Vulnerabilities > Drupal > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2008-04-15 | CVE-2008-1792 | Cross-Site Scripting vulnerability in Drupal Flickr | Cross-site scripting (XSS) vulnerability in the insertion filter in the Flickr Drupal module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-alpha allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2008-04-11 | CVE-2008-1729 | Unspecified vulnerability in Drupal 6.0/6.1 | The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the "access content" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types. | 5.8 |
2008-03-20 | CVE-2008-1428 | Cross-Site Scripting vulnerability in Drupal Ubercart Module | Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-beta7 module for Drupal allow remote attackers to inject arbitrary web script or HTML via a text attribute value for a product. | 4.3 |
2008-03-04 | CVE-2008-1133 | Cross-Site Scripting vulnerability in Drupal | The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks. | 4.3 |
2008-02-05 | CVE-2008-0577 | Permissions, Privileges, and Access Controls vulnerability in Drupal Project Issue Tracking Module 4.7/5.0 | The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote attackers to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote attackers to upload files containing arbitrary web script or HTML. | 6.4 |
2008-02-05 | CVE-2008-0576 | Cross-Site Scripting vulnerability in Drupal Project Issue Tracking Module 4.7/5 | Cross-site scripting (XSS) vulnerability in the Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors that write to summary table pages. | 4.3 |
2008-02-05 | CVE-2008-0571 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Userpoints Module 4.7/5.0 | The point moderation form in the Userpoints 4.7.x before 4.7.x-2.3, 5.x-2 before 5.x-2.16, and 5.x-3 before 5.x-3.3 module for Drupal does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and manipulate points. | 4.3 |
2008-02-05 | CVE-2008-0570 | Improper Input Validation vulnerability in Drupal Openid 5 | The OpenID 5.x-1.0 and earlier module for Drupal does not properly verify the claimed_id returned by an OpenID provider, which allows remote OpenID providers to spoof OpenID authentication for domains associated with other providers. | 5.0 |
2008-02-05 | CVE-2008-0569 | Permissions, Privileges, and Access Controls vulnerability in Drupal Comment Upload Module 4.7/5.0 | The Comment Upload 4.7.x before 4.7.x-0.1 and 5.x before 5.x-0.1 module for Drupal does not properly use functions in the upload module, which allows remote attackers to bypass upload validation, and upload arbitrary files and possibly execute arbitrary code, via unspecified vectors. | 6.4 |
2008-01-25 | CVE-2008-0463 | Cross-Site Scripting vulnerability in Drupal Workflow | Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties. | 4.3 |