Vulnerabilities > Drupal > Drupal > 4.7.7
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-02-11 | CVE-2020-13672 | Cross-site Scripting vulnerability in Drupal Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. | 2.6 |
2018-03-29 | CVE-2018-7600 | Improper Input Validation vulnerability in multiple products Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. | 7.5 |
2012-05-21 | CVE-2012-2922 | Information Exposure vulnerability in Drupal The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. | 5.0 |
2009-07-08 | CVE-2009-2374 | Credentials Management vulnerability in Drupal Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache. | 5.0 |
2009-07-08 | CVE-2009-2372 | Code Injection vulnerability in Drupal Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature. | 6.5 |
2008-10-29 | CVE-2008-4793 | Permissions, Privileges, and Access Controls vulnerability in Drupal The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules. | 7.5 |
2008-10-29 | CVE-2008-4790 | Permissions, Privileges, and Access Controls vulnerability in Drupal The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors. | 6.0 |
2008-10-29 | CVE-2008-4789 | Permissions, Privileges, and Access Controls vulnerability in Drupal The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error." | 6.0 |
2008-03-04 | CVE-2008-1133 | Cross-Site Scripting vulnerability in Drupal The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks. | 4.3 |
2008-01-15 | CVE-2008-0276 | Cross-Site Scripting vulnerability in Drupal Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table. | 4.3 |