Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2013-10-28 | CVE-2012-0825 | Information Exposure vulnerability in Drupal: Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. | 6.8 |
2013-10-09 | CVE-2013-4379 | Permissions, Privileges, and Access Controls vulnerability in Sebastien Corbin Make Meeting Scheduler Module: The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to bypass intended access restrictions for a poll via a direct request to the node's URL instead of the hashed URL. | 6.4 |
2013-10-09 | CVE-2013-4384 | Cross-Site Scripting vulnerability in Google Site Search Project Google Site Search Module: Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google API. | 4.3 |
2013-09-30 | CVE-2013-5965 | Permissions, Privileges, and Access Controls vulnerability in Adcisolutions Node View Permissions 7.X1.0/7.X1.1: The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the hook_query_alter function, which might allow remote attackers to obtain sensitive information by reading a node listing. | 5.0 |
2013-09-25 | CVE-2013-5938 | Cross-Site Scripting vulnerability in Click2Sell Suite Module 6.X1.0: Cross-site scripting (XSS) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a confirmation form. | 4.3 |
2013-09-25 | CVE-2013-5937 | Cross-Site Request Forgery (CSRF) vulnerability in Click2Sell Suite Module 6.X1.0: Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete database information via vectors involving the Drupal Form API. | 6.8 |
2013-08-28 | CVE-2013-4272 | Information Exposure vulnerability in Botcha Spam Prevention Project Botcha: The BOTCHA Spam Prevention module 7.x-1.x before 7.x-1.6, 7.x-2.x before 7.x-2.1, and 7.x-3.x before 7.x-3.3 for Drupal, when the debugging level is set to 5 or 6, logs the content of submitted forms, which allows context-dependent users to obtain sensitive information such as usernames and passwords by reading the log file. | 4.3 |
2013-08-28 | CVE-2013-4139 | Unspecified vulnerability in Stage File Proxy Project Stage File Proxy: The Stage File Proxy module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to cause a denial of service (file operations performance degradation and failure) via a large number of requests. | 5.0 |
2013-08-28 | CVE-2013-2197 | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Login Security Project Login Security: The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal, when using the login delay option, allows remote attackers to cause a denial of service (CPU consumption) via a large number of failed login attempts. | 4.3 |
2013-08-28 | CVE-2013-2123 | Permissions, Privileges, and Access Controls vulnerability in Node Access User Reference Project Nodeaccess Userreference Module: The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to content containing a user reference field when the author update/delete grants are enabled and the author's user account is deleted, which allows remote attackers to modify the content via unspecified vectors. | 5.8 |