2 matches found
SA-CONTRIB-2012-133 - Taxonomy Image - Cross Site Scripting (XSS) & Arbitrary PHP code execution
The taxonomyimage module allows site administrators to associate images with taxonomy terms. The module did not sufficiently filter retrieval of taxonomy images, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server. This...
SA-CONTRIB-2011-022 - Cosign - SQL Injection
Under certain conditions the module deletes uid 1 and then does an unparameterized dbquery to insert a new uid 1. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer site configuration" and must be able to remotely manipulate the web serve...