Vulnerabilities > Medium

DATE CVE VULNERABILITY TITLE RISK
2016-04-12 CVE-2016-3170 Information Exposure vulnerability in multiple products
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.
network
low complexity
debian drupal CWE-200
5.0
2016-04-12 CVE-2016-3169 Permissions, Privileges, and Access Controls vulnerability in multiple products
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
6.8
2016-04-12 CVE-2016-3167 Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.
network
low complexity
php drupal debian
6.4
2016-04-12 CVE-2016-3166 CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.
network
debian drupal
4.3
2016-04-12 CVE-2016-3165 Improper Access Control vulnerability in Drupal
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
network
low complexity
drupal CWE-284
5.0
2016-04-12 CVE-2016-3164 Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.
network
drupal debian
5.8
2016-04-12 CVE-2016-3163 7PK - Security Features vulnerability in multiple products
The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
network
low complexity
debian drupal CWE-254
5.0
2016-04-12 CVE-2016-3162 Improper Access Control vulnerability in multiple products
The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
network
low complexity
drupal debian CWE-284
6.5
2016-04-12 CVE-2016-2166 Information Exposure vulnerability in multiple products
The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
network
high complexity
apache fedoraproject CWE-200
6.5
2016-04-12 CVE-2016-2140 Information Exposure vulnerability in Openstack Nova
The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) and 12.0.x before 12.0.3 (liberty), when using raw storage and use_cow_images is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk.
network
high complexity
openstack CWE-200
5.3