Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2012-08-14 | CVE-2012-2096 | Improper Input Validation vulnerability in Lullabot Fivestar Module for Drupal 6.X1.20/6.X1.X | The Fivestar module 6.x-1.x before 6.x-1.20 for Drupal does not properly validate voting data, which allows remote attackers to manipulate voting averages via a negative value in the vote parameter. | 5.0 |
2012-07-25 | CVE-2012-2307 | Cross-Site Request Forgery (CSRF) vulnerability in Plaatsoft Addressbook | Cross-site request forgery (CSRF) vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.8 |
2012-07-25 | CVE-2012-2305 | Cross-Site Request Forgery (CSRF) vulnerability in Justin Ellison Node Gallery 6.X3.1 | Cross-site request forgery (CSRF) vulnerability in the Node Gallery module for Drupal 6.x-3.1 and earlier allows remote attackers to hijack the authentication of certain users for requests that create node galleries. | 6.8 |
2012-07-25 | CVE-2012-2302 | Information Exposure vulnerability in Nancy Wichmann Sitedoc | Site Documentation (Sitedoc) module for Drupal 6.x-1.x before 6.x-1.4 does not properly check the save location when archiving, which allows remote attackers to obtain sensitive information via unspecified vectors. | 5.0 |
2012-07-25 | CVE-2012-2296 | Information Exposure vulnerability in Janrain RPX | The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x. | 5.0 |
2012-06-27 | CVE-2012-2717 | Cross-Site Scripting vulnerability in Mathew Winstone Mobile Tools | Multiple cross-site scripting (XSS) vulnerabilities in the Mobile Tools module 6.x-2.x before 6.x-2.3 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) Mobile URL field or (2) Desktop URL field to the General configuration page, or the (3) message to the Mobile Tools block message options. | 4.3 |
2012-06-27 | CVE-2012-3802 | Cross-Site Scripting and Access Security Bypass vulnerability in Drupal Post Affiliate Pro | Unspecified vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote authenticated users to read the commissions of other users via unknown attack vectors. | 4.0 |
2012-06-27 | CVE-2012-3799 | Cross-Site Request Forgery (CSRF) vulnerability in Blaine Lang Maestro 7.X1.0/7.X1.1/7.X1.X | Multiple cross-site request forgery (CSRF) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) change workflows or (2) insert cross-site scripting (XSS) sequences. | 5.1 |
2012-06-27 | CVE-2012-3798 | Information Exposure vulnerability in Bryce Hamrick Janrain Capture 6.X1.0/7.X1.0 | The Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when creating a local user account, allows attackers to obtain part of the initial input used to generate passwords, which makes it easier to conduct brute force password guessing attacks. | 5.0 |
2012-06-27 | CVE-2012-2729 | Cross-Site Request Forgery (CSRF) vulnerability in Adcillc Simplemeta | Multiple cross-site request forgery (CSRF) vulnerabilities in the SimpleMeta module 6.x-1.x before 6.x-2.0 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) delete or (2) add a meta tag entry. | 6.8 |