Drupal vulnerabilities (medium risk)

Each record gives the date, CVE and risk score, then the title and description, followed by the attack vector, attack complexity, vendor/product tags and CWE where the source lists them.

2012-12-26  CVE-2012-5584  Risk: 4.3
Permissions, Privileges, and Access Controls vulnerability in M2Osw Table of Contents
The Table of Contents module 6.x-3.x before 6.x-3.8 for Drupal does not properly check node permissions, which allows remote attackers to read a node's section headings by accessing a table of contents block, even when they are not permitted to view the node itself.
Attack vector: network. Vendor/product: m2osw, drupal. CWE-264.

2012-12-03  CVE-2012-6065  Risk: 4.6
Arbitrary PHP Code Execution vulnerability in Drupal OM Maximenu Module
The OM Maximenu module 6.x-1.43 and earlier for Drupal, when the "Title has PHP" option is enabled, allows remote authenticated users with the "Administer OM Maximenu" permission to execute arbitrary PHP code via a "Link Title", a different vulnerability than CVE-2012-5553.
Attack vector: network. Attack complexity: high. Vendor/product: daniel-honrade, drupal.

2012-12-03  CVE-2012-5556  Risk: 6.8
Cross-Site Request Forgery (CSRF) vulnerability in RESTful Web Services (RESTWS)
Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors.

2012-12-03  CVE-2012-5554  Risk: 5.0
Information Exposure vulnerability in Coleman Watts Webform CiviCRM 7.x-3.0/7.x-3.1/7.x-3.x
The default configuration of the Webform CiviCRM Integration module 7.x-3.x before 7.x-3.2 for Drupal has "Enforce Permissions" disabled, which allows remote attackers to obtain contact information by reading webforms.
Attack vector: network. Attack complexity: low. Vendor/product: coleman-watts, drupal. CWE-200.

2012-12-03  CVE-2012-5552  Risk: 5.0
Information Exposure vulnerability in Erikwebb Password Policy
The Password Policy module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.3 for Drupal sends previous password hashes to the browser for client-side password history checks, which allows remote attackers to obtain those hashes by sniffing the network.
Attack vector: network. Attack complexity: low. Vendor/product: erikwebb, drupal. CWE-200.

2012-12-03  CVE-2012-5551  Risk: 4.3
Cross-Site Scripting vulnerability in ThinkShout MailChimp
Multiple cross-site scripting (XSS) vulnerabilities in the MailChimp module 7.x-2.x before 7.x-2.7 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) a predictable "webhook URL key" (so the webhook endpoint's URL can be guessed) and (2) improper sanitization of "Webhook variables from POST requests".

2012-12-03  CVE-2012-5549  Risk: 6.8
Cross-Site Request Forgery (CSRF) vulnerability in Carlos Carvalhar Time Spent 6.x-2.x/7.x-2.x
Cross-site request forgery (CSRF) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

2012-12-03  CVE-2012-5548  Risk: 4.3
Cross-Site Scripting vulnerability in Carlos Carvalhar Time Spent 6.x-2.x/7.x-2.x
Cross-site scripting (XSS) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2012-12-03  CVE-2012-5547  Risk: 6.8
Cross-Site Request Forgery (CSRF) vulnerability in Thomas Seidl Search API
Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (2) enable a search index via an enable index action.

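The CSRF class behind the Search API entry (and the RESTWS and Time Spent entries, whose vectors the advisories leave unspecified): an administrator's browser can be made to send a state-changing request such as "enable this server" with the admin's session cookie attached. The stand-alone PHP below is an added example, not Search API's, Drupal core's or the advisory's code. It shows the unprotected action beside the token-checked one and mirrors the construction Drupal 7's drupal_get_token()/drupal_valid_token() use (base64url HMAC-SHA256 over a value, keyed with the session id and the site secret), re-implemented so it runs with plain `php` and no Drupal install. The menu path, session ids, server list and secret are constructed for the example.

```php
<?php
// Added example (not Search API or Drupal core code): CSRF on an action link
// and the request-token check a Drupal 7 page callback should perform.
declare(strict_types=1);

// Constructed stand-ins for what Drupal supplies at runtime.
$site_secret      = random_bytes(32);      // drupal_get_private_key() . drupal_get_hash_salt() in Drupal
$admin_session    = 'sess-admin-4f2a';     // session_id() of the logged-in administrator
$attacker_session = 'sess-attacker-9c1b';  // a session the attacker controls

// Constructed module state: one search server, currently disabled.
$servers = ['solr_main' => ['enabled' => false]];

// Same shape as Drupal 7's drupal_hmac_base64(): HMAC-SHA256, base64, URL-safe alphabet, no padding.
function action_token(string $value, string $session_id, string $site_secret): string
{
    $mac = hash_hmac('sha256', $value, $session_id . $site_secret, true);
    return strtr(base64_encode($mac), ['+' => '-', '/' => '_', '=' => '']);
}

// Illustrative menu path (assumed for the example, not necessarily the module's real one).
function enable_path(string $server_id): string
{
    return "admin/config/search/search_api/server/$server_id/enable";
}

// The state change itself, shared by both callbacks below.
function set_server_enabled(array &$servers, string $server_id): bool
{
    if (!isset($servers[$server_id])) {
        return false;
    }
    $servers[$server_id]['enabled'] = true;
    return true;
}

// VULNERABLE callback: the change runs on any GET that reaches the path. An
// attacker page containing <img src="https://site/admin/.../solr_main/enable">
// makes the administrator's browser send exactly that request, cookies included.
function enable_server_vulnerable(array &$servers, string $server_id): bool
{
    return set_server_enabled($servers, $server_id);
}

// HARDENED, step 1: the module builds the link with a token bound to the path
// and to the current session. Drupal 7 equivalent:
//   l('Enable', $path, ['query' => ['token' => drupal_get_token($path)]])
function enable_server_link(string $server_id, string $session_id, string $site_secret): string
{
    $path = enable_path($server_id);
    return $path . '?token=' . action_token($path, $session_id, $site_secret);
}

// HARDENED, step 2: the callback refuses the request unless the token validates
// for the session that is making it. Drupal 7 equivalent:
//   if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) return drupal_access_denied();
function enable_server_hardened(array &$servers, string $server_id, ?string $token,
                                string $session_id, string $site_secret): bool
{
    $expected = action_token(enable_path($server_id), $session_id, $site_secret);
    // hash_equals() compares in constant time; a missing token never validates.
    if ($token === null || !hash_equals($expected, $token)) {
        return false;  // access denied, state untouched
    }
    return set_server_enabled($servers, $server_id);
}

// 1. Forged request with no token, as an <img> or <a> on the attacker's page sends it.
$forged_no_token = enable_server_hardened($servers, 'solr_main', null, $admin_session, $site_secret);

// 2. Forged request carrying a token the attacker minted in their own session:
//    the session id is part of the HMAC key, so it does not validate for the admin.
$attacker_token   = action_token(enable_path('solr_main'), $attacker_session, $site_secret);
$forged_own_token = enable_server_hardened($servers, 'solr_main', $attacker_token, $admin_session, $site_secret);

// 3. The administrator clicks the module's own tokenised link.
parse_str((string) parse_url(enable_server_link('solr_main', $admin_session, $site_secret), PHP_URL_QUERY), $query);
$legitimate = enable_server_hardened($servers, 'solr_main', $query['token'], $admin_session, $site_secret);

printf("forged (no token): %s\nforged (attacker's own token): %s\nlegitimate click: %s\nserver enabled: %s\n",
    var_export($forged_no_token, true), var_export($forged_own_token, true),
    var_export($legitimate, true), var_export($servers['solr_main']['enabled'], true));
```

Both forged requests are refused and the server stays disabled until the administrator follows the link the module generated; the attacker cannot produce a valid token because the victim's session id is part of the HMAC key and the site secret never leaves the server. The same check applies to the "enable index" action, and in Drupal 7 the token is only worth adding if the callback also verifies the permission (`user_access()`) that the menu item's access callback enforces.
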
2012-12-03  CVE-2012-5544  Risk: 4.0
Information Exposure vulnerability in ThinkShout Mandrill 7.x-1.0/7.x-1.1/7.x-1.x
The Mandrill module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to obtain password reset links by reading the logs in the Mandrill dashboard; that is, anyone with access to the site's Mandrill account can read the reset e-mails the module sent.
Attack vector: network. Attack complexity: low. Vendor/product: thinkshout, drupal. CWE-200.