6.0 : Security Vulnerabilities

Cpe Name:cpe:/a:drupal:drupal:6.0

CVSS Scores Greater Than: 0 1 2 3 4 5 6 7 8 9

Sort Results By : Cve Number Descending Cve Number Ascending CVSS Score Descending Number Of Exploits Descending

Copy Results Download Results Select Table

#	CVE ID	CWE ID	# of Exploits	Vulnerability Type(s)	Publish Date	Update Date	Score	Gained Access Level	Access	Complexity	Authentication	Conf.	Integ.	Avail.
1	CVE-2012-5653	20		Exec Code Bypass	2013-01-02	2013-01-07	6.0	None	Remote	Medium	Single system	Partial	Partial	Partial
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.
2	CVE-2012-5652	200		+Info	2013-01-02	2013-01-03	5.0	None	Remote	Low	Not required	Partial	None	None
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.
3	CVE-2012-5651	264		+Info	2013-01-02	2013-01-03	5.0	None	Remote	Low	Not required	Partial	None	None
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.
4	CVE-2012-2922	200		+Info	2012-05-21	2012-09-04	5.0	None	Remote	Low	Not required	Partial	None	None
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.
5	CVE-2010-3686	287		Bypass	2010-09-29	2010-09-30	5.0	None	Remote	Low	Not required	None	Partial	None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
6	CVE-2010-3685	287		Bypass	2010-09-29	2010-09-30	5.0	None	Remote	Low	Not required	None	Partial	None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
7	CVE-2010-3094	79		XSS	2010-09-21	2010-09-22	2.1	None	Remote	High	Single system	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.
8	CVE-2010-3093	264		Bypass	2010-09-21	2010-09-22	3.5	None	Remote	Medium	Single system	None	Partial	None
The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue.
9	CVE-2010-3092	264		Bypass	2010-09-21	2010-09-22	5.5	None	Remote	Low	Single system	Partial	Partial	None
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name.
10	CVE-2010-3091	287		Bypass	2010-09-29	2010-09-30	5.0	None	Remote	Low	Not required	None	Partial	None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
11	CVE-2009-4370	79		XSS	2009-12-21	2009-12-22	3.5	None	Remote	Medium	Single system	None	Partial	None
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview.
12	CVE-2009-4369	79		XSS	2009-12-21	2012-01-05	3.5	None	Remote	Medium	Single system	None	Partial	None
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name.
13	CVE-2009-2374	255			2009-07-08	2009-07-08	5.0	None	Remote	Low	Not required	Partial	None	None
Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache.
14	CVE-2009-2373	79		XSS	2009-07-08	2009-07-08	4.3	None	Remote	Medium	Not required	None	Partial	None
Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
15	CVE-2009-1844	79		XSS	2009-06-01	2009-06-08	3.5	None	Remote	Medium	Single system	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575.
16	CVE-2009-1575	79		XSS	2009-05-06	2009-05-20	4.3	None	Remote	Medium	Not required	None	Partial	None
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7.
17	CVE-2008-6533	79		XSS	2009-03-26	2009-04-25	4.3	None	Remote	Medium	Not required	None	Partial	None
Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
18	CVE-2008-6532	352		CSRF	2009-03-26	2009-04-25	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database.
19	CVE-2008-6171	20			2009-02-19	2009-05-14	9.3	Admin	Remote	Medium	Not required	Complete	Complete	Complete
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header.
20	CVE-2008-6170	79		XSS	2009-02-19	2009-05-14	3.5	None	Remote	Medium	Single system	None	Partial	None
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title.
21	CVE-2008-4792	264		Bypass	2008-10-29	2009-01-28	6.0	User	Remote	Medium	Single system	Partial	Partial	Partial
The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values.
22	CVE-2008-4791	264		Bypass	2008-10-29	2009-02-05	6.0	User	Remote	Medium	Single system	Partial	Partial	Partial
The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors.
23	CVE-2008-4789	264		Bypass	2008-10-29	2009-02-05	6.0	User	Remote	Medium	Single system	Partial	Partial	Partial
The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error."
24	CVE-2008-3745	264			2008-08-27	2009-03-18	5.5	None	Remote	Low	Single system	None	Partial	Partial
The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors.
25	CVE-2008-3744	352		CSRF	2008-08-27	2009-04-02	5.8	None	Remote	Medium	Not required	None	Partial	Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.
26	CVE-2008-3743	352		CSRF	2008-08-27	2009-03-18	5.8	None	Remote	Medium	Not required	None	Partial	Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements.
27	CVE-2008-3742	264		Exec Code	2008-08-27	2009-03-18	6.5	None	Remote	Low	Single system	Partial	Partial	Partial
Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.
28	CVE-2008-3741	79		XSS	2008-08-27	2009-03-18	3.5	None	Remote	Medium	Single system	None	Partial	None
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.
29	CVE-2008-3740	79		XSS	2008-08-27	2009-03-18	4.3	None	Remote	Medium	Not required	None	Partial	None
Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
30	CVE-2008-3222	287			2008-07-18	2009-08-19	6.8	User	Remote	Medium	Not required	Partial	Partial	Partial
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
31	CVE-2008-3218	79		XSS	2008-07-18	2009-08-19	4.3	None	Remote	Medium	Not required	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.
32	CVE-2008-2771	264		Bypass	2008-06-18	2008-09-05	5.0	None	Remote	Low	Not required	None	Partial	None
The Node Hierarchy module 5.x before 5.x-1.1 and 6.x before 6.x-1.0 for Drupal does not properly implement access checks, which allows remote attackers with "access content" permissions to bypass restrictions and modify the node hierarchy via unspecified attack vectors.
33	CVE-2008-1729			+Info	2008-04-11	2008-09-05	5.8	None	Remote	Medium	Not required	Partial	Partial	None
The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the "access content" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types.
34	CVE-2008-1133	79		XSS	2008-03-04	2008-09-05	4.3	None	Remote	Medium	Not required	None	Partial	None
The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks.
35	CVE-2008-1131	79		XSS	2008-03-03	2008-09-05	3.5	None	Remote	Medium	Single system	None	Partial	None
Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote authenticated users to inject arbitrary web script or HTML via titles in content edit forms.
36	CVE-2007-6752	352	2	CSRF	2012-03-28	2012-03-28	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
DISPUTED Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off."

Total number of vulnerabilities : 36 Page : 1 (This Page)