Search Results (Refine Search)
- CPE Product Version: cpe:/a:drupal:drupal:5.8
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2020-13672 |
Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. Published: February 11, 2022; 11:15:08 AM -0500 |
V3.1: 6.1 MEDIUM V2.0: 2.6 LOW |
CVE-2010-2473 |
Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. Published: November 07, 2019; 2:15:12 PM -0500 |
V3.1: 6.5 MEDIUM V2.0: 3.5 LOW |
CVE-2010-2472 |
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. Published: November 07, 2019; 2:15:12 PM -0500 |
V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2010-2250 |
Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. Published: November 07, 2019; 1:15:11 PM -0500 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2010-2471 |
Drupal versions 5.x and 6.x has open redirection Published: November 06, 2019; 1:15:10 PM -0500 |
V3.1: 6.1 MEDIUM V2.0: 5.8 MEDIUM |
CVE-2018-7600 |
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. Published: March 29, 2018; 3:29:00 AM -0400 |
V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2012-2922 |
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. Published: May 21, 2012; 6:55:01 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2007-6752 |
Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off. Published: March 28, 2012; 6:54:59 AM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2010-3093 |
The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue. Published: September 21, 2010; 4:00:02 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2010-3092 |
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name. Published: September 21, 2010; 4:00:02 PM -0400 |
V3.x:(not available) V2.0: 5.5 MEDIUM |
CVE-2009-4369 |
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name. Published: December 21, 2009; 11:30:00 AM -0500 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2009-3352 |
Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors. Published: September 24, 2009; 12:30:01 PM -0400 |
V3.x:(not available) V2.0: 10.0 HIGH |
CVE-2009-2374 |
Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache. Published: July 08, 2009; 11:30:01 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2009-2373 |
Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: July 08, 2009; 11:30:01 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2009-1844 |
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575. Published: June 01, 2009; 10:30:00 AM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2009-1575 |
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7. Published: May 06, 2009; 1:30:09 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2008-6533 |
Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. Published: March 26, 2009; 5:00:00 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2008-6532 |
Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database. Published: March 26, 2009; 5:00:00 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2008-6171 |
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header. Published: February 19, 2009; 10:30:00 AM -0500 |
V3.x:(not available) V2.0: 9.3 HIGH |
CVE-2008-6170 |
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title. Published: February 19, 2009; 10:30:00 AM -0500 |
V3.x:(not available) V2.0: 3.5 LOW |