Vulnerabilities > Drupal > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2007-03-08 | CVE-2007-1360 | Unspecified vulnerability in Drupal Nodefamily 5.11.0 Unspecified vulnerability in the Nodefamily module for Drupal 5.x before 5.x-1.0 allows remote authenticated users to access and modify other users' profiles via unspecified URL parameters. network drupal | 6.0 |
| 2007-03-05 | CVE-2006-7110 | Unspecified vulnerability in Drupal Imce Module Directory traversal vulnerability in the delete function in IMCE before 1.6, a Drupal module, allows remote authenticated users to delete arbitrary files via ".." sequences. | 5.5 |
| 2007-03-05 | CVE-2006-7109 | File-Upload vulnerability in Imce Module Unrestricted file upload vulnerability in IMCE before 1.6, a Drupal module, allows remote authenticated users to upload arbitrary PHP code via a filename with a double extension such as .php.gif. | 6.5 |
| 2007-02-01 | CVE-2007-0658 | Unspecified vulnerability in Drupal and Textimage The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal and the (2) Captcha 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal allow remote attackers to bypass the CAPTCHA test via an empty captcha element in $_SESSION. | 5.0 |
| 2007-01-31 | CVE-2007-0626 | Unspecified vulnerability in Drupal 5.0 The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines." | 6.5 |
| 2007-01-26 | CVE-2007-0534 | Cross-Site Scripting vulnerability in Project Issue Tracking Module Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project issue tracking 4.7.0 through 5.x before 20070123 and (2) Project 4.6.0 through 5.x before 20070123 modules for Drupal allow remote authenticated users to inject arbitrary web script or HTML via (a) certain "fields on project nodes" or (b) "certain project-specific settings regarding issue tracking." network drupal | 4.3 |
| 2007-01-26 | CVE-2007-0507 | SQL Injection vulnerability in Drupal Acidfree 4.61.0/4.71.0 SQL injection vulnerability in the Acidfree module for Drupal before 4.6.x-1.0, and before 4.7.x-1.0 in the 4.7 series, allows remote authenticated users with "create acidfree albums" privileges to execute arbitrary SQL commands via node titles. network drupal | 6.0 |
| 2007-01-26 | CVE-2007-0506 | Multiple vulnerability in Drupal Project and Project Issues Tracking Modules The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests. network drupal | 6.0 |
| 2007-01-09 | CVE-2007-0136 | Cross-Site Scripting vulnerability in Drupal Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. | 4.3 |
| 2006-12-20 | CVE-2006-6647 | Cross-Site Scripting vulnerability in Drupal Mysite 4.7/5 Cross-site scripting (XSS) vulnerability in the MySite 4.7.x before 4.7.x-3.3 and 5.x before 5.x-1.3 module for Drupal allows remote attackers to inject arbitrary web script or HTML via the Title field when editing a page. network drupal | 6.8 |