National Vulnerability Database

Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,080 matching records.
Displaying matches 1021 through 1040.
Vuln ID / Summary / CVSS Severity
CVE-2006-7109

Unrestricted file upload vulnerability in IMCE before 1.6, a Drupal module, allows remote authenticated users to upload arbitrary PHP code via a filename with a double extension such as .php.gif.

Published: March 05, 2007; 03:19:00 PM -05:00
    V2: 6.5 MEDIUM
CVE-2006-7110

Directory traversal vulnerability in the delete function in IMCE before 1.6, a Drupal module, allows remote authenticated users to delete arbitrary files via ".." sequences.

Published: March 05, 2007; 03:19:00 PM -05:00
    V2: 5.5 MEDIUM
CVE-2007-1028

Cross-site scripting (XSS) vulnerability in the Barry Jaspan Image Pager 4.7.x-1.x-dev and 5.x-1.x-dev before 2007-02-08 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to HTML entities and the IMG element.

Published: February 21, 2007; 06:28:00 AM -05:00
    V2: 6.8 MEDIUM
CVE-2007-1033

Unspecified vulnerability in the Secure site 4.7.x-1.x-dev and 5.x-1.x-dev module for Drupal allows remote attackers to bypass access restrictions via a crafted URL.

Published: February 21, 2007; 06:28:00 AM -05:00
    V2: 7.5 HIGH
CVE-2007-1035

Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .mp3 files via unknown vectors.

Published: February 21, 2007; 06:28:00 AM -05:00
    V2: 7.5 HIGH
CVE-2007-0841

Multiple unspecified vulnerabilities in vbDrupal before 4.7.6.0 have unknown impact and remote attack vectors. NOTE: the vector related to Drupal is covered by CVE-2007-0626. These vulnerabilities might be associated with other CVE identifiers.

Published: February 07, 2007; 09:28:00 PM -05:00
    V2: 10.0 HIGH
CVE-2007-0658

The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal and the (2) Captcha 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal allow remote attackers to bypass the CAPTCHA test via an empty captcha element in $_SESSION.

Published: February 01, 2007; 05:28:00 PM -05:00
    V2: 5.0 MEDIUM
CVE-2007-0626

The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."

Published: January 31, 2007; 01:28:00 PM -05:00
    V2: 7.6 HIGH
CVE-2007-0534

Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project issue tracking 4.7.0 through 5.x before 20070123 and (2) Project 4.6.0 through 5.x before 20070123 modules for Drupal allow remote authenticated users to inject arbitrary web script or HTML via (a) certain "fields on project nodes" or (b) "certain project-specific settings regarding issue tracking."

Published: January 25, 2007; 08:28:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2007-0505

Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue.

Published: January 25, 2007; 07:28:00 PM -05:00
    V2: 8.5 HIGH
CVE-2007-0506

The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests.

Published: January 25, 2007; 07:28:00 PM -05:00
    V2: 6.0 MEDIUM
CVE-2007-0507

SQL injection vulnerability in the Acidfree module for Drupal before 4.6.x-1.0, and before 4.7.x-1.0 in the 4.7 series, allows remote authenticated users with "create acidfree albums" privileges to execute arbitrary SQL commands via node titles.

Published: January 25, 2007; 07:28:00 PM -05:00
    V2: 6.0 MEDIUM
CVE-2007-0136

Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information.

Published: January 09, 2007; 06:28:00 AM -05:00
    V2: 6.8 MEDIUM
CVE-2007-0124

Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist.

Published: January 08, 2007; 09:28:00 PM -05:00
    V2: 3.5 LOW
CVE-2006-6646

Multiple cross-site scripting (XSS) vulnerabilities in Drupal (1) Project Issue Tracking 4.7.x-1.0 and 4.7.x-2.0, and (2) Project 4.6.x-1.0, 4.7.x-1.0, and 4.7.x-2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, which do not use the check_plain function.

Published: December 19, 2006; 09:28:00 PM -05:00
    V2: 6.8 MEDIUM
CVE-2006-6647

Cross-site scripting (XSS) vulnerability in the MySite 4.7.x before 4.7.x-3.3 and 5.x before 5.x-1.3 module for Drupal allows remote attackers to inject arbitrary web script or HTML via the Title field when editing a page. NOTE: some details were obtained from third party information.

Published: December 19, 2006; 09:28:00 PM -05:00
    V2: 6.8 MEDIUM
CVE-2006-6528

The Chatroom Module before 4.7.x.-1.0 for Drupal broadcasts Chatroom visitors' session IDs to all participants, which allows remote attackers to hijack sessions and gain privileges.

Published: December 13, 2006; 08:28:00 PM -05:00
    V2: 7.5 HIGH
CVE-2006-6529

The Chatroom Module before 4.7.x.-1.0 for Drupal displays private messages in a chatroom's last messages overview, which allows remote attackers to obtain sensitive information by reading the overview.

Published: December 13, 2006; 08:28:00 PM -05:00
    V2: 7.5 HIGH
CVE-2006-6530

SQL injection vulnerability in the Help Tip module before 4.7.x-1.0 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: December 13, 2006; 08:28:00 PM -05:00
    V2: 7.5 HIGH
CVE-2006-6531

Cross-site scripting (XSS) vulnerability in the Help Tip module before 4.7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML, and possibly obtain administrative access, via node titles.

Published: December 13, 2006; 08:28:00 PM -05:00
    V2: 6.8 MEDIUM