|
|
Drupal : Security Vulnerabilities (Gain Privilege)
| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2016-6211 |
264 |
|
+Priv |
2016-09-09 |
2016-11-28 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form. |
|
2 |
CVE-2016-3169 |
264 |
|
+Priv |
2016-04-12 |
2016-04-12 |
6.8 |
User |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array. |
|
3 |
CVE-2008-6136 |
264 |
|
+Priv |
2009-02-13 |
2017-08-16 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Unspecified vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to gain privileges as another user or an administrator via unknown attack vectors. |
|
4 |
CVE-2008-4597 |
264 |
|
+Priv |
2008-10-17 |
2017-08-07 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Shindig-Integrator 5.x, a module for Drupal, does not properly restrict generated page access, which allows remote attackers to gain privileges via unspecified vectors. |
|
5 |
CVE-2008-3096 |
264 |
|
+Priv |
2008-07-09 |
2017-08-07 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The Outline Designer module 5.x before 5.x-1.4 for Drupal changes each content reader's authentication level to match that of the content author, which might allow remote attackers to gain privileges. |
|
6 |
CVE-2008-2271 |
264 |
|
+Priv |
2008-05-16 |
2017-08-07 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Site Documentation Drupal module 5.x before 5.x-1.8 and 6.x before 6.x-1.1 allows remote authenticated users to gain privileges of other users by leveraging the "access content" permission to list tables and obtain session IDs from the database. |
|
7 |
CVE-2008-0568 |
|
|
+Priv |
2008-02-04 |
2008-11-22 |
10.0 |
Admin |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in the IP-authentication feature in the Secure Site 5.x-1.0 and 4.7.x-1.0 module for Drupal allows remote attackers to gain the privileges of a user who has authenticated from behind the same proxy server as the attacker. |
|
8 |
CVE-2007-3818 |
|
|
+Priv XSS |
2007-07-16 |
2012-10-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the LoginToboggan module 5.x-1.x-dev before 20070712 for Drupal allows remote authenticated users with "administer blocks" permission to inject arbitrary JavaScript and gain privileges via "the message displayed above the default user login block." |
|
9 |
CVE-2006-6528 |
|
|
+Priv |
2006-12-13 |
2008-09-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Chatroom Module before 4.7.x.-1.0 for Drupal broadcasts Chatroom visitors' session IDs to all participants, which allows remote attackers to hijack sessions and gain privileges. |
|
10 |
CVE-2006-1228 |
287 |
|
+Priv |
2006-03-14 |
2018-10-18 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Session fixation vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to gain privileges by tricking a user to click on a URL that fixes the session identifier. |
|
11 |
CVE-2005-1871 |
|
|
+Priv |
2005-06-09 |
2016-10-17 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote attackers to gain privileges, due to an "input check" that "is not implemented properly." |
Total number of vulnerabilities : 11
Page :
1
(This Page)
|
|
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is
MITRE's CVE web site.
CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is
MITRE's CWE web site.
OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is
MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk.
It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content.
EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site.
ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT,
INDIRECT or any other kind of loss.
