Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2009-03-02 | CVE-2008-6383 | SQL Injection vulnerability in Drupal Storm: SQL injection vulnerability in SpeedTech Organization and Resource Manager (Storm) 5.x before 5.x-1.14 and 6.x before 6.x-1.18, a module for Drupal, allows remote authenticated users with storm project access to execute arbitrary SQL commands via unspecified vectors. | 6.0 |
2009-02-25 | CVE-2008-6276 | SQL Injection vulnerability in Drupal User Karma Module: Multiple SQL injection vulnerabilities in the User Karma module 5.x before 5.x-1.13 and 6.x before 6.x-1.0-beta1, a module for Drupal, allow remote authenticated administrators to execute arbitrary SQL commands via (1) a content type or (2) a voting API value. | 6.5 |
2009-02-25 | CVE-2008-6275 | Cross-Site Scripting vulnerability in Drupal User Karma Module: Cross-site scripting (XSS) vulnerability in the User Karma module 5.x before 5.x-1.13 and 6.x before 6.x-1.0-beta1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified messages. | 4.3 |
2009-02-19 | CVE-2008-6169 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Localization Client and Localization Server: Cross-site request forgery (CSRF) vulnerability in the Localization client 5.x before 5.x-1.1 and 6.x before 6.x-1.6 and the Localization server 5.x before 5.x-1.0-alpha5 and 6.x before 6.x-alpha2, modules for Drupal, allows remote attackers to perform unauthorized actions as administrators via unspecified vectors related to the "local translation submission interface." | 6.8 |
2009-02-18 | CVE-2008-6160 | Permissions, Privileges, and Access Controls vulnerability in Drupal Semantically Interconnected Online Communities: Semantically-Interconnected Online Communities (SIOC) 5.x before 5.x-1.2 and 6.x before 6.x-1.1, a module for Drupal, does not properly implement menu and database APIs, which allows remote attackers to obtain usernames and read hashed emails and comments via unspecified vectors. | 5.0 |
2009-02-14 | CVE-2008-6135 | Cross-Site Scripting vulnerability in Drupal Everyblog 5.0/6.0: Cross-site scripting (XSS) vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-02-13 | CVE-2009-0575 | Cross-Site Scripting vulnerability in Drupal Views Bulk Operations: Cross-site scripting (XSS) vulnerability in the theme_views_bulk_operations_confirmation function in views_bulk_operations.module in Views Bulk Operations 5.x before 5.x-1.3 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to node titles. | 4.3 |
2009-02-02 | CVE-2009-0382 | Permissions, Privileges, and Access Controls vulnerability in Drupal Internationalization 5.X1.1: Unspecified vulnerability in Internationalization (i18n) Translation 5.x before 5.x-2.5, a module for Drupal, allows remote attackers with "translate node" permissions to bypass intended access restrictions and read unpublished nodes via unspecified vectors. | 4.3 |
2009-01-28 | CVE-2008-5998 | SQL Injection vulnerability in Drupal Ajax Checklist 5.X1.0: Multiple SQL injection vulnerabilities in the ajax_checklist_save function in the Ajax Checklist module 5.x before 5.x-1.1 for Drupal allow remote authenticated users, with "update ajax checklists" permissions, to execute arbitrary SQL commands via a save operation, related to the (1) nid, (2) qid, and (3) state parameters. | 6.0 |
2008-10-29 | CVE-2008-4792 | Permissions, Privileges, and Access Controls vulnerability in Drupal: The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values. | 6.0 |