120 matches found
SA-2008-011 - Securesite - Access bypass
The Secure Site module provides functions for placing your site behind HTTP based authentication. The module contains a flaw that allows an attacker who is behind the same proxy as a logged in user, to access the site as if the attacker is the user. Versions affected Secure Site for Drupal 5.x an...
SA-2008-10 - Archive - Cross site scripting
The Archive module provides a replacement for the archive functionality that was present in Drupal 4.7. Certain URL arguments are not escaped before display. It is therefore possible to inject arbitrary HTML and script code into certain archive pages, which may lead to administrator access if...
CVE-2008-0272
Cross-site request forgery CSRF vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users...
CVE-2008-0274
Cross-site scripting XSS vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files...
SA-2008-008 - Meta tags - Arbitrary code execution
The Meta tags module, also known as Nodewords, adds HTML META tags to node, panel and view pages. If the site is configured to allow images in the body of any node type, any user that can create this node type is able to execute arbitrary code on the server. Versions affected Meta tags for Drupal...
SA-2008-001 - Devel - Cross site scripting
The devel module contains many useful developer functions, such as a query log and the display of variables. The contents of the variable table is not escaped prior to display. Should an unprivileged user be able to control the contents of a site variable, it would be possible to inject arbitrary...
SA-2008-002 - Atom - Access bypass
The Atom module provides a list of node titles, and teasers or bodies as part of a syndication feed. In certain conditions, the titles, teasers, and body were not respecting access permissions, potentially exposing content to syndication not available otherwise. Versions affected Atom for Drupal...
SA-2008-006 - Drupal core - Cross site scripting (UTF8)
When outputting plaintext Drupal strips potentially dangerous HTML tags and attributes from HTML, and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input. Certain byte sequences that are invalid in the...
CVE-2007-6298
Cross-site scripting XSS vulnerability in the Shoutbox module for Drupal 5.x before Shoutbox 5.x-1.1 allows remote authenticated users to inject arbitrary web script or HTML via Shoutbox block messages...
CVE-2007-6298
Cross-site scripting XSS vulnerability in the Shoutbox module for Drupal 5.x before Shoutbox 5.x-1.1 allows remote authenticated users to inject arbitrary web script or HTML via Shoutbox block messages...
SA-2007-032 - Shoutbox - Cross site scripting
Message sent from the Shoutbox block, where visitors can quickly post short messages, are not properly sanitized in a number of cases. This allows malicious users to inject arbitrary HTML and script code into the block. Learn more about cross site scripting on Wikipedia. Versions affected Shoutbo...
Cross site scripting
Cross-site scripting XSS vulnerability in Weblinks for Drupal 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
SA-2007-026 - Drupal Core - Cross site scripting via uploads
The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file. Revoking upload permissions or removing the .html extension from the allowed extensi...
Cross site request forgery (csrf)
Multiple cross-site request forgery CSRF vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to 1 delete comments, 2 delete content revisions, and 3 disable menu items as privileged users, related to improper use of HTTP GET and the Forms API...
CVE-2007-4063
Multiple cross-site request forgery CSRF vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to 1 delete comments, 2 delete content revisions, and 3 disable menu items as privileged users, related to improper use of HTTP GET and the Forms API...
CVE-2007-4063
Multiple cross-site request forgery CSRF vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to 1 delete comments, 2 delete content revisions, and 3 disable menu items as privileged users, related to improper use of HTTP GET and the Forms API...
Print - Access bypass
Print is a module that allows site administrators to produce a "print friendly" version of a posting. By manipulating URL arguments, authenticated and anonymous users are able to access posts that should have been restricted by a node access module such as Organic Groups, Taxonomy Access Control,...
Code injection
Unspecified vulnerability in the Nodefamily module for Drupal 5.x before 5.x-1.0 allows remote authenticated users to access and modify other users' profiles via unspecified URL parameters...
Drupal < 5.1 (post comments) Remote Command Execution Exploit v2
No description provided by source. !/usr/bin/perl $Id: milw0rmdrupalv5.pl,v 0.2 2007/02/15 13:40:29 str0ke Exp $ milw0rmdrupalv5.pl - Drupal 5.1 Remote Command Execution Exploit Copyright c 2007 str0ke str0ke!milw0rm.com Description ----------- Previews on comments were not passed through normal...
[DRUPAL-SA-2007-005] Drupal 4.7.6 / 5.1 fixes arbitrary code execution issue
---------------------------------------------------------------------------- Drupal security advisory DRUPAL-SA-2007-005 ---------------------------------------------------------------------------- Project: Drupal core Version: 4.7.x, 5.x Date: 2007-Jan-29 Security risk: Highy critical Exploitabl...