Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2011-09-23 | CVE-2011-3730 | Information Exposure vulnerability in Drupal 7.0. Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and certain other files. | 5.0 |
2011-09-13 | CVE-2009-5096 | Cross-Site Scripting vulnerability in Khalid Baheyeldin Flag Content. Cross-site scripting (XSS) vulnerability in the Flag Content module 5.x-2.x before 5.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Reason parameter. | 4.3 |
2011-04-10 | CVE-2011-1664 | Cross-Site Request Forgery (CSRF) vulnerability in Icanlocalize Translation Management. Cross-site request forgery (CSRF) vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.8 |
2011-04-10 | CVE-2011-1662 | Cross-Site Scripting vulnerability in Icanlocalize Translation Management. Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2011-04-10 | CVE-2011-1661 | Permissions, Privileges, and Access Controls vulnerability in Nicholas Thompson Node Quick Find 6.x-1.1. The Node Quick Find module 6.x-1.1 for Drupal does not use db_rewrite_sql when presenting node titles, which allows remote attackers to bypass intended access restrictions and read potentially sensitive node titles via the autocomplete feature. | 5.0 |
2011-03-23 | CVE-2010-4775 | Improper Input Validation vulnerability in Nicholas Thompson Relevant Content. The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships. | 5.0 |
2011-02-07 | CVE-2011-0899 | Information Disclosure vulnerability in Johan Lindskog AES Encryption Module 7.x-1.4. The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user. | 5.0 |
2011-02-04 | CVE-2011-0771 | Improper Input Validation vulnerability in Janrain RPX 6.x-1.3. The Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site. | 6.8 |
2010-12-23 | CVE-2010-4521 | Cross-Site Scripting vulnerability in Earl Miles Views. Cross-site scripting (XSS) vulnerability in the Views module 6.x before 6.x-2.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via a page path. | 4.3 |
2010-12-23 | CVE-2010-4520 | Cross-Site Scripting vulnerability in Earl Miles Views. Multiple cross-site scripting (XSS) vulnerabilities in the Views module 6.x before 6.x-2.11 for Drupal allow remote attackers to inject arbitrary web script or HTML via (1) a URL or (2) an aggregator feed title. | 4.3 |