Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2012-06-27 | CVE-2012-2728 | Cross-Site Request Forgery (CSRF) vulnerability in Ronan Dowling Node Hierarchy: Multiple cross-site request forgery (CSRF) vulnerabilities in the Node Hierarchy module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to hijack the authentication of administrators for requests that change a node hierarchy position via an (1) up or (2) down action. | 6.8 |
2012-06-27 | CVE-2012-2727 | Improper Input Validation vulnerability in Bryce Hamrick Janrain Capture 6.x-1.0/7.x-1.0: Open redirect vulnerability in the Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when synchronizing user data, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. | 5.8 |
2012-06-27 | CVE-2012-2722 | Permissions, Privileges, and Access Controls vulnerability in Scott Reynen Node Embed: The node selection interface in the WYSIWYG editor (CKEditor) in the Node Embed module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.0 for Drupal does not properly check permissions, which allows remote attackers to bypass intended access restrictions and read node titles. | 4.3 |
2012-06-27 | CVE-2012-2721 | Permissions, Privileges, and Access Controls vulnerability in Moshe Weitzman Organic Groups: The default views in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal do not properly check permissions when all users have the "access content" permission removed, which allows remote attackers to bypass access restrictions and possibly have other unspecified impact. | 6.8 |
2012-06-27 | CVE-2012-2720 | Permissions, Privileges, and Access Controls vulnerability in Adam Ross Tokenauth: The Token Authentication (tokenauth) module 6.x-1.x before 6.x-1.7 for Drupal does not properly revert user sessions, which might allow remote attackers to perform requests with extra privileges. | 5.0 |
2012-06-27 | CVE-2012-2719 | Permissions, Privileges, and Access Controls vulnerability in Blaine Lang Filedepot: The filedepot module 6.x-1.x before 6.x-1.3 for Drupal, when accessed using multiple different browsers from the same IP address, causes Internet Explorer sessions to "switch users" when uploading a file, which has unspecified impact possibly involving file uploads to the wrong user directory, aka "Session Management Vulnerability." | 5.1 |
2012-06-27 | CVE-2012-2715 | Cross-Site Scripting vulnerability in Jason Moore Amadou: Cross-site scripting (XSS) vulnerability in the themes_links function in template.php in the Amadou theme module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to class attributes in a list of links. | 4.3 |
2012-06-27 | CVE-2012-2713 | Cross-Site Request Forgery (CSRF) vulnerability in Browserid Project Browserid 7.x-1.1/7.x-1.2: Cross-site request forgery (CSRF) vulnerability in the BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that log a user in to another web site. | 6.8 |
2012-06-27 | CVE-2012-2707 | Permissions, Privileges, and Access Controls vulnerability in Antoine Beaupre Hostmaster: The Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal does not properly exit when users do not have access to package/task nodes, which allows remote attackers to bypass intended access restrictions and edit unauthorized nodes. | 5.8 |
2012-06-27 | CVE-2012-2706 | Cross-Site Scripting vulnerability in Peter Pokrivcak Post Affiliate PRO: Cross-site scripting (XSS) vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to user registration. | 4.3 |