Vulnerabilities > Drupal > Project Issue Tracking Module
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2008-02-05 | CVE-2008-0577 | Permissions, Privileges, and Access Controls vulnerability in Drupal Project Issue Tracking Module 4.7/5.0 The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote attackers to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote attackers to upload files containing arbitrary web script or HTML. | 6.4 |
2008-02-05 | CVE-2008-0576 | Cross-Site Scripting vulnerability in Drupal Project Issue Tracking Module 4.7/5 Cross-site scripting (XSS) vulnerability in the Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors that write to summary table pages. | 4.3 |
2007-08-20 | CVE-2007-4436 | Permissions, Privileges, and Access Controls vulnerability in Drupal Project and Project Issue Tracking Module The Drupal Project module before 5.x-1.0, 4.7.x-2.3, and 4.7.x-1.3 and Project issue tracking module before 5.x-1.0, 4.7.x-2.4, and 4.7.x-1.4 do not properly enforce permissions, which allows remote attackers to (1) obtain sensitive via the Tracker Module and the Recent posts page; (2) obtain project names via unspecified vectors; (3) obtain sensitive information via the statistics pages; and (4) read CVS project activity. | 5.0 |
2007-01-26 | CVE-2007-0534 | Cross-Site Scripting vulnerability in Project Issue Tracking Module Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project issue tracking 4.7.0 through 5.x before 20070123 and (2) Project 4.6.0 through 5.x before 20070123 modules for Drupal allow remote authenticated users to inject arbitrary web script or HTML via (a) certain "fields on project nodes" or (b) "certain project-specific settings regarding issue tracking." network drupal | 4.3 |
2007-01-26 | CVE-2007-0506 | Multiple vulnerability in Drupal Project and Project Issues Tracking Modules The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests. network drupal | 6.0 |
2007-01-26 | CVE-2007-0505 | Multiple vulnerability in Drupal Project and Project Issues Tracking Modules Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue. network drupal | 8.5 |