6.14 : Security Vulnerabilities

Cpe Name:cpe:/a:drupal:drupal:6.14

CVSS Scores Greater Than: 0 1 2 3 4 5 6 7 8 9

Sort Results By : Cve Number Descending Cve Number Ascending CVSS Score Descending Number Of Exploits Descending

Copy Results Download Results Select Table

#	CVE ID	CWE ID	# of Exploits	Vulnerability Type(s)	Publish Date	Update Date	Score	Gained Access Level	Access	Complexity	Authentication	Conf.	Integ.	Avail.
1	CVE-2012-5653	20		Exec Code Bypass	2013-01-02	2013-01-07	6.0	None	Remote	Medium	Single system	Partial	Partial	Partial
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.
2	CVE-2012-5652	200		+Info	2013-01-02	2013-01-03	5.0	None	Remote	Low	Not required	Partial	None	None
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.
3	CVE-2012-5651	264		+Info	2013-01-02	2013-01-03	5.0	None	Remote	Low	Not required	Partial	None	None
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.
4	CVE-2012-2922	200		+Info	2012-05-21	2012-09-04	5.0	None	Remote	Low	Not required	Partial	None	None
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.
5	CVE-2010-3686	287		Bypass	2010-09-29	2010-09-30	5.0	None	Remote	Low	Not required	None	Partial	None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
6	CVE-2010-3685	287		Bypass	2010-09-29	2010-09-30	5.0	None	Remote	Low	Not required	None	Partial	None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
7	CVE-2010-3094	79		XSS	2010-09-21	2010-09-22	2.1	None	Remote	High	Single system	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.
8	CVE-2010-3093	264		Bypass	2010-09-21	2010-09-22	3.5	None	Remote	Medium	Single system	None	Partial	None
The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue.
9	CVE-2010-3092	264		Bypass	2010-09-21	2010-09-22	5.5	None	Remote	Low	Single system	Partial	Partial	None
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name.
10	CVE-2010-3091	287		Bypass	2010-09-29	2010-09-30	5.0	None	Remote	Low	Not required	None	Partial	None
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
11	CVE-2009-4371	79		XSS	2009-12-21	2009-12-22	3.5	None	Remote	Medium	Single system	None	Partial	None
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form.
12	CVE-2009-4370	79		XSS	2009-12-21	2009-12-22	3.5	None	Remote	Medium	Single system	None	Partial	None
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview.
13	CVE-2009-4369	79		XSS	2009-12-21	2012-01-05	3.5	None	Remote	Medium	Single system	None	Partial	None
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name.
14	CVE-2007-6752	352	2	CSRF	2012-03-28	2012-03-28	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
DISPUTED Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off."

Total number of vulnerabilities : 14 Page : 1 (This Page)