SA-CONTRIB-2010-042: LoginToboggan - Session fixation
The LoginToboggan module provides a customized log in workflow. Attackers may be able to exploit the workflow to initiate a session fixation attack. Versions affected: LoginToboggan versions for the 5.x and 6.x versions of Drupal. Drupal core is not affected. If you do not use the contributed...
SA-CONTRIB-2009-026 - LoginToboggan - Access bypass
LoginToboggan includes a setting which, if enabled, allows users to log in using either their username or e-mail address. In some circumstances, previously blocked users may still be able to access the site if this setting is enabled. Versions affected: LoginToboggan 6.x-1.x prior to 6.x-1.5...
SA-2008-012 - Project issue tracking - XSS vulnerability in comment summary tables
The Project issue tracking module provides a summary table to show changes in issue states between comments. Users who have certain editing rights may be able to inject arbitrary code on pages containing these tables. Wikipedia has more information about cross-site scripting (XSS). Versions affecte...
LoginToboggan - Cross site scripting
The LoginToboggan module provides several modifications of the Drupal login system. One of the features is a block that can be enabled on the site to display the currently logged in user with a "Log out" link. If a user is able to insert JavaScript into their username, they would be able to execute ...