CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Drupal : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
151 CVE-2011-2715 89 Sql 2020-01-14 2020-01-24
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
152 CVE-2011-2714 79 XSS 2020-01-14 2020-01-23
4.3
None Remote Medium Not required None Partial None
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.
153 CVE-2011-2687 264 Bypass 2011-07-27 2015-09-03
7.5
None Remote Low Not required Partial Partial Partial
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
154 CVE-2010-3686 287 Bypass 2010-09-29 2010-09-30
5.0
None Remote Low Not required None Partial None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
155 CVE-2010-3685 287 Bypass 2010-09-29 2010-09-30
5.0
None Remote Low Not required None Partial None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
156 CVE-2010-3094 79 XSS 2010-09-21 2010-09-22
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.
157 CVE-2010-3093 264 Bypass 2010-09-21 2010-09-22
3.5
None Remote Medium ??? None Partial None
The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue.
158 CVE-2010-3092 264 Bypass 2010-09-21 2010-09-22
5.5
None Remote Low ??? Partial Partial None
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name.
159 CVE-2010-3091 287 Bypass 2010-09-29 2010-09-30
5.0
None Remote Low Not required None Partial None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
160 CVE-2010-3022 79 XSS 2010-08-16 2017-08-17
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Performance logging module in the Devel module 5.x before 5.x-1.3 and 6.x before 6.x-1.21 for Drupal allows remote authenticated users, with add url aliases and report access permissions, to inject arbitrary web script or HTML via crafted node paths in a URL.
161 CVE-2010-2473 20 2019-11-07 2019-11-13
3.5
None Remote Medium ??? None Partial None
Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked.
162 CVE-2010-2472 79 XSS 2019-11-07 2019-11-13
3.5
None Remote Medium ??? None Partial None
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
163 CVE-2010-2471 601 2019-11-06 2021-04-28
5.8
None Remote Medium Not required Partial Partial None
Drupal versions 5.x and 6.x has open redirection
164 CVE-2010-2250 79 XSS 2019-11-07 2021-04-30
4.3
None Remote Medium Not required None Partial None
Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack.
165 CVE-2009-4371 79 XSS 2009-12-21 2017-08-17
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form.
166 CVE-2009-4370 79 XSS 2009-12-21 2017-08-17
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview.
167 CVE-2009-4369 79 XSS 2009-12-21 2017-08-17
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name.
168 CVE-2009-2374 255 2009-07-08 2021-04-21
4.3
None Remote Medium Not required Partial None None
Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache.
169 CVE-2009-2373 79 XSS 2009-07-08 2009-07-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
170 CVE-2009-2372 94 2009-07-08 2021-04-21
6.5
None Remote Low ??? Partial Partial Partial
Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.
171 CVE-2009-2035 2009-06-12 2009-06-15
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in Services 6.x before 6.x-0.14, a module for Drupal, when key-based access is enabled, allows remote attackers to read or add keys and access unauthorized services via unspecified vectors.
172 CVE-2009-1942 79 XSS 2009-06-05 2009-06-08
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Quiz module 5.x, 6.x-2.x before 6.x-2.2, and 6.x-3.x before 6.x-3.0, a module for Drupal, allows remote authenticated users, with create quizzes or quiz questions access, to inject arbitrary web script or HTML via unspecified vectors.
173 CVE-2009-1844 79 XSS 2009-06-01 2009-06-08
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the "HTML exports of books" feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary. NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575.
174 CVE-2009-1576 +Info CSRF 2009-05-06 2009-05-20
4.3
None Remote Medium Not required Partial None None
Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks.
175 CVE-2009-1575 79 XSS 2009-05-06 2017-08-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7.
176 CVE-2009-1034 89 Exec Code Sql 2009-03-20 2017-08-17
10.0
None Remote Low Not required Complete Complete Complete
SQL injection vulnerability in the Tasklist module 5.x-1.x before 5.x-1.3 and 5.x-2.x before 5.x-2.0-alpha1, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via values in the URI.
177 CVE-2009-0575 79 XSS 2009-02-13 2017-08-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the theme_views_bulk_operations_confirmation function in views_bulk_operations.module in Views Bulk Operations 5.x before 5.x-1.3 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to node titles. NOTE: some of these details are obtained from third party information.
178 CVE-2008-6533 79 XSS 2009-03-26 2017-08-17
4.3
None Remote Medium Not required None Partial None
Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
179 CVE-2008-6532 352 CSRF 2009-03-26 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database.
180 CVE-2008-6384 352 CSRF 2009-03-02 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Comment Mail 5.x before 5.x-1.1, a module for Drupal, allow remote attackers to hijack the authentication of administrators.
181 CVE-2008-6229 79 XSS 2009-02-20 2017-08-17
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the administrative interface in Drupal Content Construction Kit (CCK) 5.x before 5.x-1.10 and 6.x before 6.x-2.0, a module for Drupal, allows remote authenticated users with "administer content" permissions to inject arbitrary web script or HTML via (1) field labels and (2) content-type names.
182 CVE-2008-6171 16 2009-02-19 2017-08-17
9.3
None Remote Medium Not required Complete Complete Complete
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header.
183 CVE-2008-6170 79 XSS 2009-02-19 2017-08-17
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title.
184 CVE-2008-6169 352 CSRF 2009-02-19 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Localization client 5.x before 5.x-1.1 and 6.x before 6.x-1.6 and the Localization server 5.x before 5.x-1.0-alpha5 and 6.x before 6.x-alpha2, modules for Drupal, allows remote attackers to perform unauthorized actions as administrators via unspecified vectors related to the "local translation submission interface."
185 CVE-2008-6160 264 2009-02-18 2017-08-17
5.0
None Remote Low Not required Partial None None
Semantically-Interconnected Online Communities (SIOC) 5.x before 5.x-1.2 and 6.x before 6.x-1.1, a module for Drupal, does not properly implement menu and database APIs, which allows remote attackers to obtain usernames and read hashed emails and comments via unspecified vectors.
186 CVE-2008-6136 264 +Priv 2009-02-14 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to gain privileges as another user or an administrator via unknown attack vectors.
187 CVE-2008-4793 264 Bypass 2008-10-29 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules.
188 CVE-2008-4792 264 Bypass 2008-10-29 2018-11-02
6.0
None Remote Medium ??? Partial Partial Partial
The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values.
189 CVE-2008-4791 264 Bypass 2008-10-29 2018-11-02
6.0
None Remote Medium ??? Partial Partial Partial
The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors.
190 CVE-2008-4790 264 Bypass 2008-10-29 2017-08-08
6.0
None Remote Medium ??? Partial Partial Partial
The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors.
191 CVE-2008-4789 264 Bypass 2008-10-29 2017-08-08
6.0
None Remote Medium ??? Partial Partial Partial
The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error."
192 CVE-2008-4598 XSS 2008-10-17 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Shindig-Integrator 5.x, a module for Drupal, has unspecified impact and remote attack vectors related to "numerous flaws" that are not related to XSS or access control, a different vulnerability than CVE-2008-4596 and CVE-2008-4597.
193 CVE-2008-4597 264 +Priv 2008-10-17 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
Shindig-Integrator 5.x, a module for Drupal, does not properly restrict generated page access, which allows remote attackers to gain privileges via unspecified vectors.
194 CVE-2008-4596 79 XSS 2008-10-17 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Shindig-Integrator 5.x, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in generated pages.
195 CVE-2008-4531 89 Exec Code Sql 2008-10-09 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to queries. NOTE: this might be the same issue as CVE-2008-4338.
196 CVE-2008-4530 79 XSS 2008-10-09 2017-08-08
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote authenticated users with permissions to inject arbitrary web script or HTML via unspecified vectors related to posting of answers.
197 CVE-2008-4153 264 +Info 2008-09-24 2017-08-08
5.0
None Remote Low Not required Partial None None
The Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, does not perform access checks for a node before displaying comments, which allows remote attackers to obtain sensitive information.
198 CVE-2008-4152 79 XSS 2008-09-24 2017-08-08
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via a node title.
199 CVE-2008-4149 79 XSS 2008-09-24 2017-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.
200 CVE-2008-4148 89 Exec Code Sql 2008-09-24 2017-08-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API.
Total number of vulnerabilities : 331   Page : 1 2 3 4 (This Page)5 6 7
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.