Filtered by vendor Drupal Subscriptions
Total 834 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2007-0534 1 Drupal 2 Project, Project Issue Tracking Module 2024-11-21 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project issue tracking 4.7.0 through 5.x before 20070123 and (2) Project 4.6.0 through 5.x before 20070123 modules for Drupal allow remote authenticated users to inject arbitrary web script or HTML via (a) certain "fields on project nodes" or (b) "certain project-specific settings regarding issue tracking."
CVE-2007-0507 1 Drupal 1 Acidfree 2024-11-21 N/A
SQL injection vulnerability in the Acidfree module for Drupal before 4.6.x-1.0, and before 4.7.x-1.0 in the 4.7 series, allows remote authenticated users with "create acidfree albums" privileges to execute arbitrary SQL commands via node titles.
CVE-2007-0506 1 Drupal 2 Project, Project Issue Tracking Module 2024-11-21 N/A
The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests.
CVE-2007-0505 1 Drupal 2 Project, Project Issue Tracking Module 2024-11-21 N/A
Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue.
CVE-2007-0136 1 Drupal 1 Drupal 2024-11-21 N/A
Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information.
CVE-2007-0124 1 Drupal 1 Drupal 2024-11-21 N/A
Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist.
CVE-2006-7110 1 Drupal 1 Imce Module 2024-11-21 N/A
Directory traversal vulnerability in the delete function in IMCE before 1.6, a Drupal module, allows remote authenticated users to delete arbitrary files via ".." sequences.
CVE-2006-7109 1 Drupal 1 Imce Module 2024-11-21 N/A
Unrestricted file upload vulnerability in IMCE before 1.6, a Drupal module, allows remote authenticated users to upload arbitrary PHP code via a filename with a double extension such as .php.gif.
CVE-2006-6647 1 Drupal 1 Drupal Mysite 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in the MySite 4.7.x before 4.7.x-3.3 and 5.x before 5.x-1.3 module for Drupal allows remote attackers to inject arbitrary web script or HTML via the Title field when editing a page. NOTE: some details were obtained from third party information.
CVE-2006-6646 1 Drupal 2 Drupal Project, Drupal Project Issue Tracking 2024-11-21 N/A
Multiple cross-site scripting (XSS) vulnerabilities in Drupal (1) Project Issue Tracking 4.7.x-1.0 and 4.7.x-2.0, and (2) Project 4.6.x-1.0, 4.7.x-1.0, and 4.7.x-2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, which do not use the check_plain function.
CVE-2006-6531 1 Drupal 1 Help Tip Module 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in the Help Tip module before 4.7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML, and possibly obtain administrative access, via node titles.
CVE-2006-6530 1 Drupal 1 Help Tip Module 2024-11-21 N/A
SQL injection vulnerability in the Help Tip module before 4.7.x-1.0 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2006-6529 1 Drupal 1 Chatroom Module 2024-11-21 N/A
The Chatroom Module before 4.7.x.-1.0 for Drupal displays private messages in a chatroom's last messages overview, which allows remote attackers to obtain sensitive information by reading the overview.
CVE-2006-6528 1 Drupal 1 Chatroom Module 2024-11-21 N/A
The Chatroom Module before 4.7.x.-1.0 for Drupal broadcasts Chatroom visitors' session IDs to all participants, which allows remote attackers to hijack sessions and gain privileges.
CVE-2006-6386 1 Drupal 1 Cvs Management And Tracker 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in the CVS management/tracker 4.7.x-1.0, 4.7.x-2.0, and 4.7.0 (before the 20060807 contribution release system) for Drupal allows remote attackers to inject arbitrary web script or HTML via the motivation field in the CVS application page, which is not passed through check_markup on display.
CVE-2006-5608 1 Drupal 1 Extended Tracker 2024-11-21 N/A
SQL injection vulnerability in Extended Tracker (xtracker) 4.7 before 1.5.2.1 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "parameters from URLs."
CVE-2006-5477 1 Drupal 1 Drupal 2024-11-21 N/A
Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows form submissions to be redirected, which allows remote attackers to obtain arbitrary form information via a crafted URL.
CVE-2006-5476 1 Drupal 1 Drupal 2024-11-21 N/A
Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors.
CVE-2006-5475 1 Drupal 1 Drupal 2024-11-21 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the XML parser in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allow remote attackers to inject arbitrary web script or HTML via a crafted RSS feed.
CVE-2006-4949 1 Drupal 1 Site Profile Directory Module 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in the Drupal 4.6 Site Profile Directory (profile_pages.module) before 1.1.2.1 and the Drupal 4.7 Site Profile Directory (profile_pages.module) before 1.2.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "lack of validation on output," possibly in the name and title parameters.