cpe:2.3:a:drupal:drupal:5.1:*:*:*:*:*:*:*
The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules.
Max CVSS
7.5
EPSS Score
0.54%
Published
2008-10-29
Updated
2017-08-08
The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values.
Max CVSS
6.0
EPSS Score
0.22%
Published
2008-10-29
Updated
2018-11-02
The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors.
Max CVSS
6.0
EPSS Score
0.22%
Published
2008-10-29
Updated
2018-11-02
The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors.
Max CVSS
6.0
EPSS Score
0.28%
Published
2008-10-29
Updated
2017-08-08
The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error."
Max CVSS
6.0
EPSS Score
0.17%
Published
2008-10-29
Updated
2017-08-08
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.
Max CVSS
5.8
EPSS Score
0.35%
Published
2008-08-27
Updated
2017-08-08
Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.
Max CVSS
6.5
EPSS Score
1.44%
Published
2008-08-27
Updated
2017-08-08
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.
Max CVSS
3.5
EPSS Score
0.11%
Published
2008-08-27
Updated
2017-08-08
Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.31%
Published
2008-08-27
Updated
2017-08-08
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
Max CVSS
5.8
EPSS Score
0.45%
Published
2008-07-18
Updated
2021-04-15
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."
Max CVSS
4.3
EPSS Score
0.26%
Published
2008-07-18
Updated
2021-04-15
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.
Max CVSS
4.3
EPSS Score
0.26%
Published
2008-07-18
Updated
2021-04-15
Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
Max CVSS
7.5
EPSS Score
0.14%
Published
2008-07-03
Updated
2017-08-08
Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table.
Max CVSS
4.3
EPSS Score
0.13%
Published
2008-01-15
Updated
2017-08-08
Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism.
Max CVSS
4.3
EPSS Score
0.42%
Published
2008-01-15
Updated
2017-08-08
Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users.
Max CVSS
4.3
EPSS Score
0.25%
Published
2008-01-15
Updated
2017-08-08
16 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!