SA-CONTRIB-2013-072 - Node View Permissions - Access Bypass

The Node View Permissions module adds permissions "View own content" and "View any content" for each content type on the permissions page. However, it only implements hooknodeaccess and not hookqueryalter, which means any listing of nodes does not respect the node view permission. CVE identifiers...

SA-CONTRIB-2013-007 User Relationships - Cross Site Scripting (XSS)

The User Relationships module allows you to create multiple relationship types and maintain relationships between users in your Drupal site. The module does not sufficiently escape relationship names before display. This allows users with the correct permissions to create relationship names...