Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2013-03-19 | CVE-2013-0224 | Configuration vulnerability in Video Project Video | The Video module 7.x-2.x before 7.x-2.9 for Drupal, when using the FFmpeg transcoder, allows local users to execute arbitrary PHP code by modifying a temporary PHP file. | 4.4 |
2013-03-19 | CVE-2013-0207 | Cross-Site Request Forgery (CSRF) vulnerability in Leighton Whiting Mark Complete | Cross-site request forgery (CSRF) vulnerability in the Mark Complete module 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.8 |
2013-03-19 | CVE-2013-0206 | Unspecified vulnerability in GUY Bedford Live CSS | Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the "administer CSS" permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | 6.0 |
2013-01-03 | CVE-2012-5655 | Permissions, Privileges, and Access Controls vulnerability in Steven Jones Context | The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request. | 5.0 |
2013-01-03 | CVE-2012-5654 | Information Exposure vulnerability in Nodewords Project Nodewords | The Nodewords: D6 Meta Tags module before 6.x-1.14 for Drupal, when configured to automatically generate description meta tags from node text, does not properly filter node content when creating tags, which might allow remote attackers to obtain sensitive information by reading the (1) description, (2) dc.description or (3) og:description meta tags. | 4.3 |
2013-01-03 | CVE-2012-5653 | Improper Input Validation vulnerability in multiple products | The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name. | 6.0 |
2013-01-03 | CVE-2012-5652 | Information Exposure vulnerability in Drupal | Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result. | 5.0 |
2013-01-03 | CVE-2012-5651 | Permissions, Privileges, and Access Controls vulnerability in Drupal | Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results. | 5.0 |
2012-12-26 | CVE-2012-5591 | Cross-Site Scripting vulnerability in Catalin Florian Radut Zeropoint | Cross-site scripting (XSS) vulnerability in the Zero Point module 6.x-1.x before 6.x-1.18 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the path aliases. | 4.3 |
2012-12-26 | CVE-2012-5587 | Cross-Site Scripting vulnerability in Epiqo Email | Cross-site scripting (XSS) vulnerability in the Email Field module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the mailto link. | 4.3 |