Vulnerabilities > Drupal
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2008-01-15 | CVE-2008-0264 | Improper Input Validation vulnerability in Drupal Meta Tags Module Unspecified vulnerability in the Meta Tags (aka Nodewords) 5.x-1.6 module for Drupal, when images are permitted in node bodies, allows remote authenticated users to execute arbitrary code via unspecified vectors involving creation of a node. | 6.8 |
| 2007-12-12 | CVE-2007-6320 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Feature Module 4.7.Xdev/5.Xdev Feature 4.7.x-dev and 5.x-dev before 20071206, a Drupal module, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks. | 4.3 |
| 2007-12-10 | CVE-2007-6299 | Improper Input Validation vulnerability in Drupal Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2) ajaxLoader, and (3) ubrowser contributed modules. | 7.5 |
| 2007-12-10 | CVE-2007-6298 | Cross-Site Scripting vulnerability in Drupal Shoutbox Cross-site scripting (XSS) vulnerability in the Shoutbox module for Drupal 5.x before Shoutbox 5.x-1.1 allows remote authenticated users to inject arbitrary web script or HTML via Shoutbox block messages. | 4.3 |
| 2007-10-22 | CVE-2007-5621 | Cross-Site Scripting vulnerability in Drupal products Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames. | 3.5 |
| 2007-10-19 | CVE-2007-5597 | Permissions, Privileges, and Access Controls vulnerability in Drupal The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions. | 4.3 |
| 2007-10-19 | CVE-2007-5596 | Cross-Site Scripting vulnerability in Drupal The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files. | 4.3 |
| 2007-10-19 | CVE-2007-5595 | Http Response Splitting vulnerability in Drupal CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | 5.1 |
| 2007-10-19 | CVE-2007-5594 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack. | 4.3 |
| 2007-10-19 | CVE-2007-5593 | Code Injection vulnerability in multiple products install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified. | 6.8 |