Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2012-12-03 | CVE-2012-5543 | Permissions, Privileges, and Access Controls vulnerability in Feeds Project Feeds 7.X2.0/7.X2.X | The Feeds module 7.x-2.x before 7.x-2.0-alpha6 for Drupal, when a field is mapped to the node's author, does not properly check permissions, which allows remote attackers to create arbitrary nodes via a crafted source feed. | 4.3 |
2012-12-03 | CVE-2012-5542 | Cross-Site Request Forgery (CSRF) vulnerability in Pedro Cambra Commerce Extra Panes 7.X1.0/7.X1.X | Cross-site request forgery (CSRF) vulnerability in the Commerce Extra Panes module 7.x-1.x before 7.x-1.1 in Drupal allows remote attackers to hijack the authentication of administrators for requests that enable or disable a Commerce extra panes pane via unspecified vectors related to "the link to reorder items." | 6.8 |
2012-12-03 | CVE-2012-5541 | Cross-Site Scripting vulnerability in Twitter Pull Project Twitter Pull | Cross-site scripting (XSS) vulnerability in the Twitter Pull module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.0-rc3 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "data coming from Twitter." | 4.3 |
2012-12-03 | CVE-2012-5540 | Cross-Site Scripting vulnerability in Tekritisoftware Hostip | Multiple cross-site scripting (XSS) vulnerabilities in the Hostip module 6.x-2.x before 6.x-2.2 and 7.x-2.x before 7.x-2.2 for Drupal allow remote attackers with control of hostip.info to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-12-03 | CVE-2012-5537 | Code Injection vulnerability in Simplenews Scheduler Project Simplenews Scheduler | The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron. | 6.0 |
2012-11-30 | CVE-2012-4478 | Cross-Site Request Forgery (CSRF) vulnerability in David Alkire Drag & Drop Gallery 6.X1.5 | Cross-site request forgery (CSRF) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to hijack the authentication of administrators. | 6.8 |
2012-11-30 | CVE-2012-4477 | Permissions, Privileges, and Access Controls vulnerability in David Alkire Drag & Drop Gallery 6.X1.5 | Unspecified vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to bypass access restrictions via unknown attack vectors. | 5.0 |
2012-11-30 | CVE-2012-4476 | Cross-Site Scripting vulnerability in David Alkire Drag & Drop Gallery 6.X1.5 | Cross-site scripting (XSS) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-11-30 | CVE-2012-4475 | Permissions, Privileges, and Access Controls vulnerability in Security Questions Project Security Questions | The Security Questions module for Drupal 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.1 does not properly restrict access, which allows remote attackers to edit an arbitrary user's questions and answers via unspecified vectors. | 5.0 |
2012-11-30 | CVE-2012-4474 | Cross-Site Scripting vulnerability in Colorbox Node Dennis Blake 7.X2.0/7.X2.1 | Multiple cross-site scripting (XSS) vulnerabilities in the Colorbox Node module 7.x-2.x before 7.x-2.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. | 4.3 |