CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Drupal » Drupal : Security Vulnerabilities Published In 2008

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2008-4793 264 Bypass 2008-10-29 2009-08-19
7.5
User Remote Low Not required Partial Partial Partial
The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules.
2 CVE-2008-4792 264 Bypass 2008-10-29 2009-01-28
6.0
User Remote Medium Single system Partial Partial Partial
The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values.
3 CVE-2008-4791 264 Bypass 2008-10-29 2009-02-05
6.0
User Remote Medium Single system Partial Partial Partial
The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors.
4 CVE-2008-4790 264 Bypass 2008-10-29 2009-02-05
6.0
User Remote Medium Single system Partial Partial Partial
The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors.
5 CVE-2008-4789 264 Bypass 2008-10-29 2009-02-05
6.0
User Remote Medium Single system Partial Partial Partial
The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error."
6 CVE-2008-3745 264 2008-08-27 2009-03-18
5.5
None Remote Low Single system None Partial Partial
The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors.
7 CVE-2008-3744 352 CSRF 2008-08-27 2009-04-02
5.8
None Remote Medium Not required None Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.
8 CVE-2008-3743 352 CSRF 2008-08-27 2009-03-18
5.8
None Remote Medium Not required None Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements.
9 CVE-2008-3742 264 Exec Code 2008-08-27 2009-03-18
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.
10 CVE-2008-3741 79 XSS 2008-08-27 2009-03-18
3.5
None Remote Medium Single system None Partial None
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.
11 CVE-2008-3740 79 XSS 2008-08-27 2009-03-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
12 CVE-2008-3661 310 2008-09-23 2009-02-05
5.0
None Remote Low Not required Partial None None
Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
13 CVE-2008-3223 89 Exec Code Sql 2008-07-18 2009-08-19
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields."
14 CVE-2008-3222 287 2008-07-18 2009-08-19
6.8
User Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
15 CVE-2008-3221 352 CSRF 2008-07-18 2009-08-19
4.3
None Remote Medium Not required None Partial None
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.
16 CVE-2008-3220 352 CSRF 2008-07-18 2009-08-19
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."
17 CVE-2008-3219 79 XSS 2008-07-18 2009-08-19
5.0
None Remote Low Not required None Partial None
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.
18 CVE-2008-3218 79 XSS 2008-07-18 2009-08-19
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.
19 CVE-2008-3094 200 +Info 2008-07-09 2009-05-14
4.3
None Remote Medium Not required Partial None None
The Organic Groups (OG) module 5.x before 5.x-7.3 and 6.x before 6.x-1.0-RC1, a module for Drupal, allows remote attackers to obtain sensitive information (private group names) via unspecified vectors.
20 CVE-2008-2999 89 Exec Code Sql 2008-07-03 2009-09-09
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
21 CVE-2008-2771 264 Bypass 2008-06-18 2008-09-05
5.0
None Remote Low Not required None Partial None
The Node Hierarchy module 5.x before 5.x-1.1 and 6.x before 6.x-1.0 for Drupal does not properly implement access checks, which allows remote attackers with "access content" permissions to bypass restrictions and modify the node hierarchy via unspecified attack vectors.
22 CVE-2008-2271 264 +Priv 2008-05-16 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
The Site Documentation Drupal module 5.x before 5.x-1.8 and 6.x before 6.x-1.1 allows remote authenticated users to gain privileges of other users by leveraging the "access content" permission to list tables and obtain session IDs from the database.
23 CVE-2008-1729 +Info 2008-04-11 2008-09-05
5.8
None Remote Medium Not required Partial Partial None
The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the "access content" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types.
24 CVE-2008-1133 79 XSS 2008-03-04 2008-09-05
4.3
None Remote Medium Not required None Partial None
The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks.
25 CVE-2008-1131 79 XSS 2008-03-03 2008-09-05
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote authenticated users to inject arbitrary web script or HTML via titles in content edit forms.
26 CVE-2008-0462 79 XSS 2008-01-25 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
27 CVE-2008-0276 79 XSS 2008-01-15 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table.
28 CVE-2008-0274 79 XSS 2008-01-15 2009-09-15
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files.
29 CVE-2008-0273 79 XSS 2008-01-15 2009-09-15
4.3
None Remote Medium Not required None Partial None
Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism.
30 CVE-2008-0272 352 CSRF 2008-01-15 2009-09-15
4.3
None Remote Medium Not required None Partial None
Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users.
Total number of vulnerabilities : 30   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.