Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2012-06-27 | CVE-2012-2702 | Permissions, Privileges, and Access Controls vulnerability in Tony Freixas Ubercart Product Keys 6.X1.0: The Ubercart Product Keys module 6.x-1.x before 6.x-1.1 for Drupal does not properly check access for product keys, which allows remote attackers to read all unassigned product keys via certain conditions related to the uid. | 5.0 |
2012-06-25 | CVE-2010-2021 | Improper Input Validation vulnerability in Nicholasthompson Global Redirect: Open redirect vulnerability in the Global Redirect module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, when non-clean to clean is enabled, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter. | 5.8 |
2012-06-21 | CVE-2012-2716 | Cross-Site Request Forgery (CSRF) vulnerability in David Stosik Comment Moderation 6.X1.0/6.X1.Xdev: Cross-site request forgery (CSRF) vulnerability in the Comment Moderation module 6.x-1.x before 6.x-1.1 for Drupal allows remote attackers to hijack the authentication of administrators for requests that publish comments. | 6.8 |
2012-05-21 | CVE-2012-2922 | Information Exposure vulnerability in Drupal: The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. | 5.0 |
2012-05-21 | CVE-2012-2339 | Cross-Site Scripting vulnerability in multiple products: Cross-site scripting (XSS) vulnerability in the Glossary module 6.x-1.x before 6.x-1.8 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "taxonomy information." | 4.3 |
2012-05-18 | CVE-2012-2341 | Cross-Site Request Forgery (CSRF) vulnerability in Rahul Singla Take Control 6.X1.X/6.X2.0/6.X2.X: Cross-site request forgery (CSRF) vulnerability in the Take Control module 6.x-2.x before 6.x-2.2 for Drupal allows remote attackers to hijack the authentication of unspecified users for Ajax requests that manipulate files. | 6.8 |
2012-05-18 | CVE-2012-1589 | Improper Input Validation vulnerability in Drupal: Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL. | 5.8 |
2012-02-14 | CVE-2012-1057 | Cross-Site Request Forgery (CSRF) vulnerability in Sean Robertson Forward: Cross-site request forgery (CSRF) vulnerability in the clickthrough tracking functionality in the Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that increase node rankings via the tracking code, possibly related to improper "flood control." | 6.0 |
2012-02-14 | CVE-2012-1056 | Permissions, Privileges, and Access Controls vulnerability in Sean Robertson Forward: The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal does not properly enforce permissions for (1) Recent forwards, (2) Most forwarded, or (3) Dynamic blocks, which allows remote attackers to obtain node titles via unspecified vectors. | 5.0 |
2012-01-24 | CVE-2012-0914 | Cross-Site Scripting vulnerability in Earl Miles Panels: Cross-site scripting (XSS) vulnerability in display_renderers/panels_renderer_editor.class.php in the admin view in the Panels module 6.x-2.x before 6.x-3.10 and 7.x-3.x before 7.x-3.0 for Drupal allows remote authenticated users with certain privileges to inject arbitrary web script or HTML via the Region title. | 4.3 |