Lucene search
K

481 matches found

Drupal
Drupal
added 2011/06/29 12:0 a.m.23 views

SA-CONTRIB-2011-026 - Secure Password Hashes (phpass) - Multiple Vulnerabilities

This module uses the PHPass hashing library to try to store users hashed passwords securely. The module sets a fixed string for the 'pass' column in the users database column but does not replace the pass attribute of the account object used for password reset links. This leads to a vulnerability...

7.2AI score
Exploits0References8
NVD
NVD
added 2011/04/10 2:51 a.m.17 views

CVE-2011-1661

The Node Quick Find module 6.x-1.1 for Drupal does not use dbrewritesql when presenting node titles, which allows remote attackers to bypass intended access restrictions and read potentially sensitive node titles via the autocomplete feature...

5CVSS6.6AI score0.0147EPSS
Exploits0References6
Drupal
Drupal
added 2010/08/11 12:0 a.m.15 views

SA-CONTRIB-2010-084 - OpenID - Authentication bypass

The OpenID module provides users the ability to login to sites using an OpenID account. The OpenID module doesn't implement the all required verifications from the OpenID 2.0 protocol and is vulnerable to a number of attacks. Specifically: - OpenID should verify that a "openid.responsenonce" has...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2010/08/11 12:0 a.m.14 views

SA-CONTRIB-2010-088 - Content Construction Kit (CCK) - Access Bypass

The Content Construction Kit CCK project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module provides a backend URL that is used for asynchronous requests by the "autocomplete" widget to locate nodes the user can reference. In som...

7.2AI score
Exploits0References8
Prion
Prion
added 2010/05/21 8:30 p.m.14 views

Sql injection

Multiple eval injection vulnerabilities in the import functionality in the Chaos Tool Suite aka CTools module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with "administer page manager" privileges, to execute arbitrary PHP code via input to a text area, related to 1 the...

6CVSS8.1AI score0.01379EPSS
Exploits0References10Affected Software1
Cvelist
Cvelist
added 2010/05/21 8:0 p.m.24 views

CVE-2010-1547

Multiple cross-site request forgery CSRF vulnerabilities in the Chaos Tool Suite aka CTools module 6.x before 6.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that 1 enable a page via a q=admin/build/pages/nojs/enable/ value or 2 disable a page...

7.2AI score0.00671EPSS
Exploits0References6
Drupal
Drupal
added 2010/05/19 12:0 a.m.10 views

SA-CONTRIB-2010-054 - Storm - Cross Site Scripting (XSS)

The Storm project provides a group of modules for project management and billing. The module displays data entered by users without sanitising it, allowing for a cross site scripting XSS attack that may lead to a malicious user gaining full administrative access. Versions affected Storm project f...

6AI score
Exploits0References6
Drupal
Drupal
added 2010/05/12 12:0 a.m.14 views

SA-CONTRIB-2010-043: Wordfilter - Cross Site Scripting

The Wordfilter module implements an input filter that rewrites content to remove improper or foul language. Wordfilter does not sanitize the list of words that are filtered along with their replacements, allowing users with permissions to manage the list of banned words to insert arbitrary HTML a...

5.9AI score
Exploits0References8
Drupal
Drupal
added 2010/02/24 12:0 a.m.16 views

SA-CONTRIB-2010-020 - Facebook-style Statuses (Microblog) - Access bypass

The Facebook-style Statuses Microblog module enables each user to have a stream of messages "statuses" like on Facebook. Users can update their own status as well as write messages to other users by visiting the other user's profile. When a user updates his own status and then updates it again...

7.1AI score
Exploits0References5
Prion
Prion
added 2009/09/30 3:30 p.m.19 views

Cross site scripting

Cross-site scripting XSS vulnerability in Bibliography Biblio 5.x before 5.x-1.17 and 6.x before 6.x-1.6, a module for Drupal, allows remote attackers, with "create content displayed by the Bibliography module" permissions, to inject arbitrary web script or HTML via a title...

4.3CVSS5.9AI score0.01065EPSS
Exploits0References5Affected Software1
Drupal
Drupal
added 2009/07/08 12:0 a.m.15 views

SA-CONTRIB-2009-041 - Nodequeue - Access bypass

The Nodequeue module enables an administrator to arbitrarily put nodes in a group with an arbitrary order for any purpose, such as providing a listing of nodes or featuring a particular node. On the queue administration screen, users with permission to manipulate a queue are presented with an...

7AI score
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2009/06/16 12:0 a.m.13 views

Fedora 9 : drupal-views-6.x.2.6-1.fc9 (2009-6171)

Advisory ID: DRUPAL-SA-CONTRIB-2009-037 0 Project: Views Versions: 6.x-2.x Date: 2009-June-10 Security risk: Moderately critical Exploitable from: Remote Vulnerability: Cross Site Scripting XSS, Access Bypass -------- DESCRIPTION -------------------------------------------------------- - The...

5.3AI score
Exploits0References5
Drupal
Drupal
added 2009/05/20 12:0 a.m.8 views

SA-CONTRIB-2009-030 - Email Verification - Information disclosure / Cross Site Scripting

The Email Verification module tries to verify user email addresses by talking to the appropriate SMTP host. It also allows the administrator to access a list of not confirmed email addresses. In the Drupal 5 version, this list is only protected by the "access content" permission, hence allowing a...

6.1AI score
Exploits0References5
Drupal
Drupal
added 2009/05/13 12:0 a.m.12 views

SA-CONTRIB-2009-026 - LoginToboggan - Access bypass

LoginToboggan includes a setting which, if enabled, allows users to log in using either their username or e-mail address. In some circumstances, previously blocked users may still be able to access the site if this setting is enabled. Versions affected LoginToboggan 6.x-1.x prior to 6.x-1.5...

6.8AI score
Exploits0References4
Drupal
Drupal
added 2009/05/13 12:0 a.m.11 views

SA-CONTRIB-2009-028 - Feed Block - Cross Site Scripting

The Feed Block module creates a block with one externalsyndicated article for each feed source from selected feed category. Feed block doesn't properly escapes aggregator items allowing users with administer news feeds permission to inject arbitrary code into the site. Such a cross site scripting...

6.3AI score
Exploits0References6
OpenVAS
OpenVAS
added 2009/05/11 12:0 a.m.19 views

Debian Security Advisory DSA 1792-1 (drupal6)

The remote host is missing an update to drupal6 announced via advisory DSA 1792-1. OpenVAS Vulnerability Test $Id: deb17921.nasl 6615 2017-07-07 12:09:52Z cfischer $ Description: Auto-generated from advisory DSA 1792-1 drupal6 Authors: Thomas Reinke Copyright: Copyright c 2009 E-Soft Inc...

4.3CVSS0.6AI score0.01631EPSS
Exploits0
Drupal
Drupal
added 2009/03/25 12:0 a.m.15 views

SA-CONTRIB-2009-015 - Tokenauth - Access bypass

The Token authentication module allows access to RSS feeds via a token without having to provide your username and password to the site. Token authentication did not properly use the Drupal Form API which would allow a malicious user to learn the site administrator's token giving them the ability...

7.2AI score
Exploits0References5
Drupal
Drupal
added 2009/01/14 12:0 a.m.11 views

SA-CONTRIB-2009-003 - Internationalizaion (i18n) Translation module - Access bypass

The third-party i18n module enables users to make a translation of an existing item of content a node. In that process the existing node's content is copied into the new node. The module contains a flaw that allows a user with the 'translate node' permission to potentially bypass normal viewing...

7AI score
Exploits0References5
Drupal
Drupal
added 2009/01/07 12:0 a.m.10 views

SA-CONTRIB-2009-001 - Project release - Multiple vulnerabilities

Exploitable from: Remote Vulnerabilities: Arbitrary file upload, Cross-site scripting XSS The Project release module is a component within the broader Project module. This announcement covers the following two issues: 1. Project release enables file attachments to create a specific version of cod...

7AI score
Exploits0References7
Cvelist
Cvelist
added 2008/10/29 3:0 p.m.19 views

CVE-2008-4790

The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors...

6.1AI score0.01001EPSS
Exploits0References5
Rows per page
Query Builder