Drupal
by Drupal
CVEs (203)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-3479 | | | 0.00 | — | 0.01 | | Sep 30, 2009 | Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x before 5.x-1.17 and 6.x before 6.x-1.6, a module for Drupal, allows remote attackers, with "create content displayed by the Bibliography module" permissions, to inject arbitrary web script or HTML via a title. |
| CVE-2009-3352 | | | 0.00 | — | 0.02 | | Sep 24, 2009 | Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors. |
| CVE-2009-3156 | | | 0.00 | — | 0.01 | | Sep 10, 2009 | Cross-site scripting (XSS) vulnerability in the Date Tools sub-module in the Date module 6.x before 6.x-2.3 for Drupal allows remote authenticated users, with "use date tools" or "administer content types" privileges, to inject arbitrary web script or HTML via a "Content type… |
| CVE-2008-6908 | | | 0.00 | — | 0.01 | | Aug 6, 2009 | Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, uses an insecure hash when signing requests, which allows remote attackers to impersonate other users and gain privileges. |
| CVE-2009-2374 | | | 0.00 | — | 0.01 | | Jul 8, 2009 | Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from… |
| CVE-2009-2373 | | | 0.00 | — | 0.02 | | Jul 8, 2009 | Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2009-2372 | | | 0.00 | — | 0.02 | | Jul 8, 2009 | Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via… |
| CVE-2009-1844 | | | 0.00 | — | 0.01 | | Jun 1, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not… |
| CVE-2009-1576 | | | 0.00 | — | 0.02 | | May 6, 2009 | Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data… |
| CVE-2009-1575 | | | 0.00 | — | 0.02 | | May 6, 2009 | Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7… |
| CVE-2008-6533 | | | 0.00 | — | 0.02 | | Mar 26, 2009 | Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. |
| CVE-2008-6532 | | | 0.00 | — | 0.01 | | Mar 26, 2009 | Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old… |
| CVE-2009-1047 | | | 0.00 | — | 0.01 | | Mar 23, 2009 | Cross-site scripting (XSS) vulnerability in the Send by e-mail module in the "Printer, e-mail and PDF versions" module 5.x before 5.x-4.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via vectors involving outbound… |
| CVE-2008-6171 | | | 0.00 | — | 0.04 | | Feb 19, 2009 | includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header. |
| CVE-2008-6170 | | | 0.00 | — | 0.02 | | Feb 19, 2009 | Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title. |
| CVE-2008-4793 | | | 0.00 | — | 0.02 | | Oct 29, 2008 | The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules. |
| CVE-2008-4792 | | | 0.00 | — | 0.01 | | Oct 29, 2008 | The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values. |
| CVE-2008-4791 | | | 0.00 | — | 0.02 | | Oct 29, 2008 | The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors. |
| CVE-2008-4790 | | | 0.00 | — | 0.01 | | Oct 29, 2008 | The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors. |
| CVE-2008-4789 | | | 0.00 | — | 0.01 | | Oct 29, 2008 | The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error." |
Page 7 of 11