National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,058 matching records.
Displaying matches 921 through 940.
Vuln ID Summary CVSS Severity
CVE-2008-3218

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2008-3219

The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 5.0 MEDIUM
CVE-2008-3220

Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2008-3221

Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2008-3222

Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2008-3223

SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields."

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 7.5 HIGH
CVE-2008-3091

Cross-site scripting (XSS) vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to inject arbitrary web script or HTML via unspecified vectors.

Published: July 09, 2008; 03:33:00 PM -04:00
    V2: 3.5 LOW
CVE-2008-3092

SQL injection vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to execute arbitrary SQL commands via unspecified vectors.

Published: July 09, 2008; 03:33:00 PM -04:00
    V2: 6.5 MEDIUM
CVE-2008-3094

The Organic Groups (OG) module 5.x before 5.x-7.3 and 6.x before 6.x-1.0-RC1, a module for Drupal, allows remote attackers to obtain sensitive information (private group names) via unspecified vectors.

Published: July 09, 2008; 03:33:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2008-3095

Cross-site scripting (XSS) vulnerability in the Organic Groups (OG) module 5.x before 5.x-7.3 and 6.x before 6.x-1.0-RC1, a module for Drupal, allows remote authenticated users, with group owner permissions, to inject arbitrary web script or HTML via unspecified vectors.

Published: July 09, 2008; 03:33:00 PM -04:00
    V2: 3.5 LOW
CVE-2008-3096

The Outline Designer module 5.x before 5.x-1.4 for Drupal changes each content reader's authentication level to match that of the content author, which might allow remote attackers to gain privileges.

Published: July 09, 2008; 03:33:00 PM -04:00
    V2: 6.5 MEDIUM
CVE-2008-3097

Cross-site scripting (XSS) vulnerability in the Tinytax module (aka Tinytax taxonomy block) 5.x before 5.x-1.10-1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML, probably by creating a crafted taxonomy term.

Published: July 09, 2008; 03:33:00 PM -04:00
    V2: 3.5 LOW
CVE-2008-2998

Multiple cross-site scripting (XSS) vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: July 03, 2008; 02:41:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2008-2999

Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: July 03, 2008; 02:41:00 PM -04:00
    V2: 7.5 HIGH
CVE-2008-3000

The Aggregation module 5.x before 5.x-4.4 for Drupal, when node access modules are used, does not properly implement access control, which allows remote attackers to bypass intended restrictions.

Published: July 03, 2008; 02:41:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2008-3001

The Aggregation module 5.x before 5.x-4.4 for Drupal allows remote attackers to upload files with arbitrary extensions, and possibly execute arbitrary code, via a crafted feed that allows upload of files with arbitrary extensions.

Published: July 03, 2008; 02:41:00 PM -04:00
    V2: 9.3 HIGH
CVE-2008-2849

Cross-site scripting (XSS) vulnerability in the TrailScout module 5.x before 5.x-1.4 for Drupal allows remote authenticated users, with create post permissions, to inject arbitrary web script or HTML via unspecified vectors.

Published: June 25, 2008; 08:36:00 AM -04:00
    V2: 3.5 LOW
CVE-2008-2850

SQL injection vulnerability in the TrailScout module 5.x before 5.x-1.4 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified cookies, related to improper use of the Drupal database API.

Published: June 25, 2008; 08:36:00 AM -04:00
    V2: 7.5 HIGH
CVE-2008-2771

The Node Hierarchy module 5.x before 5.x-1.1 and 6.x before 6.x-1.0 for Drupal does not properly implement access checks, which allows remote attackers with "access content" permissions to bypass restrictions and modify the node hierarchy via unspecified attack vectors.

Published: June 18, 2008; 06:41:00 PM -04:00
    V2: 5.0 MEDIUM
CVE-2008-2772

The Magic Tabs module 5.x before 5.x-1.1 for Drupal allows remote attackers to execute arbitrary PHP code via unspecified URL arguments, possibly related to a missing "whitelist of callbacks."

Published: June 18, 2008; 06:41:00 PM -04:00
    V2: 7.5 HIGH