CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Drupal : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2002-1806 XSS 2002-12-31 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag.
2 CVE-2005-0682 XSS 2005-05-02 2008-09-05
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in common.inc in Drupal before 4.5.2 allows remote attackers to inject arbitrary web script or HTML via certain inputs.
3 CVE-2005-1871 +Priv 2005-06-09 2016-10-18
7.5
None Remote Low Not required Partial Partial Partial
Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote attackers to gain privileges, due to an "input check" that "is not implemented properly."
4 CVE-2005-2106 Exec Code 2005-07-05 2016-10-18
5.0
None Remote Low Not required None Partial None
Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.
5 CVE-2005-3973 XSS 2005-12-03 2018-10-19
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allow remote attackers to inject arbitrary web script or HTML via various HTML tags and values, such as the (1) legend tag and the value parameter used in (2) label and (3) input tags, possibly due to an incomplete blacklist.
6 CVE-2005-3974 Bypass 2005-12-03 2018-10-19
6.4
None Remote Low Not required Partial Partial None
Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PHP5, does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission.
7 CVE-2005-3975 2005-12-03 2018-10-19
4.0
None Remote Low ??? None Partial None
Interpretation conflict in file.inc in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer as a result of CVE-2005-3312. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer and the proper fix should be in that browser; if so, then this should not be treated as a vulnerability in Drupal.
8 CVE-2006-0070 XSS 2006-01-04 2018-10-19
4.3
None Remote Medium Not required None Partial None
** DISPUTED ** Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE.
9 CVE-2006-1225 2006-03-14 2018-10-18
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject headers of outgoing e-mail messages and use Drupal as a spam proxy.
10 CVE-2006-1226 XSS 2006-03-14 2018-10-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.
11 CVE-2006-1227 2006-03-14 2018-10-18
4.6
None Local Low Not required Partial Partial Partial
Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access control for the page that is referenced, which might allow remote attackers to access administrator pages.
12 CVE-2006-1228 287 +Priv 2006-03-14 2018-10-18
5.1
None Remote High Not required Partial Partial Partial
Session fixation vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to gain privileges by tricking a user to click on a URL that fixes the session identifier.
13 CVE-2006-2260 XSS 2006-05-09 2017-07-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the project module (project.module) in Drupal 4.5 and 4.6 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.
14 CVE-2006-2742 Exec Code Sql 2006-06-01 2018-10-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Drupal 4.6.x before 4.6.7 and 4.7.0 allows remote attackers to execute arbitrary SQL commands via the (1) count and (2) from variables to (a) database.mysql.inc, (b) database.pgsql.inc, and (c) database.mysqli.inc.
15 CVE-2006-2743 2006-06-01 2018-10-18
5.1
None Remote High Not required Partial Partial Partial
Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_mime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory.
16 CVE-2006-2831 Exec Code 2006-06-06 2018-10-18
7.5
None Remote Low Not required Partial Partial Partial
Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides are disabled within .htaccess, allows remote attackers to execute arbitrary code by uploading a file with multiple extensions, a variant of CVE-2006-2743.
17 CVE-2006-2832 XSS 2006-06-06 2018-10-18
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the upload module (upload.module) in Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via the uploaded filename.
18 CVE-2006-2833 XSS 2006-06-06 2018-10-18
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the taxonomy module in Drupal 4.6.8 and 4.7.2 allows remote attackers to inject arbitrary web script or HTML via inputs that are not properly validated when the page title is output, possibly involving the $names variable.
19 CVE-2006-3473 2006-07-10 2017-07-20
7.5
None Remote Low Not required Partial Partial Partial
CRLF injection vulnerability in form_mail Drupal Module before 1.8.2.2 allows remote attackers to inject e-mail headers, which facilitates sending spam messages, a different issue than CVE-2006-1225.
20 CVE-2006-3570 XSS 2006-07-13 2017-07-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the webform module in Drupal 4.6 before July 8, 2006 and 4.7 before July 8, 2006 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
21 CVE-2006-4002 XSS 2006-08-07 2017-07-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in user.module in Drupal 4.6 before 4.6.9, and 4.7 before 4.7.3, allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: portions of these details are obtained from third party information.
22 CVE-2006-4107 Exec Code Sql 2006-08-14 2017-07-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Job Search module (job.module) 4.6 before revision 1.3.2.1 in Drupal allows remote attackers to execute arbitrary SQL commands via a job or resume search.
23 CVE-2006-4108 Exec Code Sql 2006-08-14 2017-07-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Bibliography (biblio.module) 4.6 before revision 1.1.1.1.4.11 and 4.7 before revision 1.13.2.5 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
24 CVE-2006-4109 XSS 2006-08-14 2017-07-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Bibliography (biblio.module) 4.6 before revision 1.1.1.1.4.11 and 4.7 before revision 1.13.2.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
25 CVE-2006-4120 XSS 2006-08-14 2017-07-20
5.1
None Remote High Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the Recipe module (recipe.module) before 1.54 for Drupal 4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
26 CVE-2006-4355 XSS 2006-08-27 2017-07-20
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in Drupal Easylinks Module (easylinks.module) 4.7 before 1.5.2.1 2006/08/19 12:02:27 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
27 CVE-2006-4356 Exec Code Sql 2006-08-27 2017-07-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Drupal Easylinks Module (easylinks.module) 4.7 before 1.5.2.1 2006/08/19 12:02:27 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
28 CVE-2006-4360 XSS 2006-08-27 2017-07-20
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in E-commerce 4.7 for Drupal before file.module 1.37.2.4 (20060812) allows remote authenticated users with the "create products" permission to inject arbitrary web script or HTML via unspecified vectors.
29 CVE-2006-4646 XSS 2006-09-08 2017-07-20
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Pathauto module before pathauto_node.inc 1.17.2.1 and the Drupal 4.6 Pathauto module before pathauto_node.inc 1.14.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
30 CVE-2006-4717 Bypass 2006-09-12 2011-03-08
7.5
None Remote Low Not required Partial Partial Partial
The login redirection mechanism in the Drupal 4.7 Pubcookie module before 1.2.2.4 2006/09/06 and the Drupal 4.6 Pubcookie module before 1.6.2.1 2006/09/07 allows remote attackers to bypass authentication requirements and spoof identities of arbitrary users via unspecified vectors.
31 CVE-2006-4821 XSS 2006-09-15 2017-07-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Userreview module before 1.19 2006/09/12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
32 CVE-2006-4947 XSS 2006-09-23 2017-07-20
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the Drupal 4.7 Search Keywords module before 1.15 2006/09/15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "lack of validation on output."
33 CVE-2006-4949 XSS 2006-09-23 2017-07-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Drupal 4.6 Site Profile Directory (profile_pages.module) before 1.1.2.1 and the Drupal 4.7 Site Profile Directory (profile_pages.module) before 1.2.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "lack of validation on output," possibly in the name and title parameters.
34 CVE-2006-5475 XSS 2006-10-24 2018-10-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in the XML parser in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allow remote attackers to inject arbitrary web script or HTML via a crafted RSS feed.
35 CVE-2006-5476 CSRF 2006-10-24 2018-10-17
7.5
None Remote Low Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors.
36 CVE-2006-5477 +Info 2006-10-24 2018-10-17
2.6
None Remote High Not required Partial None None
Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows form submissions to be redirected, which allows remote attackers to obtain arbitrary form information via a crafted URL.
37 CVE-2006-5608 Exec Code Sql 2006-10-30 2017-07-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Extended Tracker (xtracker) 4.7 before 1.5.2.1 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "parameters from URLs."
38 CVE-2006-6386 XSS 2006-12-08 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the CVS management/tracker 4.7.x-1.0, 4.7.x-2.0, and 4.7.0 (before the 20060807 contribution release system) for Drupal allows remote attackers to inject arbitrary web script or HTML via the motivation field in the CVS application page, which is not passed through check_markup on display.
39 CVE-2006-6528 +Priv 2006-12-14 2011-03-08
7.5
None Remote Low Not required Partial Partial Partial
The Chatroom Module before 4.7.x.-1.0 for Drupal broadcasts Chatroom visitors' session IDs to all participants, which allows remote attackers to hijack sessions and gain privileges.
40 CVE-2006-6529 +Info 2006-12-14 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
The Chatroom Module before 4.7.x.-1.0 for Drupal displays private messages in a chatroom's last messages overview, which allows remote attackers to obtain sensitive information by reading the overview.
41 CVE-2006-6530 Exec Code Sql 2006-12-14 2017-07-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Help Tip module before 4.7.x-1.0 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
42 CVE-2006-6531 XSS 2006-12-14 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the Help Tip module before 4.7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML, and possibly obtain administrative access, via node titles.
43 CVE-2006-6646 XSS 2006-12-20 2011-03-08
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in Drupal (1) Project Issue Tracking 4.7.x-1.0 and 4.7.x-2.0, and (2) Project 4.6.x-1.0, 4.7.x-1.0, and 4.7.x-2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, which do not use the check_plain function.
44 CVE-2006-6647 XSS 2006-12-20 2011-03-08
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the MySite 4.7.x before 4.7.x-3.3 and 5.x before 5.x-1.3 module for Drupal allows remote attackers to inject arbitrary web script or HTML via the Title field when editing a page. NOTE: some details were obtained from third party information.
45 CVE-2006-7109 2007-03-05 2017-07-29
6.5
None Remote Low ??? Partial Partial Partial
Unrestricted file upload vulnerability in IMCE before 1.6, a Drupal module, allows remote authenticated users to upload arbitrary PHP code via a filename with a double extension such as .php.gif.
46 CVE-2006-7110 Dir. Trav. 2007-03-05 2017-07-29
5.5
None Remote Low ??? None Partial Partial
Directory traversal vulnerability in the delete function in IMCE before 1.6, a Drupal module, allows remote authenticated users to delete arbitrary files via ".." sequences.
47 CVE-2007-0124 DoS 2007-01-09 2018-10-16
3.5
None Remote Medium ??? None None Partial
Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist.
48 CVE-2007-0136 79 XSS 2007-01-09 2021-04-19
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information.
49 CVE-2007-0505 Exec Code 2007-01-26 2017-07-29
8.5
None Remote Medium ??? Complete Complete Complete
Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue.
50 CVE-2007-0506 Bypass +Info 2007-01-26 2017-07-29
6.0
None Remote Medium ??? Partial Partial Partial
The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests.
Total number of vulnerabilities : 331   Page : 1 (This Page)2 3 4 5 6 7
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.