Vulnerabilities > Drupal > Drupal > 5.14
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2009-09-24 | CVE-2009-3352 | Unspecified vulnerability in Drupal Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors. | 10.0 |
2009-07-08 | CVE-2009-2374 | Credentials Management vulnerability in Drupal Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache. | 5.0 |
2009-07-08 | CVE-2009-2373 | Cross-Site Scripting vulnerability in Drupal Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-07-08 | CVE-2009-2372 | Code Injection vulnerability in Drupal Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature. | 6.5 |
2009-06-01 | CVE-2009-1844 | Cross-Site Scripting vulnerability in Drupal Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. | 3.5 |
2009-05-06 | CVE-2009-1576 | Unspecified vulnerability in Drupal Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. network drupal | 4.3 |
2009-05-06 | CVE-2009-1575 | Cross-Site Scripting vulnerability in Drupal Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7. | 4.3 |
2008-10-29 | CVE-2008-4789 | Permissions, Privileges, and Access Controls vulnerability in Drupal The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error." | 6.0 |
2008-03-04 | CVE-2008-1133 | Cross-Site Scripting vulnerability in Drupal The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks. | 4.3 |