Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2009-08-06 | CVE-2008-6909 | Cryptographic Issues vulnerability in Marc Ingram Services: Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not sign all required data in requests, which has unspecified impact, probably related to man-in-the-middle attacks that modify critical data and allow remote attackers to impersonate other users and gain privileges. | 6.5 |
2009-07-22 | CVE-2009-2572 | Cross-Site Request Forgery (CSRF) vulnerability in Lullabot Fivestar Module for Drupal: Cross-site request forgery (CSRF) vulnerability in the Fivestar module 5.x-1.x before 5.x-1.14 and 6.x-1.x before 6.x-1.14, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that cast votes. | 6.8 |
2009-07-08 | CVE-2009-2374 | Credentials Management vulnerability in Drupal: Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache. | 5.0 |
2009-07-08 | CVE-2009-2373 | Cross-Site Scripting vulnerability in Drupal: Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-07-08 | CVE-2009-2372 | Code Injection vulnerability in Drupal: Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature. | 6.5 |
2009-07-08 | CVE-2009-2371 | Permissions, Privileges, and Access Controls vulnerability in Michelle COX Advanced Forum 6.X1.0/6.X1.Xdev: Advanced Forum 6.x before 6.x-1.1, a module for Drupal, does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature. | 6.5 |
2009-07-08 | CVE-2009-2370 | Cross-Site Scripting vulnerability in Michelle COX Advanced Forum 5.X1.Xdev/6.X1.Xdev: Cross-site scripting (XSS) vulnerability in Advanced Forum 5.x before 5.x-1.1 and 6.x before 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-07-01 | CVE-2009-2291 | Permissions, Privileges, and Access Controls vulnerability in Chad Phillips Logintoboggan: Unspecified vulnerability in LoginToboggan 6.x-1.x before 6.x-1.5, a module for Drupal, when "Allow users to login using their e-mail address" is enabled, allows remote blocked users to bypass intended access restrictions via unspecified vectors. | 6.8 |
2009-06-27 | CVE-2008-6836 | Cross-Site Request Forgery (CSRF) vulnerability in Peter Wolanin Openid 5.X1.0/5.X1.1/5.X1.X: Cross-site request forgery (CSRF) vulnerability in OpenID 5.x before 5.x-1.2, a module for Drupal, allows remote attackers to hijack the authentication of unspecified victims to delete OpenID identities via unknown vectors. | 6.8 |
2009-06-27 | CVE-2008-6835 | Cross-Site Scripting vulnerability in Peter Wolanin Openid 5.X1.0/5.X1.1/5.X1.X: Cross-site scripting (XSS) vulnerability in OpenID 5.x before 5.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |