National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,050 matching records.
Displaying matches 1001 through 1020.
Vuln ID Summary CVSS Severity
CVE-2007-0506

The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests.

Published: January 25, 2007; 07:28:00 PM -05:00
V2: 6.0 MEDIUM
CVE-2007-0507

SQL injection vulnerability in the Acidfree module for Drupal before 4.6.x-1.0, and before 4.7.x-1.0 in the 4.7 series, allows remote authenticated users with "create acidfree albums" privileges to execute arbitrary SQL commands via node titles.

Published: January 25, 2007; 07:28:00 PM -05:00
V2: 6.0 MEDIUM
CVE-2007-0136

Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information.

Published: January 09, 2007; 06:28:00 AM -05:00
V2: 6.8 MEDIUM
CVE-2007-0124

Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist.

Published: January 08, 2007; 09:28:00 PM -05:00
V2: 3.5 LOW
CVE-2006-6646

Multiple cross-site scripting (XSS) vulnerabilities in Drupal (1) Project Issue Tracking 4.7.x-1.0 and 4.7.x-2.0, and (2) Project 4.6.x-1.0, 4.7.x-1.0, and 4.7.x-2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, which do not use the check_plain function.

Published: December 19, 2006; 09:28:00 PM -05:00
V2: 6.8 MEDIUM
CVE-2006-6647

Cross-site scripting (XSS) vulnerability in the MySite 4.7.x before 4.7.x-3.3 and 5.x before 5.x-1.3 module for Drupal allows remote attackers to inject arbitrary web script or HTML via the Title field when editing a page. NOTE: some details were obtained from third party information.

Published: December 19, 2006; 09:28:00 PM -05:00
V2: 6.8 MEDIUM
CVE-2006-6528

The Chatroom Module before 4.7.x.-1.0 for Drupal broadcasts Chatroom visitors' session IDs to all participants, which allows remote attackers to hijack sessions and gain privileges.

Published: December 13, 2006; 08:28:00 PM -05:00
V2: 7.5 HIGH
CVE-2006-6529

The Chatroom Module before 4.7.x.-1.0 for Drupal displays private messages in a chatroom's last messages overview, which allows remote attackers to obtain sensitive information by reading the overview.

Published: December 13, 2006; 08:28:00 PM -05:00
V2: 7.5 HIGH
CVE-2006-6530

SQL injection vulnerability in the Help Tip module before 4.7.x-1.0 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: December 13, 2006; 08:28:00 PM -05:00
V2: 7.5 HIGH
CVE-2006-6531

Cross-site scripting (XSS) vulnerability in the Help Tip module before 4.7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML, and possibly obtain administrative access, via node titles.

Published: December 13, 2006; 08:28:00 PM -05:00
V2: 6.8 MEDIUM
CVE-2006-6386

Cross-site scripting (XSS) vulnerability in the CVS management/tracker 4.7.x-1.0, 4.7.x-2.0, and 4.7.0 (before the 20060807 contribution release system) for Drupal allows remote attackers to inject arbitrary web script or HTML via the motivation field in the CVS application page, which is not passed through check_markup on display.

Published: December 07, 2006; 08:28:00 PM -05:00
V2: 6.8 MEDIUM
CVE-2006-5608

SQL injection vulnerability in Extended Tracker (xtracker) 4.7 before 1.5.2.1 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "parameters from URLs."

Published: October 30, 2006; 06:07:00 PM -05:00
V2: 7.5 HIGH
CVE-2006-5475

Multiple cross-site scripting (XSS) vulnerabilities in the XML parser in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allow remote attackers to inject arbitrary web script or HTML via a crafted RSS feed.

Published: October 24, 2006; 04:07:00 PM -04:00
V2: 6.8 MEDIUM
CVE-2006-5476

Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors.

Published: October 24, 2006; 04:07:00 PM -04:00
V2: 7.5 HIGH
CVE-2006-5477

Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows form submissions to be redirected, which allows remote attackers to obtain arbitrary form information via a crafted URL.

Published: October 24, 2006; 04:07:00 PM -04:00
V2: 2.6 LOW
CVE-2006-4947

Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Search Keywords module before 1.15 2006/09/15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "lack of validation on output."

Published: September 22, 2006; 09:07:00 PM -04:00
V2: 6.8 MEDIUM
CVE-2006-4949

Cross-site scripting (XSS) vulnerability in the Drupal 4.6 Site Profile Directory (profile_pages.module) before 1.1.2.1 and the Drupal 4.7 Site Profile Directory (profile_pages.module) before 1.2.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "lack of validation on output," possibly in the name and title parameters.

Published: September 22, 2006; 09:07:00 PM -04:00
V2: 4.3 MEDIUM
CVE-2006-4821

Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Userreview module before 1.19 2006/09/12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: September 15, 2006; 06:07:00 PM -04:00
V2: 4.3 MEDIUM
CVE-2006-4717

The login redirection mechanism in the Drupal 4.7 Pubcookie module before 1.2.2.4 2006/09/06 and the Drupal 4.6 Pubcookie module before 1.6.2.1 2006/09/07 allows remote attackers to bypass authentication requirements and spoof identities of arbitrary users via unspecified vectors.

Published: September 12, 2006; 12:07:00 PM -04:00
V2: 7.5 HIGH
CVE-2006-4646

Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Pathauto module before pathauto_node.inc 1.17.2.1 and the Drupal 4.6 Pathauto module before pathauto_node.inc 1.14.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: September 08, 2006; 05:04:00 PM -04:00
V2: 6.8 MEDIUM