Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2010-12-23 | CVE-2010-4519 | Cross-Site Request Forgery (CSRF) vulnerability in Earl Miles Views: Multiple cross-site request forgery (CSRF) vulnerabilities in the Views UI implementation in the Views module 5.x before 5.x-1.8 and 6.x before 6.x-2.11 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable all Views or (2) disable all Views. | 6.8 |
2010-09-29 | CVE-2010-3686 | Improper Authentication vulnerability in multiple products: The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. | 5.0 |
2010-09-29 | CVE-2010-3685 | Improper Authentication vulnerability in multiple products: The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. | 5.0 |
2010-09-29 | CVE-2010-3091 | Improper Authentication vulnerability in multiple products: The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. | 5.0 |
2010-09-21 | CVE-2010-3092 | Permissions, Privileges, and Access Controls vulnerability in Drupal: The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name. | 5.5 |
2010-08-25 | CVE-2009-4990 | Cross-Site Scripting vulnerability in Jrbcs Webform Report: Cross-site scripting (XSS) vulnerability in the Webform report module 5.x and 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a submission. | 4.3 |
2010-06-21 | CVE-2010-2353 | Permissions, Privileges, and Access Controls vulnerability in Yves Chedemois CCK: The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes. | 5.0 |
2010-06-21 | CVE-2010-2352 | Improper Input Validation vulnerability in multiple products: The Node Reference module in Content Construction Kit (CCK) module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes. | 5.0 |
2010-05-24 | CVE-2010-2030 | Cross-Site Scripting vulnerability in Alan Palazzolo External Link Page 5.x-0.8/6.x-1.0/6.x-1.1: Cross-site scripting (XSS) vulnerability in the External Link Page module 5.x before 5.x-1.0 and 6.x before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to the administration and redirect pages. | 4.3 |
2010-04-26 | CVE-2010-1543 | Cross-Site Scripting vulnerability in Etracker 6.x-1.0/6.x-1.x-dev: Cross-site scripting (XSS) vulnerability in the eTracker module before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML by appending a crafted string to an arbitrary URL associated with the Drupal site. | 4.3 |