Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.
Max CVSS
6.8
EPSS Score
0.45%
Published
2013-12-07
Updated
2014-01-14
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.
Max CVSS
6.0
EPSS Score
1.23%
Published
2013-01-03
Updated
2017-08-29
Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors.
Max CVSS
6.8
EPSS Score
0.09%
Published
2013-10-28
Updated
2014-03-08
Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
Max CVSS
6.8
EPSS Score
0.39%
Published
2013-10-28
Updated
2014-03-08
4 vulnerabilities found