National Vulnerability Database

Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Drupal
  • Search Type: Search All
There are 1,053 matching records.
Displaying matches 981 through 1000.
Vuln ID Summary CVSS Severity
CVE-2007-5228

Cross-site scripting (XSS) vulnerability in the subscription functionality in the Project issue tracking module before 4.7.x-1.5, 4.7.x-2.x before 4.7.x-2.5, and 5.x-1.x before 5.x-1.1 for Drupal allows remote authenticated users with project create or edit permissions to inject arbitrary web script or HTML via unspecified vectors involving a (1) individual or (2) overview form.

Published: October 05, 2007; 07:17:00 PM -04:00
    V2: 3.5 LOW
CVE-2007-4436

The Drupal Project module before 5.x-1.0, 4.7.x-2.3, and 4.7.x-1.3 and Project issue tracking module before 5.x-1.0, 4.7.x-2.4, and 4.7.x-1.4 do not properly enforce permissions, which allows remote attackers to (1) obtain sensitive information via the Tracker Module and the Recent posts page; (2) obtain project names via unspecified vectors; (3) obtain sensitive information via the statistics pages; and (4) read CVS project activity.

Published: August 20, 2007; 06:17:00 PM -04:00
    V2: 5.0 MEDIUM
CVE-2007-4363

Multiple cross-site scripting (XSS) vulnerabilities in the nodereference module in Drupal Content Construction Kit (CCK) before 4.7.x-1.6, and 5.x before 5.x-1.6, allow remote attackers to inject arbitrary web script or HTML via nodereference fields, when using (1) the plain formatter or (2) the autocomplete text field widget without Views.module.

Published: August 15, 2007; 03:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-4063

Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments, (2) delete content revisions, and (3) disable menu items as privileged users, related to improper use of HTTP GET and the Forms API.

Published: July 30, 2007; 01:30:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-4064

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers to inject arbitrary web script or HTML via "some server variables," including PHP_SELF; and (2) allow remote authenticated administrators to inject arbitrary web script or HTML via custom content type names.

Published: July 30, 2007; 01:30:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3817

Cross-site scripting (XSS) vulnerability in the LoginToboggan module 4.7.x-1.0, 4.7.x-1.x-dev, and 5.x-1.x-dev before 20070712 for Drupal, when configured to display a "Log out" link, allows remote attackers to inject arbitrary web script or HTML via a crafted username. NOTE: Drupal sanitizes the username by removing certain characters, so this might not be a vulnerability on default installations.

Published: July 16, 2007; 09:30:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3818

Cross-site scripting (XSS) vulnerability in the LoginToboggan module 5.x-1.x-dev before 20070712 for Drupal allows remote authenticated users with "administer blocks" permission to inject arbitrary JavaScript and gain privileges via "the message displayed above the default user login block."

Published: July 16, 2007; 09:30:00 PM -04:00
    V2: 3.5 LOW
CVE-2007-3689

The Print module before 4.7-1.0 and 5.x before 5.x-1.2 for Drupal allows remote attackers to read restricted posts in (1) Organic Groups, (2) Taxonomy Access Control, (3) Taxonomy Access Lite, and other unspecified node access modules, via modified URL arguments.

Published: July 11, 2007; 01:30:00 PM -04:00
    V2: 7.8 HIGH
CVE-2007-3690

The Forward module before 4.7-1.1 and 5.x before 5.x-1.0 for Drupal allows remote attackers to read restricted posts in (1) Organic Groups, (2) Taxonomy Access Control, (3) Taxonomy Access Lite, and other unspecified node access modules, via modified URL arguments.

Published: July 11, 2007; 01:30:00 PM -04:00
    V2: 7.8 HIGH
CVE-2007-2159

Multiple cross-site scripting (XSS) vulnerabilities in the Database Administration (dba) module 4.6.x-*, and before 4.7.x-1.2 in the 4.7.x-1.* series, for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors relating to (1) direct display of data from the database and (2) other portions of the user interface.

Published: April 22, 2007; 03:19:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-2160

Multiple cross-site request forgery (CSRF) vulnerabilities in the Database Administration (dba) module 4.6.x-*, and before 4.7.x-1.2 in the 4.7.x-1.* series, for Drupal allow remote attackers to perform unauthorized actions as an arbitrary user, a related issue to CVE-2006-5476.

Published: April 22, 2007; 03:19:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-1368

The Project issue tracking module before 4.7.x-1.3, 4.7.x-2.* before 4.7.x-2.3, and 5 before 5.x-0.2-beta for Drupal allows remote authenticated users, with "access project issues" permission, to read the contents of a private node via a URL with a modified node identifier.

Published: March 09, 2007; 05:19:00 PM -05:00
    V2: 3.5 LOW
CVE-2007-1360

Unspecified vulnerability in the Nodefamily module for Drupal 5.x before 5.x-1.0 allows remote authenticated users to access and modify other users' profiles via unspecified URL parameters.

Published: March 08, 2007; 05:19:00 PM -05:00
    V2: 6.0 MEDIUM
CVE-2006-7109

Unrestricted file upload vulnerability in IMCE before 1.6, a Drupal module, allows remote authenticated users to upload arbitrary PHP code via a filename with a double extension such as .php.gif.

Published: March 05, 2007; 03:19:00 PM -05:00
    V2: 6.5 MEDIUM
CVE-2006-7110

Directory traversal vulnerability in the delete function in IMCE before 1.6, a Drupal module, allows remote authenticated users to delete arbitrary files via ".." sequences.

Published: March 05, 2007; 03:19:00 PM -05:00
    V2: 5.5 MEDIUM
CVE-2007-1028

Cross-site scripting (XSS) vulnerability in the Barry Jaspan Image Pager 4.7.x-1.x-dev and 5.x-1.x-dev before 2007-02-08 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to HTML entities and the IMG element.

Published: February 21, 2007; 06:28:00 AM -05:00
    V2: 6.8 MEDIUM
CVE-2007-1033

Unspecified vulnerability in the Secure site 4.7.x-1.x-dev and 5.x-1.x-dev module for Drupal allows remote attackers to bypass access restrictions via a crafted URL.

Published: February 21, 2007; 06:28:00 AM -05:00
    V2: 7.5 HIGH
CVE-2007-1035

Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .mp3 files via unknown vectors.

Published: February 21, 2007; 06:28:00 AM -05:00
    V2: 7.5 HIGH
CVE-2007-0841

Multiple unspecified vulnerabilities in vbDrupal before 4.7.6.0 have unknown impact and remote attack vectors. NOTE: the vector related to Drupal is covered by CVE-2007-0626. These vulnerabilities might be associated with other CVE identifiers.

Published: February 07, 2007; 09:28:00 PM -05:00
    V2: 10.0 HIGH
CVE-2007-0658

The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal and the (2) Captcha 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal allow remote attackers to bypass the CAPTCHA test via an empty captcha element in $_SESSION.

Published: February 01, 2007; 05:28:00 PM -05:00
    V2: 5.0 MEDIUM