National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,053 matching records.
Displaying matches 901 through 920.
Vuln ID Summary CVSS Severity
CVE-2008-4530

Cross-site scripting (XSS) vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote authenticated users with permissions to inject arbitrary web script or HTML via unspecified vectors related to posting of answers.

Published: October 09, 2008; 02:14:15 PM -04:00
    V2: 3.5 LOW
CVE-2008-4338

SQL injection vulnerability in the brilliant_gallery_checklist_save function in the bgchecklist/save script in Brilliant Gallery 5.x and 6.x, a module for Drupal, allows remote authenticated users with "access brilliant_gallery" permissions to execute arbitrary SQL commands via the (1) nid, (2) qid, (3) state, and possibly (4) user parameters.

Published: September 30, 2008; 01:22:09 PM -04:00
    V2: 6.0 MEDIUM
CVE-2008-4153

The Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, does not perform access checks for a node before displaying comments, which allows remote attackers to obtain sensitive information.

Published: September 24, 2008; 01:41:39 AM -04:00
    V2: 5.0 MEDIUM
CVE-2008-4152

Cross-site scripting (XSS) vulnerability in the Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via a node title.

Published: September 24, 2008; 01:41:39 AM -04:00
    V2: 3.5 LOW
CVE-2008-4149

Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.

Published: September 24, 2008; 01:41:38 AM -04:00
    V2: 4.3 MEDIUM
CVE-2008-4148

SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API.

Published: September 24, 2008; 01:41:38 AM -04:00
    V2: 7.5 HIGH
CVE-2008-4147

Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type.

Published: September 24, 2008; 01:41:38 AM -04:00
    V2: 4.3 MEDIUM
CVE-2008-3661

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Published: September 23, 2008; 11:25:42 AM -04:00
    V2: 5.0 MEDIUM
CVE-2008-3740

Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: August 27, 2008; 11:21:00 AM -04:00
    V2: 4.3 MEDIUM
CVE-2008-3741

The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.

Published: August 27, 2008; 11:21:00 AM -04:00
    V2: 3.5 LOW
CVE-2008-3742

Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.

Published: August 27, 2008; 11:21:00 AM -04:00
    V2: 6.5 MEDIUM
CVE-2008-3743

Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements.

Published: August 27, 2008; 11:21:00 AM -04:00
    V2: 5.8 MEDIUM
CVE-2008-3744

Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.

Published: August 27, 2008; 11:21:00 AM -04:00
    V2: 5.8 MEDIUM
CVE-2008-3745

The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors.

Published: August 27, 2008; 11:21:00 AM -04:00
    V2: 5.5 MEDIUM
CVE-2008-3500

Cross-site scripting (XSS) vulnerability in the Suggested Terms module 5.x before 5.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via crafted Taxonomy terms.

Published: August 06, 2008; 02:41:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2008-3218

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2008-3219

The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 5.0 MEDIUM
CVE-2008-3220

Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2008-3221

Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2008-3222

Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 6.8 MEDIUM