National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,050 matching records.
Displaying matches 901 through 920.
Vuln ID Summary CVSS Severity
CVE-2008-4152

Cross-site scripting (XSS) vulnerability in the Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via a node title.

Published: September 24, 2008; 01:41:39 AM -04:00
V2: 3.5 LOW
CVE-2008-4149

Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.

Published: September 24, 2008; 01:41:38 AM -04:00
V2: 4.3 MEDIUM
CVE-2008-4148

SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API.

Published: September 24, 2008; 01:41:38 AM -04:00
V2: 7.5 HIGH
CVE-2008-4147

Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type.

Published: September 24, 2008; 01:41:38 AM -04:00
V2: 4.3 MEDIUM
CVE-2008-3661

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Published: September 23, 2008; 11:25:42 AM -04:00
V2: 5.0 MEDIUM
CVE-2008-3740

Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: August 27, 2008; 11:21:00 AM -04:00
V2: 4.3 MEDIUM
CVE-2008-3741

The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.

Published: August 27, 2008; 11:21:00 AM -04:00
V2: 3.5 LOW
CVE-2008-3742

Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.

Published: August 27, 2008; 11:21:00 AM -04:00
V2: 6.5 MEDIUM
CVE-2008-3743

Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements.

Published: August 27, 2008; 11:21:00 AM -04:00
V2: 5.8 MEDIUM
CVE-2008-3744

Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.

Published: August 27, 2008; 11:21:00 AM -04:00
V2: 5.8 MEDIUM
CVE-2008-3745

The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors.

Published: August 27, 2008; 11:21:00 AM -04:00
V2: 5.5 MEDIUM
CVE-2008-3500

Cross-site scripting (XSS) vulnerability in the Suggested Terms module 5.x before 5.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via crafted Taxonomy terms.

Published: August 06, 2008; 02:41:00 PM -04:00
V2: 4.3 MEDIUM
CVE-2008-3218

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.

Published: July 18, 2008; 12:41:00 PM -04:00
V2: 4.3 MEDIUM
CVE-2008-3219

The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.

Published: July 18, 2008; 12:41:00 PM -04:00
V2: 5.0 MEDIUM
CVE-2008-3220

Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."

Published: July 18, 2008; 12:41:00 PM -04:00
V2: 6.8 MEDIUM
CVE-2008-3221

Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.

Published: July 18, 2008; 12:41:00 PM -04:00
V2: 4.3 MEDIUM
CVE-2008-3222

Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.

Published: July 18, 2008; 12:41:00 PM -04:00
V2: 6.8 MEDIUM
CVE-2008-3223

SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields."

Published: July 18, 2008; 12:41:00 PM -04:00
V2: 7.5 HIGH
CVE-2008-3091

Cross-site scripting (XSS) vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to inject arbitrary web script or HTML via unspecified vectors.

Published: July 09, 2008; 03:33:00 PM -04:00
V2: 3.5 LOW
CVE-2008-3092

SQL injection vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to execute arbitrary SQL commands via unspecified vectors.

Published: July 09, 2008; 03:33:00 PM -04:00
V2: 6.5 MEDIUM