Filtered by vendor Drupal
Total: 834 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2007-5595 | 1 Drupal | 1 Drupal | 2024-02-28 | 5.1 MEDIUM | N/A |
CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | |||||
CVE-2008-1131 | 1 Drupal | 1 Drupal | 2024-02-28 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote authenticated users to inject arbitrary web script or HTML via titles in content edit forms. | |||||
CVE-2007-0507 | 1 Drupal | 1 Acidfree | 2024-02-28 | 6.0 MEDIUM | N/A |
SQL injection vulnerability in the Acidfree module for Drupal before 4.6.x-1.0, and before 4.7.x-1.0 in the 4.7 series, allows remote authenticated users with "create acidfree albums" privileges to execute arbitrary SQL commands via node titles. | |||||
CVE-2006-5476 | 1 Drupal | 1 Drupal | 2024-02-28 | 7.5 HIGH | N/A |
Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors. | |||||
CVE-2007-0505 | 1 Drupal | 2 Project, Project Issue Tracking Module | 2024-02-28 | 8.5 HIGH | N/A |
Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue. | |||||
CVE-2008-0271 | 1 Drupal | 1 Bueditor | 2024-02-28 | 4.3 MEDIUM | N/A |
The editor deletion form in BUEditor 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.1, a module for Drupal, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete custom editor interfaces. | |||||
CVE-2008-0570 | 1 Drupal | 1 Openid | 2024-02-28 | 5.0 MEDIUM | N/A |
The OpenID 5.x-1.0 and earlier module for Drupal does not properly verify the claimed_id returned by an OpenID provider, which allows remote OpenID providers to spoof OpenID authentication for domains associated with other providers. | |||||
CVE-2007-4436 | 1 Drupal | 2 Project, Project Issue Tracking Module | 2024-02-28 | 5.0 MEDIUM | N/A |
The Drupal Project module before 5.x-1.0, 4.7.x-2.3, and 4.7.x-1.3 and Project issue tracking module before 5.x-1.0, 4.7.x-2.4, and 4.7.x-1.4 do not properly enforce permissions, which allows remote attackers to (1) obtain sensitive via the Tracker Module and the Recent posts page; (2) obtain project names via unspecified vectors; (3) obtain sensitive information via the statistics pages; and (4) read CVS project activity. | |||||
CVE-2008-0275 | 1 Drupal | 1 Atom Module | 2024-02-28 | 5.0 MEDIUM | N/A |
The Atom 4.7 before 4.7.x-1.0 and 5.x before 5.x-1.0 module for Drupal does not properly manage permissions for node (1) titles, (2) teasers, and (3) bodies, which might allow remote attackers to gain access to syndicated content. | |||||
CVE-2006-6646 | 1 Drupal | 2 Drupal Project, Drupal Project Issue Tracking | 2024-02-28 | 6.8 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Drupal (1) Project Issue Tracking 4.7.x-1.0 and 4.7.x-2.0, and (2) Project 4.6.x-1.0, 4.7.x-1.0, and 4.7.x-2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, which do not use the check_plain function. | |||||
CVE-2008-0463 | 1 Drupal | 1 Workflow | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties. | |||||
CVE-2007-6299 | 1 Drupal | 1 Drupal | 2024-02-28 | 7.5 HIGH | N/A |
Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2) ajaxLoader, and (3) ubrowser contributed modules. | |||||
CVE-2006-6386 | 1 Drupal | 1 Cvs Management And Tracker | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the CVS management/tracker 4.7.x-1.0, 4.7.x-2.0, and 4.7.0 (before the 20060807 contribution release system) for Drupal allows remote attackers to inject arbitrary web script or HTML via the motivation field in the CVS application page, which is not passed through check_markup on display. | |||||
CVE-2008-0823 | 1 Drupal | 1 Header Image | 2024-02-28 | 10.0 HIGH | N/A |
Unspecified vulnerability in the Header Image Module before 5.x-1.1 for Drupal allows remote attackers to access the administration pages via unknown attack vectors. | |||||
CVE-2007-1033 | 1 Drupal | 1 Secure Site Module | 2024-02-28 | 7.5 HIGH | N/A |
Unspecified vulnerability in the Secure site 4.7.x-1.x-dev and 5.x-1.x-dev module for Drupal allows remote attackers to bypass access restrictions via a crafted URL. | |||||
CVE-2007-0124 | 1 Drupal | 1 Drupal | 2024-02-28 | 3.5 LOW | N/A |
Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist. | |||||
CVE-2006-7109 | 1 Drupal | 1 Imce Module | 2024-02-28 | 6.5 MEDIUM | N/A |
Unrestricted file upload vulnerability in IMCE before 1.6, a Drupal module, allows remote authenticated users to upload arbitrary PHP code via a filename with a double extension such as .php.gif. | |||||
CVE-2007-4063 | 1 Drupal | 1 Drupal | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments, (2) delete content revisions, and (3) disable menu items as privileged users, related to improper use of HTTP GET and the Forms API. | |||||
CVE-2007-0534 | 1 Drupal | 2 Project, Project Issue Tracking Module | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project issue tracking 4.7.0 through 5.x before 20070123 and (2) Project 4.6.0 through 5.x before 20070123 modules for Drupal allow remote authenticated users to inject arbitrary web script or HTML via (a) certain "fields on project nodes" or (b) "certain project-specific settings regarding issue tracking." | |||||
CVE-2006-4821 | 1 Drupal | 1 Drupal Userreview Module | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Userreview module before 1.19 2006/09/12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |