG-IQ Device 4.2.0 through 4.5.0, and BIG-IQ ADC 4.5.0 might allow remote attackers to cause a denial of service (memory consumption) via a large number of crafted UDP packets. |
| Cross-site scripting (XSS) vulnerability in the applyConvolution demo in WideImage 11.02.19 allows remote attackers to inject arbitrary web script or HTML via the matrix parameter to demo/index.php. |
| Cross-site scripting (XSS) vulnerability in the Users module in Orchard 1.7.3 through 1.8.2 and 1.9.x before 1.9.1 allows remote attackers to inject arbitrary web script or HTML via the username when creating a new user account, which is not properly handled when deleting an account. |
| Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the name in a new group to backend/groups/index.php. |
| Heap-based buffer overflow in the ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving a command character in an href. |
| The ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving multiple whitespace characters before an empty href, which triggers a large memory allocation. |
| Cross-site scripting (XSS) vulnerability in the save_order function in class-floating-social-bar.php in the Floating Social Bar plugin before 1.1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the items[] parameter in an fsb_save_order action to wp-admin/admin-ajax.php. |
| Multiple cross-site scripting (XSS) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to dashboard/settings/categories/, (2) title or (3) rel parameter to dashboard/settings/links/, or (4) url parameter to dashboard/tools/pingservers/. |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request to dashboard/users/create/. |
| Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls. |