Vulnerabilities > Drupal > Medium

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | DETAILS | RISK |
|---|---|---|---|---|---|
| 2008-10-29 | CVE-2008-4791 | Permissions, Privileges, and Access Controls vulnerability in Drupal | The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors. | network; drupal; CWE-264 | 6.0 |
| 2008-10-29 | CVE-2008-4790 | Permissions, Privileges, and Access Controls vulnerability in Drupal | The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors. | network; drupal; CWE-264 | 6.0 |
| 2008-10-29 | CVE-2008-4789 | Permissions, Privileges, and Access Controls vulnerability in Drupal | The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error." | network; drupal; CWE-264 | 6.0 |
| 2008-10-23 | CVE-2008-4710 | Cross-Site Scripting vulnerability in Drupal Stock Module 6X | Cross-site scripting (XSS) vulnerability in the stock quotes page in Stock 6.x before 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | network; drupal; CWE-79 | 4.3 |
| 2008-10-21 | CVE-2008-4633 | SQL Injection vulnerability in Drupal Node Clone | SQL injection vulnerability in Node Vote 5.x before 5.x-1.1 and 6.x before 6.x-1.0, a module for Drupal, when "Allow user to vote again" is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to a "previously cast vote." | network; drupal; CWE-89 | 6.0 |
| 2008-10-17 | CVE-2008-4596 | Cross-Site Scripting vulnerability in Drupal Shindig-Integrator 5 | Cross-site scripting (XSS) vulnerability in Shindig-Integrator 5.x, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in generated pages. | network; drupal; CWE-79 | 4.3 |
| 2008-09-24 | CVE-2008-4153 | Permissions, Privileges, and Access Controls vulnerability in Drupal Talk | The Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, does not perform access checks for a node before displaying comments, which allows remote attackers to obtain sensitive information. | network; low complexity; drupal; CWE-264 | 5.0 |
| 2008-09-24 | CVE-2008-4149 | Cross-Site Scripting vulnerability in Drupal Link TO US 5.X1.Xdev | Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field. | network; drupal; CWE-79 | 4.3 |
| 2008-09-24 | CVE-2008-4147 | Cross-Site Scripting vulnerability in Drupal Mailsave | Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type. | network; drupal; CWE-79 | 4.3 |
| 2008-09-23 | CVE-2008-3661 | Cryptographic Issues vulnerability in Drupal | Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | network; low complexity; drupal; CWE-310 | 5.0 |