| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error." |
| Cross-site scripting (XSS) vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to inject arbitrary web script or HTML via unspecified vectors. |
| SQL injection vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to execute arbitrary SQL commands via unspecified vectors. |
| The Outline Designer module 5.x before 5.x-1.4 for Drupal changes each content reader's authentication level to match that of the content author, which might allow remote attackers to gain privileges. |
| Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings." |
| Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values. |
| The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism. |
| SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields." |
| Cross-site scripting (XSS) vulnerability in the Suggested Terms module 5.x before 5.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via crafted Taxonomy terms. |
| Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML. |
| Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated. |
| Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements. |
| The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors. |
| Unspecified vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to gain privileges as another user or an administrator via unknown attack vectors. |
| Multiple SQL injection vulnerabilities in the User Karma module 5.x before 5.x-1.13 and 6.x before 6.x-1.0-beta1, a module for Drupal, allow remote authenticated administrators to execute arbitrary SQL commands via (1) a content type or (2) a voting API value. |
| Cross-site scripting (XSS) vulnerability in the theme_views_bulk_operations_confirmation function in views_bulk_operations.module in Views Bulk Operations 5.x before 5.x-1.3 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to node titles. NOTE: some of these details are obtained from third party information. |
| Unspecified vulnerability in Internationalization (i18n) Translation 5.x before 5.x-2.5, a module for Drupal, allows remote attackers with "translate node" permissions to bypass intended access restrictions and read unpublished nodes via unspecified vectors. |
| Cross-site scripting (XSS) vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote authenticated users with permissions to inject arbitrary web script or HTML via unspecified vectors related to posting of answers. |
| SQL injection vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to queries. NOTE: this might be the same issue as CVE-2008-4338. |
