CVSS: 6.1EPSS: 0%CPEs: 48EXPL: 0CVE-2008-0273
https://notcve.org/view.php?id=CVE-2008-0273
15 Jan 2008 — Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism. Conflicto de interpretación en Drupal 4.7.x anterior a 4.7.11 y 5.x anterior a 5.6, cuando se u... • http://drupal.org/node/208564 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 48EXPL: 0CVE-2008-0276
https://notcve.org/view.php?id=CVE-2008-0276
15 Jan 2008 — Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en el módulo Devel anterior a 5.x-0.1 para Drupal permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de la variable site, Relacionado con la falta de escape de la variable tabla. • http://drupal.org/node/208524 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 43EXPL: 0CVE-2007-6299
https://notcve.org/view.php?id=CVE-2007-6299
10 Dec 2007 — Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2) ajaxLoader, and (3) ubrowser contributed modules. Múltiples vulnerabilidades de inyección SQL en Drupal y vbDrupal 4.7.x versiones anteriores a 4.7.9 y 5.x versiones anteriores a 5.4 permiten a atacantes remotos ejecutar comandos SQL de su el... • http://drupal.org/node/198162 • CWE-20: Improper Input Validation CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 2CVE-2007-5416 – Drupal 5.2 - PHP Zend Hash ation Vector
https://notcve.org/view.php?id=CVE-2007-5416
12 Oct 2007 — Drupal 5.2 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code by invoking the drupal_eval function through a callback parameter to the default URI, as demonstrated by the _menu[callbacks][1][callback] parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be... • https://www.exploit-db.com/exploits/4510 • CWE-189: Numeric Errors •
CVSS: 6.1EPSS: 1%CPEs: 14EXPL: 0CVE-2006-4120
https://notcve.org/view.php?id=CVE-2006-4120
14 Aug 2006 — Cross-site scripting (XSS) vulnerability in the Recipe module (recipe.module) before 1.54 for Drupal 4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el módulo Recipe (recipe.module) anterior a 1.54 para Drupal 4.6 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores no especificados. • http://drupal.org/node/77538 •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 0CVE-2006-2260
https://notcve.org/view.php?id=CVE-2006-2260
09 May 2006 — Cross-site scripting (XSS) vulnerability in the project module (project.module) in Drupal 4.5 and 4.6 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. • http://drupal.org/node/62406 •
CVSS: 6.5EPSS: 1%CPEs: 6EXPL: 0CVE-2006-1225
https://notcve.org/view.php?id=CVE-2006-1225
14 Mar 2006 — CRLF injection vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject headers of outgoing e-mail messages and use Drupal as a spam proxy. • http://drupal.org/node/53806 •
CVSS: 6.1EPSS: 1%CPEs: 6EXPL: 0CVE-2006-1226
https://notcve.org/view.php?id=CVE-2006-1226
14 Mar 2006 — Cross-site scripting (XSS) vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. • http://drupal.org/node/53803 •
CVSS: 9.1EPSS: 0%CPEs: 14EXPL: 0CVE-2006-1227
https://notcve.org/view.php?id=CVE-2006-1227
14 Mar 2006 — Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access control for the page that is referenced, which might allow remote attackers to access administrator pages. • http://drupal.org/node/53796 •
CVSS: 8.8EPSS: 2%CPEs: 6EXPL: 0CVE-2006-1228
https://notcve.org/view.php?id=CVE-2006-1228
14 Mar 2006 — Session fixation vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to gain privileges by tricking a user to click on a URL that fixes the session identifier. • http://drupal.org/node/53805 • CWE-287: Improper Authentication •