Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2010-04-20 | CVE-2009-4773 | Cross-Site Request Forgery (CSRF) vulnerability in Ubercart | Cross-site request forgery (CSRF) vulnerability in the order-management functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.8 |
2010-04-20 | CVE-2009-4772 | Information Disclosure vulnerability in Ubercart | Unspecified vulnerability in the PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal, when a custom checkout completion message is enabled, allows attackers to obtain sensitive information via unknown vectors. | 4.3 |
2010-04-20 | CVE-2009-4771 | Improper Input Validation vulnerability in Ubercart | The PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal does not properly validate orders, which allows remote attackers to trigger unspecified "duplicate actions" via unknown vectors. | 5.0 |
2010-03-23 | CVE-2010-1074 | Cross-Site Scripting vulnerability in 2Bits Currency | Cross-site scripting (XSS) vulnerability in the Currency Exchange module before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to watchdog logging. | 4.3 |
2010-02-27 | CVE-2010-0752 | Permissions, Privileges, and Access Controls vulnerability in Earl Dunovant Week | The week_post_page function in the Weekly Archive by Node Type module 6.x before 6.x-2.7 for Drupal does not properly implement node access restrictions when constructing SQL queries, which allows remote attackers to read restricted node listings via unspecified vectors. | 5.0 |
2010-01-12 | CVE-2009-4602 | Cross-Site Scripting vulnerability in Drupal Randomizer 5.X1.0/6.X1.0 | Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2010-01-04 | CVE-2009-4558 | Permissions, Privileges, and Access Controls vulnerability in Unleashedmind IMG Assist | The Image Assist module 5.x-1.x before 5.x-1.8, 5.x-2.x before 2.0-alpha4, 6.x-1.x before 6.x-1.1, 6.x-2.x before 2.0-alpha4, and 6.x-3.x-dev before 2009-07-15, a module for Drupal, does not properly enforce privilege requirements for unspecified pages, which allows remote attackers to read the (1) title or (2) body of an arbitrary node via unknown vectors. | 5.0 |
2009-12-31 | CVE-2009-4534 | Cross-Site Scripting vulnerability in Drupal FAQ Ask | Open redirect vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 4.3 |
2009-12-31 | CVE-2009-4533 | Information Exposure vulnerability in Nathan Haug Webform | The Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, does not prevent caching of a page that contains token placeholders for a default value, which allows remote attackers to read session variables via unspecified vectors. | 5.0 |
2009-12-31 | CVE-2009-4528 | Permissions, Privileges, and Access Controls vulnerability in Moshe Weitzman OG Vocab 6.X1.0/6.X1.X | The Organic Groups (OG) Vocabulary module 6.x before 6.x-1.0 for Drupal allows remote authenticated group members to bypass intended access restrictions, and create, modify, or read a vocabulary, via unspecified vectors. | 6.5 |