Vulnerabilities > Fedoraproject > Fedora > Medium

DATE CVE VULNERABILITY TITLE RISK
2008-08-27 CVE-2008-3281 XML Entity Expansion vulnerability in multiple products
libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.
6.5
2008-07-27 CVE-2008-2951 Open Redirect vulnerability in multiple products
Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter, possibly related to the quickjump function.
network
low complexity
edgewall fedoraproject CWE-601
6.1
2008-07-18 CVE-2008-3222 Session Fixation vulnerability in multiple products
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
5.8
2008-07-18 CVE-2008-3221 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.
4.3
2008-07-18 CVE-2008-3220 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."
4.3
2008-07-18 CVE-2008-3219 Cross-Site Scripting vulnerability in multiple products
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.
4.3
2008-07-18 CVE-2008-3218 Cross-Site Scripting vulnerability in multiple products
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.
4.3
2008-05-02 CVE-2008-1375 Race Condition vulnerability in multiple products
Race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors.
6.9
2008-03-31 CVE-2008-1567 Cleartext Storage of Sensitive Information vulnerability in multiple products
phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) password, and the (3) Blowfish secret key, in cleartext in a Session file under /tmp, which allows local users to obtain sensitive information.
5.5
2007-10-19 CVE-2007-5594 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack.
4.3