| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2013-0316 |
399 |
|
DoS |
2013-03-27 |
2013-03-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests. |
|
2 |
CVE-2012-5653 |
20 |
|
Exec Code Bypass |
2013-01-02 |
2013-01-07 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name. |
|
3 |
CVE-2012-5652 |
200 |
|
+Info |
2013-01-02 |
2013-01-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result. |
|
4 |
CVE-2012-5651 |
264 |
|
+Info |
2013-01-02 |
2013-01-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results. |
|
5 |
CVE-2012-4554 |
264 |
|
|
2012-11-11 |
2012-11-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file. |
|
6 |
CVE-2012-4553 |
264 |
|
Exec Code +Info |
2012-11-11 |
2012-11-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Drupal 7.x before 7.16 allows remote attackers to obtain sensitive information and possibly re-install Drupal and execute arbitrary PHP code via an external database server, related to "transient conditions." |
|
7 |
CVE-2012-2922 |
200 |
|
+Info |
2012-05-21 |
2012-09-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. |
|
8 |
CVE-2012-2339 |
79 |
|
XSS |
2012-05-21 |
2012-08-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Glossary module 6.x-1.x before 6.x-1.8 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "taxonomy information." |
|
9 |
CVE-2012-2306 |
89 |
|
Exec Code Sql |
2012-07-25 |
2012-09-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
10 |
CVE-2012-2298 |
79 |
|
XSS |
2012-08-14 |
2012-12-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the RealName module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) "user names in page titles" and (2) "autocomplete callbacks." |
|
11 |
CVE-2012-2153 |
264 |
|
|
2012-09-30 |
2012-11-26 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which allows remote authenticated users with the "Access the content overview page" permission to read all published nodes by accessing the admin/content page. |
|
12 |
CVE-2012-1646 |
79 |
|
XSS |
2012-09-25 |
2012-09-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the FAQ module 6.x-1.x before 6.x-1.13 and 7.x-1.x-rc1 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via the (1) title parameter in faq.admin.inc or (2) detailed_question parameter in faq.module. |
|
13 |
CVE-2012-1591 |
264 |
|
|
2012-09-30 |
2012-11-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles. |
|
14 |
CVE-2012-1590 |
264 |
|
+Info |
2012-09-30 |
2012-11-26 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The forum list in Drupal 7.x before 7.14 does not properly check user permissions for unpublished forum posts, which allows remote authenticated users to obtain sensitive information such as the post title via the forum overview page. |
|
15 |
CVE-2012-1589 |
20 |
|
|
2012-05-18 |
2012-11-26 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL. |
|
16 |
CVE-2012-1588 |
399 |
|
DoS |
2012-09-30 |
2012-11-26 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
None |
Partial |
|
Algorithmic complexity vulnerability in the _filter_url function in the text filtering system (modules/filter/filter.module) in Drupal 7.x before 7.14 allows remote authenticated users with certain roles to cause a denial of service (CPU consumption) via a long email address. |
|
17 |
CVE-2011-4560 |
79 |
|
XSS |
2011-11-28 |
2012-01-03 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Petition Node module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to signing a petition. |
|
18 |
CVE-2011-3730 |
200 |
|
+Info |
2011-09-23 |
2012-03-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and certain other files. |
|
19 |
CVE-2011-2687 |
264 |
|
Bypass |
2011-07-26 |
2011-07-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table. |
|
20 |
CVE-2010-3686 |
287 |
|
Bypass |
2010-09-29 |
2010-09-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. |
|
21 |
CVE-2010-3685 |
287 |
|
Bypass |
2010-09-29 |
2010-09-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. |
|
22 |
CVE-2010-3094 |
79 |
|
XSS |
2010-09-21 |
2010-09-22 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module. |
|
23 |
CVE-2010-3093 |
264 |
|
Bypass |
2010-09-21 |
2010-09-22 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue. |
|
24 |
CVE-2010-3092 |
264 |
|
Bypass |
2010-09-21 |
2010-09-22 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name. |
|
25 |
CVE-2010-3091 |
287 |
|
Bypass |
2010-09-29 |
2010-09-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. |
|
26 |
CVE-2010-3022 |
79 |
|
XSS |
2010-08-16 |
2010-08-17 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Performance logging module in the Devel module 5.x before 5.x-1.3 and 6.x before 6.x-1.21 for Drupal allows remote authenticated users, with add url aliases and report access permissions, to inject arbitrary web script or HTML via crafted node paths in a URL. |
|
27 |
CVE-2009-4602 |
79 |
|
XSS |
2010-01-12 |
2010-01-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
28 |
CVE-2009-4371 |
79 |
|
XSS |
2009-12-21 |
2009-12-22 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form. |
|
29 |
CVE-2009-4370 |
79 |
|
XSS |
2009-12-21 |
2009-12-22 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview. |
|
30 |
CVE-2009-4369 |
79 |
|
XSS |
2009-12-21 |
2012-01-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name. |
|
31 |
CVE-2009-4066 |
352 |
|
CSRF |
2009-11-23 |
2009-11-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the "My Account" feature in PHPList Integration module 5 before 5.x-1.2 and 6 before 6.x-1.1 for Drupal allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) subscribing or (2) unsubscribing to mailing lists. |
|
32 |
CVE-2009-3479 |
79 |
|
XSS |
2009-09-30 |
2009-10-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x before 5.x-1.17 and 6.x before 6.x-1.6, a module for Drupal, allows remote attackers, with "create content displayed by the Bibliography module" permissions, to inject arbitrary web script or HTML via a title. |
|
33 |
CVE-2009-3156 |
79 |
|
XSS |
2009-09-10 |
2009-09-24 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Date Tools sub-module in the Date module 6.x before 6.x-2.3 for Drupal allows remote authenticated users, with "use date tools" or "administer content types" privileges, to inject arbitrary web script or HTML via a "Content type label" field. |
|
34 |
CVE-2009-2374 |
255 |
|
|
2009-07-08 |
2009-07-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache. |
|
35 |
CVE-2009-2373 |
79 |
|
XSS |
2009-07-08 |
2009-07-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
36 |
CVE-2009-2372 |
94 |
|
|
2009-07-08 |
2009-07-08 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature. |
|
37 |
CVE-2009-2079 |
79 |
|
XSS |
2009-06-16 |
2009-06-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the administrative page interface in Taxonomy manager 5.x before 5.x-1.2 and 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to use free tagging to add taxonomy terms, to inject arbitrary web script or HTML via (1) vocabulary names, (2) synonyms, and (3) term names. |
|
38 |
CVE-2009-2076 |
79 |
|
XSS |
2009-06-16 |
2009-06-29 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Views 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via (1) exposed filters in the Views UI administrative interface and in the (2) view name parameter in the define custom views feature. NOTE: vector 2 is only exploitable by users with administer views permissions. |
|
39 |
CVE-2009-2074 |
79 |
|
XSS |
2009-06-16 |
2009-06-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drupal, allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via vocabulary names. |
|
40 |
CVE-2009-2035 |
|
|
|
2009-06-12 |
2009-06-15 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
Unspecified vulnerability in Services 6.x before 6.x-0.14, a module for Drupal, when key-based access is enabled, allows remote attackers to read or add keys and access unauthorized services via unspecified vectors. |
|
41 |
CVE-2009-1942 |
79 |
|
XSS |
2009-06-05 |
2009-06-08 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Quiz module 5.x, 6.x-2.x before 6.x-2.2, and 6.x-3.x before 6.x-3.0, a module for Drupal, allows remote authenticated users, with create quizzes or quiz questions access, to inject arbitrary web script or HTML via unspecified vectors. |
|
42 |
CVE-2009-1844 |
79 |
|
XSS |
2009-06-01 |
2009-06-08 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575. |
|
43 |
CVE-2009-1823 |
79 |
|
XSS |
2009-05-29 |
2009-06-01 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.7 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML by modifying a document head, before the Content-Type META element, to contain crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, a related issue to CVE-2009-1575. |
|
44 |
CVE-2009-1576 |
|
|
+Info CSRF |
2009-05-06 |
2009-05-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks. |
|
45 |
CVE-2009-1575 |
79 |
|
XSS |
2009-05-06 |
2009-05-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7. |
|
46 |
CVE-2009-1507 |
264 |
|
Bypass |
2009-05-01 |
2009-05-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x before 6.x-2.0-beta6, a module for Drupal, interprets an empty CCK user reference as a reference to the anonymous user, which might allow remote attackers to bypass intended access restrictions to read or modify a node. |
|
47 |
CVE-2009-1505 |
89 |
|
Exec Code Sql |
2009-05-01 |
2010-03-31 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the News Page module 5.x before 5.x-1.2 for Drupal allows remote authenticated users, with News Page nodes create and edit privileges, to execute arbitrary SQL commands via the Include Words (aka keywords) field. |
|
48 |
CVE-2009-1344 |
79 |
|
XSS |
2009-04-20 |
2009-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Localization client module 5.x before 5.x-1.2 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the translation functionality. |
|
49 |
CVE-2009-1343 |
79 |
|
XSS |
2009-04-20 |
2009-04-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.5 and 6.x before 6.x-1.5, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via content titles. |
|
50 |
CVE-2009-1342 |
79 |
|
XSS |
2009-04-20 |
2009-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the CCK comment reference module 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via certain comment titles associated with a node edit form. |
