Total
709 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-4063 | 2 Drupal, Ezra Barnett Gildesgame | 2 Drupal, Og Subgroups | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Subgroups for Organic Groups (OG) module 5.x before 5.x-4.0 and 5.x before 5.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified node titles. | |||||
| CVE-2009-3656 | 2 Drupal, Tim Nelson | 2 Drupal, Shared Sign-on | 2024-02-28 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Shared Sign-On 5.x and 6.x, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users via unknown vectors. | |||||
| CVE-2009-3207 | 2 Drewish, Drupal | 2 Imagecache, Drupal | 2024-02-28 | 6.8 MEDIUM | N/A |
| The ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, when the private file system is used, does not properly perform access control for derivative images, which allows remote attackers to view arbitrary images via a request that specifies an image's filename. | |||||
| CVE-2009-3922 | 2 Chad Phillips, Drupal | 2 Userprotect, Drupal | 2024-02-28 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the User Protect module 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allow remote attackers to hijack the authentication of administrators for requests that (1) delete the editing protection of a user or (2) delete a certain type of administrative-bypass rule. | |||||
| CVE-2008-3661 | 1 Drupal | 1 Drupal | 2024-02-28 | 5.0 MEDIUM | N/A |
| Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | |||||
| CVE-2008-3745 | 1 Drupal | 2 Drupal, Upload Module | 2024-02-28 | 5.5 MEDIUM | N/A |
| The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors. | |||||
| CVE-2009-3920 | 2 Drupal, Sean Robertson | 2 Drupal, Crmngp | 2024-02-28 | 5.0 MEDIUM | N/A |
| An administration page in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal does not perform the expected access control, which allows remote attackers to read log information via unspecified vectors. | |||||
| CVE-2008-6835 | 2 Drupal, Peter Wolanin | 2 Drupal, Openid | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in OpenID 5.x before 5.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2009-0603 | 1 Drupal | 2 Drupal, Link Module | 2024-02-28 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in the Link module 5.x-2.5 for Drupal 5.10 allows remote authenticated users, with "administer content types" privileges, to inject arbitrary web script or HTML via the description parameter (aka the Help field). NOTE: some of these details are obtained from third party information. | |||||
| CVE-2009-4064 | 2 Drupal, Puntolatinoclub | 2 Drupal, Gallery Assist Module | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Gallery Assist module 6.x before 6.x-1.7 for Drupal allows remote attackers to inject arbitrary web script or HTML via node titles. | |||||
| CVE-2009-2077 | 2 Angrydonuts, Drupal | 2 Views, Drupal | 2024-02-28 | 4.0 MEDIUM | N/A |
| Drupal 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to bypass access restrictions and (1) read unpublished content from anonymous users when a view is already configured to display the content, and (2) read private content in generated queries. | |||||
| CVE-2008-1729 | 1 Drupal | 1 Drupal | 2024-02-28 | 5.8 MEDIUM | N/A |
| The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the "access content" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types. | |||||
| CVE-2009-3568 | 3 Dave Reid, Drupal, Gabor Hojtsy | 3 Commentrss, Drupal, Commentrss | 2024-02-28 | 5.0 MEDIUM | N/A |
| Comment RSS 5.x before 5.x-2.2 and 6.x before 6.x-2.2, a module for Drupal, does not properly enforce permissions when a link is added to the RSS feed, which allows remote attackers to obtain the node title and possibly other sensitive content by reading the feed. | |||||
| CVE-2009-1035 | 2 Drupal, Jake Gordon | 2 Drupal, Tasks | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Tasklist module 5.x-1.x before 5.x-1.3 and 5.x-2.x before 5.x-2.0-alpha1, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via Cascading Style Sheets (CSS). | |||||
| CVE-2009-3157 | 2 Drupal, Karen Stevenson | 2 Drupal, Calendar | 2024-02-28 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Calendar module 6.x before 6.x-2.2 for Drupal allows remote authenticated users, with "create new content types" privileges, to inject arbitrary web script or HTML via the title of a content type. | |||||
| CVE-2008-2999 | 1 Drupal | 2 Aggregation Module, Drupal | 2024-02-28 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2009-3488 | 2 Drupal, Ron Jerome | 2 Drupal, Bibliography | 2024-02-28 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Bibliography (aka Biblio) module 6.x-1.6 for Drupal allows remote authenticated users, with certain content-creation privileges, to inject arbitrary web script or HTML via the Title field, probably a different vulnerability than CVE-2009-3479. | |||||
| CVE-2008-3221 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities. | |||||
| CVE-2009-1343 | 1 Drupal | 2 Drupal, Print | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.5 and 6.x before 6.x-1.5, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via content titles. | |||||
| CVE-2008-6532 | 1 Drupal | 1 Drupal | 2024-02-28 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database. | |||||