Note:
This project will be discontinued after December 13, 2021.
Product: Drupal (Drupal)
Repositories:
• https://github.com/jquery/jquery-ui
• https://github.com/symfony/symfony
#Vulnerabilities: 253

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2008-07-18 | CVE-2008-3223 | SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields." | Drupal, Fedora | N/A | ||
2008-07-18 | CVE-2008-3222 | Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors. | Drupal, Fedora | N/A | ||
2008-07-18 | CVE-2008-3221 | Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities. | Drupal, Fedora | N/A | ||
2008-07-18 | CVE-2008-3220 | Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings." | Drupal, Fedora | N/A | ||
2008-07-18 | CVE-2008-3219 | The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism. | Drupal, Fedora | N/A | ||
2020-01-14 | CVE-2011-2715 | An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. | Data, Drupal | N/A | ||
2020-01-14 | CVE-2011-2714 | A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. | Data, Drupal | N/A | ||
2019-11-15 | CVE-2011-2726 | An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL. | Debian_linux, Drupal, Fedora, Enterprise_linux | N/A | ||
2019-11-07 | CVE-2010-2473 | Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. | Drupal | N/A | ||
2019-11-07 | CVE-2010-2472 | Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. | Drupal | N/A | ||