| ID | Disc Date | Title | Description |
|---|---|---|---|
| 66761 | 2010-07-28 | Dashboard Module for Drupal Default Widget Multiple Parameter XSS | |
| 66763 | 2010-07-28 | Sage Pay Direct Payment Gateway for Ubercart Module for Drupal Transaction iframe Caching Information Disclosure | |
| 66765 | 2010-07-28 | Kaltura Module for Drupal Hidden iframe Remote Information Disclosure | |
| 66482 | 2010-07-21 | Tagging Module for Drupal Free-tagging Vocabularies XSS | |
| 66322 | 2010-07-14 | Drupad Module for Drupal User Account Deletion CSRF | |
| 66117 | 2010-07-07 | Hierarchical Select Module for Drupal hierarchical_select Form Element XSS | Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 5.x before 5.x-3.2 and 6.x before 6.x-3.2 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via unspecified vectors in the hierarchical_select form. (Description provided by [CVE-2010-2724](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2724)) |
| 66118 | 2010-07-07 | MultiSafepay Integration Module for Drupal Unspecified CSRF | |
| 66022 | 2010-07-02 | Views Module for Drupal modules/views/includes/ajax.inc views_ajax_autocomplete_user() Function Permission Weakness Username Disclosure | |
| 65730 | 2010-06-24 | Masquerade Module for Drupal Unspecified Action CSRF | |
| 65740 | 2010-06-23 | Case Tracker Module for Drupal Unspecified XSS | |
| 65741 | 2010-06-23 | Case Tracker Module for Drupal Access Case Tracker Permission Bypass | |
| 65611 | 2010-06-17 | FileField Module for Drupal filepath Parameter XSS | Cross-site scripting (XSS) vulnerability in the FileField module 5.x before 5.x-2.5 and 6.x before 6.x-3.4 for Drupal allows remote authenticated users, with create or edit permissions and 'Path to File' or 'URL to File' display enabled, to inject arbitrary web script or HTML via the file name (filepath parameter). (Description provided by [CVE-2010-1958](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1958)) |
| 65620 | 2010-06-17 | Views Module for Drupal Views UI Module CSRF | |
| 65621 | 2010-06-17 | Views Module for Drupal URL / Aggregator Feed Title XSS | |
| 65612 | 2010-06-16 | Views Module for Drupal Administer Views Excess Permissions Privilege Escalation | |
| 65614 | 2010-06-16 | Ogone \| Ubercart Module for Drupal Order Status Verification Issue | |
| 65615 | 2010-06-16 | Content Construction Kit for Drupal Node Reference Module Access Restriction Bypass | The Node Reference module in Content Construction Kit (CCK) module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes. (Description provided by [CVE-2010-2352](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2352)) |
| 65616 | 2010-06-16 | Content Construction Kit for Drupal Node Reference Module Backend URL Validation Node Information Disclosure | |
| 65617 | 2010-06-16 | Ubercart for Drupal MIGS Module Checkout Parameter Validation Restriction Bypass | |
| 65619 | 2010-06-16 | Studio Theme Pack Module for Drupal Unspecified XSS | |
| 65682 | 2010-06-16 | Content Construction Kit for Drupal Node Reference Module Autocomplete Widget Access Check Weakness Controlled Node Information Disclosure | The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes. (Description provided by [CVE-2010-2353](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2353)) |
| 64946 | 2010-05-26 | Scheduler Module for Drupal Unpublished Node Title XSS | Scheduler Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the input of unpublished node titles. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 64947 | 2010-05-26 | AddonChat Module for Drupal addonchat_auth.php user Object Authentication Bypass | |
| 64948 | 2010-05-26 | AddonChat Module for Drupal Unspecified XSS | AddonChat Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate unspecified input. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 64762 | 2010-05-20 | External Link Page Module for Drupal Content Filter Redirect XSS | External Link Page Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the input on the module's administration page before it is displayed on redirect pages. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 64761 | 2010-05-20 | Wordpress Import Module for Drupal WRX File Import Arbitrary File Upload | |
| 64773 | 2010-05-19 | Heartbeat Module for Drupal User Activity Display Module XSS | Heartbeat Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate a certain unspecified parameter upon submission to the user activity display module. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 64772 | 2010-05-19 | CAPTCHA Module for Drupal CAPTCHA Description XSS | |
| 64771 | 2010-05-19 | User Queue Module for Drupal Delete User URI CSRF | User Queue Module for Drupal contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions such as deleting users from queues. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the ... |
| 64769 | 2010-05-19 | Panels Module for Drupal Import Function PHP Code Execution | |
| 64768 | 2010-05-19 | Simplenews Module for Drupal Subscription Form Access Restrictions Bypass | |
| 64763 | 2010-05-19 | Chaos Tool Suite Module for Drupal Node Titles XSS | Chaos Tool Suite Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input submitted to node titles. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 64764 | 2010-05-19 | Chaos Tool Suite Module for Drupal admin/build/pages/import object Parameter Arbitrary Code Execution | Multiple eval injection vulnerabilities in the import functionality in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with "administer page manager" privileges, to execute arbitrary PHP code via input to a text area, related to (1) the page_manager_page_import_subtask_validate function in page_manager/plugins/tasks/page.admin.inc and (2) the page_manager_handler_import_validate function in page_manager/page_manager.admin.inc. (Description provided by [CVE-2010-1546](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1546)) |
| 64765 | 2010-05-19 | Chaos Tool Suite Module for Drupal admin/build/pages object Parameter Arbitrary Code Execution | Multiple eval injection vulnerabilities in the import functionality in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with "administer page manager" privileges, to execute arbitrary PHP code via input to a text area, related to (1) the page_manager_page_import_subtask_validate function in page_manager/plugins/tasks/page.admin.inc and (2) the page_manager_handler_import_validate function in page_manager/page_manager.admin.inc. (Description provided by [CVE-2010-1546](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1546)) |
| 64766 | 2010-05-19 | Chaos Tool Suite Module for Drupal Administrative Forms CSRF | Chaos Tool Suite Module for Drupal contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions such as enabling or disabling certain pages. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim ... |
| 64767 | 2010-05-19 | Chaos Tool Suite Module for Drupal ctools/autocomplete/node URI Access Restrictions Bypass | The auto-complete functionality in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal does not follow access restrictions, which allows remote authenticated users, with "access content" privileges, to read the title of an unpublished node via a q=ctools/autocomplete/node/ value accompanied by the first character of the node's title. (Description provided by [CVE-2010-1548](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1548)) |
| 64613 | 2010-05-12 | CiviRegister Module for Drupal Profile Administrative Page XSS | Cross-site scripting (XSS) vulnerability in the CiviRegister module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the URI. (Description provided by [CVE-2010-2001](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2001)) |
| 64598 | 2010-05-12 | Bibliography Module for Drupal Unspecified XSS | Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) module 5.x through 5.x-1.17 and 6.x through 6.x-1.9 for Drupal allows remote authenticated users, with "administer biblio" privileges, to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-1358. (Description provided by [CVE-2010-2000](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2000)) |
| 64597 | 2010-05-12 | Award Module for Drupal award Title XSS | |
| 64610 | 2010-05-12 | Auto Assign Role Module for Drupal Permissions Bypass | |
| 64599 | 2010-05-12 | LoginToboggan Module for Drupal Unspecified Session Fixation Hijacking | |
| 64614 | 2010-05-12 | Wordfilter Module for Drupal Banned Word List XSS | Cross-site scripting (XSS) vulnerability in the Wordfilter module 5.x before 5.x-1.1 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with "administer words filtered" privileges, to inject arbitrary web script or HTML via the word list. (Description provided by [CVE-2010-2002](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2002)) |
| 64612 | 2010-05-12 | Services Module for Drupal Session ID Authentication Bypass | |
| 64616 | 2010-05-12 | Storm Module for Drupal index.php Multiple Parameter XSS | Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) address, (3) city, (4) provstate (aka state), (5) phone, or (6) taxid parameter in a stormorganization action to index.php; the (7) name parameter in a stormperson action to index.php; the (8) stepno (aka Step no.) or (9) title parameter in a stormtask action to ... (Description provided by [CVE-2010-2123](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2123)) |
| 64737 | 2010-05-10 | Context Module for Drupal Block Description XSS | Cross-site scripting (XSS) vulnerability in the Context module before 6.x-2.0-rc4 for Drupal allows remote authenticated users, with Administer Blocks privileges, to inject arbitrary web script or HTML via a block description. (Description provided by [CVE-2010-1584](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1584)) |
| 64356 | 2010-05-05 | ImageField Module for Drupal Restricted Image Permission Weakness Information Disclosure | |
| 64357 | 2010-05-05 | FileField Module for Drupal Configuration Page New File Arbitrary File Upload | |
| 64358 | 2010-05-05 | CCK TableField Module for Drupal Table Headers XSS | Cross-site scripting (XSS) vulnerability in the CCK TableField module 6.x before 6.x-1.2 for Drupal allows remote authenticated users, with certain node creation or editing privileges, to inject arbitrary web script or HTML via table headers. (Description provided by [CVE-2010-1998](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1998)) |
| 64131 | 2010-04-28 | Decisions Module for Drupal Unspecified Information Disclosure | |
| 64132 | 2010-04-28 | Privatemsg Module for Drupal pm_email_notify.module Access Restriction Bypass | |