Vulnerabilities > Drupal > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2008-01-25 | CVE-2008-0462 | Cross-Site Scripting vulnerability in Drupal Archive Module and Drupal Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2008-01-15 | CVE-2008-0276 | Cross-Site Scripting vulnerability in Drupal Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table. | 4.3 |
| 2008-01-15 | CVE-2008-0275 | Permissions, Privileges, and Access Controls vulnerability in Drupal Atom Module The Atom 4.7 before 4.7.x-1.0 and 5.x before 5.x-1.0 module for Drupal does not properly manage permissions for node (1) titles, (2) teasers, and (3) bodies, which might allow remote attackers to gain access to syndicated content. | 5.0 |
| 2008-01-15 | CVE-2008-0273 | Cross-Site Scripting vulnerability in Drupal Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism. | 4.3 |
| 2008-01-15 | CVE-2008-0272 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users. | 4.3 |
| 2008-01-15 | CVE-2008-0271 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Bueditor The editor deletion form in BUEditor 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.1, a module for Drupal, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete custom editor interfaces. | 4.3 |
| 2008-01-15 | CVE-2008-0264 | Improper Input Validation vulnerability in Drupal Meta Tags Module Unspecified vulnerability in the Meta Tags (aka Nodewords) 5.x-1.6 module for Drupal, when images are permitted in node bodies, allows remote authenticated users to execute arbitrary code via unspecified vectors involving creation of a node. | 6.8 |
| 2007-12-12 | CVE-2007-6320 | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Feature Module 4.7.Xdev/5.Xdev Feature 4.7.x-dev and 5.x-dev before 20071206, a Drupal module, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks. | 4.3 |
| 2007-12-10 | CVE-2007-6298 | Cross-Site Scripting vulnerability in Drupal Shoutbox Cross-site scripting (XSS) vulnerability in the Shoutbox module for Drupal 5.x before Shoutbox 5.x-1.1 allows remote authenticated users to inject arbitrary web script or HTML via Shoutbox block messages. | 4.3 |
| 2007-10-19 | CVE-2007-5597 | Permissions, Privileges, and Access Controls vulnerability in Drupal The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions. | 4.3 |