Drupal vulnerabilities (medium risk)

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2012-11-30 | CVE-2012-4472 | Unspecified vulnerability in David Alkire Drag & Drop Gallery 6.X1.5 | Unrestricted file upload vulnerability in upload.php in the Drag & Drop Gallery module 6.x-1.5 and earlier for Drupal allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the directory specified by the filedir parameter. | 5.1 |
| 2012-11-30 | CVE-2012-4471 | Permissions, Privileges, and Access Controls vulnerability in Dominique Clause Search Autocomplete | The Search Autocomplete module 7.x-2.x before 7.x-2.4 for Drupal does not properly restrict access to the module admin page, which allows remote attackers to disable an autocompletion or change the priority order via unspecified vectors. | 5.0 |
| 2012-11-30 | CVE-2012-4468 | Cross-Site Scripting vulnerability in Privatemsg Project Privatemsg | Cross-site scripting (XSS) vulnerability in the Privatemsg module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a user name in a private message. | 4.3 |
| 2012-11-22 | CVE-2012-2084 | Cross-Site Scripting vulnerability in Joao Ventura Print | Cross-site scripting (XSS) vulnerability in the Printer, email and PDF versions module 6.x-1.x before 6.x-1.15 and 7.x-1.x before 7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably the PATH_INFO. | 4.3 |
| 2012-11-11 | CVE-2012-4554 | Permissions, Privileges, and Access Controls vulnerability in Drupal | The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file. | 5.0 |
| 2012-11-11 | CVE-2012-4553 | Permissions, Privileges, and Access Controls vulnerability in Drupal | Drupal 7.x before 7.16 allows remote attackers to obtain sensitive information and possibly re-install Drupal and execute arbitrary PHP code via an external database server, related to "transient conditions." | 6.8 |
| 2012-11-02 | CVE-2012-4487 | Permissions, Privileges, and Access Controls vulnerability in Boombatower Subuser | The Subuser module before 6.x-1.8 for Drupal does not properly check "switch subuser" permissions, which allows remote authenticated parent users to change their role by switching to a subuser they created. | 4.0 |
| 2012-11-02 | CVE-2012-4486 | Cross-Site Request Forgery (CSRF) vulnerability in Boombatower Subuser | Cross-site request forgery (CSRF) vulnerability in the Subuser module before 6.x-1.8 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that switch the user to a subuser via unspecified vectors. | 6.8 |
| 2012-10-31 | CVE-2012-4499 | Permissions, Privileges, and Access Controls vulnerability in Matthias Hutterer Email | The contact formatter page in the Email Field module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to email the stored address in the entity via unspecified vectors. | 5.0 |
| 2012-10-31 | CVE-2012-4495 | Permissions, Privileges, and Access Controls vulnerability in Mime Mail Module Project Mimemail 6.X1.0/6.X1.X | The Mime Mail module 6.x-1.x before 6.x-1.1 for Drupal does not properly restrict access to files outside Drupal's public files directory, which allows remote authenticated users to send arbitrary files as attachments. | 4.0 |