CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Drupal : Security Vulnerabilities Published In 2008

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2008-4793 264 Bypass 2008-10-29 2009-08-19
7.5
User Remote Low Not required Partial Partial Partial
The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules.
2 CVE-2008-4792 264 Bypass 2008-10-29 2009-01-28
6.0
User Remote Medium Single system Partial Partial Partial
The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values.
3 CVE-2008-4791 264 Bypass 2008-10-29 2009-02-05
6.0
User Remote Medium Single system Partial Partial Partial
The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors.
4 CVE-2008-4790 264 Bypass 2008-10-29 2009-02-05
6.0
User Remote Medium Single system Partial Partial Partial
The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors.
5 CVE-2008-4789 264 Bypass 2008-10-29 2009-02-05
6.0
User Remote Medium Single system Partial Partial Partial
The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error."
6 CVE-2008-4710 79 XSS 2008-10-23 2008-10-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the stock quotes page in Stock 6.x before 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
7 CVE-2008-4633 89 Exec Code Sql 2008-10-20 2008-10-21
6.0
User Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in Node Vote 5.x before 5.x-1.1 and 6.x before 6.x-1.0, a module for Drupal, when "Allow user to vote again" is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to a "previously cast vote."
8 CVE-2008-4598 XSS 2008-10-17 2009-07-22
7.5
User Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Shindig-Integrator 5.x, a module for Drupal, has unspecified impact and remote attack vectors related to "numerous flaws" that are not related to XSS or access control, a different vulnerability than CVE-2008-4596 and CVE-2008-4597.
9 CVE-2008-4597 264 +Priv 2008-10-17 2009-07-22
7.5
User Remote Low Not required Partial Partial Partial
Shindig-Integrator 5.x, a module for Drupal, does not properly restrict generated page access, which allows remote attackers to gain privileges via unspecified vectors.
10 CVE-2008-4596 79 XSS 2008-10-17 2008-10-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Shindig-Integrator 5.x, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in generated pages.
11 CVE-2008-4531 89 Exec Code Sql 2008-10-09 2008-10-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to queries. NOTE: this might be the same issue as CVE-2008-4338.
12 CVE-2008-4530 79 XSS 2008-10-09 2009-07-23
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote authenticated users with permissions to inject arbitrary web script or HTML via unspecified vectors related to posting of answers.
13 CVE-2008-4153 264 +Info 2008-09-24 2009-03-17
5.0
None Remote Low Not required Partial None None
The Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, does not perform access checks for a node before displaying comments, which allows remote attackers to obtain sensitive information.
14 CVE-2008-4152 79 XSS 2008-09-24 2009-03-17
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via a node title.
15 CVE-2008-4149 79 XSS 2008-09-24 2009-03-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.
16 CVE-2008-4148 89 Exec Code Sql 2008-09-24 2009-08-19
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API.
17 CVE-2008-4147 79 XSS 2008-09-24 2009-03-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type.
18 CVE-2008-3745 264 2008-08-27 2009-03-18
5.5
None Remote Low Single system None Partial Partial
The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors.
19 CVE-2008-3744 352 CSRF 2008-08-27 2009-04-02
5.8
None Remote Medium Not required None Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.
20 CVE-2008-3743 352 CSRF 2008-08-27 2009-03-18
5.8
None Remote Medium Not required None Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements.
21 CVE-2008-3742 264 Exec Code 2008-08-27 2009-03-18
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.
22 CVE-2008-3741 79 XSS 2008-08-27 2009-03-18
3.5
None Remote Medium Single system None Partial None
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.
23 CVE-2008-3740 79 XSS 2008-08-27 2009-03-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
24 CVE-2008-3661 310 2008-09-23 2009-02-05
5.0
None Remote Low Not required Partial None None
Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
25 CVE-2008-3500 79 XSS 2008-08-06 2009-04-14
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Suggested Terms module 5.x before 5.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via crafted Taxonomy terms.
26 CVE-2008-3223 89 Exec Code Sql 2008-07-18 2009-08-19
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields."
27 CVE-2008-3222 287 2008-07-18 2009-08-19
6.8
User Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
28 CVE-2008-3221 352 CSRF 2008-07-18 2009-08-19
4.3
None Remote Medium Not required None Partial None
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.
29 CVE-2008-3220 352 CSRF 2008-07-18 2009-08-19
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."
30 CVE-2008-3219 79 XSS 2008-07-18 2009-08-19
5.0
None Remote Low Not required None Partial None
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.
31 CVE-2008-3218 79 XSS 2008-07-18 2009-08-19
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.
32 CVE-2008-3097 79 XSS 2008-07-09 2008-09-05
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Tinytax module (aka Tinytax taxonomy block) 5.x before 5.x-1.10-1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML, probably by creating a crafted taxonomy term.
33 CVE-2008-3096 264 +Priv 2008-07-09 2008-09-05
6.5
None Remote Low Single system Partial Partial Partial
The Outline Designer module 5.x before 5.x-1.4 for Drupal changes each content reader's authentication level to match that of the content author, which might allow remote attackers to gain privileges.
34 CVE-2008-3095 79 XSS 2008-07-09 2008-09-05
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Organic Groups (OG) module 5.x before 5.x-7.3 and 6.x before 6.x-1.0-RC1, a module for Drupal, allows remote authenticated users, with group owner permissions, to inject arbitrary web script or HTML via unspecified vectors.
35 CVE-2008-3094 200 +Info 2008-07-09 2009-05-14
4.3
None Remote Medium Not required Partial None None
The Organic Groups (OG) module 5.x before 5.x-7.3 and 6.x before 6.x-1.0-RC1, a module for Drupal, allows remote attackers to obtain sensitive information (private group names) via unspecified vectors.
36 CVE-2008-3092 89 Exec Code Sql 2008-07-09 2008-09-05
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to execute arbitrary SQL commands via unspecified vectors.
37 CVE-2008-3091 79 XSS 2008-07-09 2008-09-05
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to inject arbitrary web script or HTML via unspecified vectors.
38 CVE-2008-3001 94 Exec Code 2008-07-03 2009-09-09
9.3
None Remote Medium Not required Complete Complete Complete
The Aggregation module 5.x before 5.x-4.4 for Drupal allows remote attackers to upload files with arbitrary extensions, and possibly execute arbitrary code, via a crafted feed that allows upload of files with arbitrary extensions.
39 CVE-2008-3000 264 Bypass 2008-07-03 2009-09-09
6.8
None Remote Medium Not required Partial Partial Partial
The Aggregation module 5.x before 5.x-4.4 for Drupal, when node access modules are used, does not properly implement access control, which allows remote attackers to bypass intended restrictions.
40 CVE-2008-2999 89 Exec Code Sql 2008-07-03 2009-09-09
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
41 CVE-2008-2998 79 XSS 2008-07-03 2009-09-09
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
42 CVE-2008-2850 89 Exec Code Sql 2008-06-25 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the TrailScout module 5.x before 5.x-1.4 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified cookies, related to improper use of the Drupal database API.
43 CVE-2008-2849 79 XSS 2008-06-25 2008-09-05
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the TrailScout module 5.x before 5.x-1.4 for Drupal allows remote authenticated users, with create post permissions, to inject arbitrary web script or HTML via unspecified vectors.
44 CVE-2008-2773 79 XSS 2008-06-18 2009-04-14
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Taxonomy Image module 5.x before 5.x-1.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
45 CVE-2008-2772 94 Exec Code 2008-06-18 2009-04-08
7.5
User Remote Low Not required Partial Partial Partial
The Magic Tabs module 5.x before 5.x-1.1 for Drupal allows remote attackers to execute arbitrary PHP code via unspecified URL arguments, possibly related to a missing "whitelist of callbacks."
46 CVE-2008-2771 264 Bypass 2008-06-18 2008-09-05
5.0
None Remote Low Not required None Partial None
The Node Hierarchy module 5.x before 5.x-1.1 and 6.x before 6.x-1.0 for Drupal does not properly implement access checks, which allows remote attackers with "access content" permissions to bypass restrictions and modify the node hierarchy via unspecified attack vectors.
47 CVE-2008-2271 264 +Priv 2008-05-16 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
The Site Documentation Drupal module 5.x before 5.x-1.8 and 6.x before 6.x-1.1 allows remote authenticated users to gain privileges of other users by leveraging the "access content" permission to list tables and obtain session IDs from the database.
48 CVE-2008-1981 352 CSRF 2008-04-27 2011-01-20
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in E-Publish 5.x before 5.x-1.1 and 6.x before 6.x-1.0 beta1, a Drupal module, allows remote attackers to perform unauthorized actions as other users via unspecified vectors.
49 CVE-2008-1980 79 XSS 2008-04-27 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in E-Publish 5.x before 5.x-1.1 and 6.x before 6.x-1.0 beta1, a Drupal module, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
50 CVE-2008-1978 79 XSS 2008-04-27 2008-09-05
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Ubercart 5.x before 5.x-1.0 rc3 module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via node titles related to unspecified product features, a different vector than CVE-2008-1428.
Total number of vulnerabilities : 75   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.