Page 6 of 31 results (0.006 seconds)

CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0

Cross-site scripting (XSS) vulnerability in the project module (project.module) in Drupal 4.5 and 4.6 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. • http://drupal.org/node/62406 http://secunia.com/advisories/19997 http://www.securityfocus.com/bid/17885 http://www.vupen.com/english/advisories/2006/1697 https://exchange.xforce.ibmcloud.com/vulnerabilities/26358 •

CVSS: 4.6EPSS: 0%CPEs: 14EXPL: 0

Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access control for the page that is referenced, which might allow remote attackers to access administrator pages. • http://drupal.org/node/53796 http://secunia.com/advisories/19245 http://secunia.com/advisories/19257 http://securityreason.com/securityalert/578 http://www.debian.org/security/2006/dsa-1007 http://www.osvdb.org/23909 http://www.securityfocus.com/archive/1/427587/100/0/threaded http://www.securityfocus.com/bid/17104 https://exchange.xforce.ibmcloud.com/vulnerabilities/25197 •

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1

Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE • http://www.securityfocus.com/archive/1/420671/100/0/threaded http://www.securityfocus.com/archive/1/420683/100/0/threaded •

CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allow remote attackers to inject arbitrary web script or HTML via various HTML tags and values, such as the (1) legend tag and the value parameter used in (2) label and (3) input tags, possibly due to an incomplete blacklist. • http://drupal.org/files/sa-2005-007/4.6.3.patch http://drupal.org/files/sa-2005-007/advisory.txt http://secunia.com/advisories/17824 http://secunia.com/advisories/18630 http://www.debian.org/security/2006/dsa-958 http://www.securityfocus.com/archive/1/418292/100/0/threaded http://www.securityfocus.com/bid/15677 http://www.vupen.com/english/advisories/2005/2684 •

CVSS: 6.4EPSS: 0%CPEs: 10EXPL: 0

Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PHP5, does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission. • http://drupal.org/files/sa-2005-009/4.6.3.patch http://drupal.org/files/sa-2005-009/advisory.txt http://secunia.com/advisories/17824 http://secunia.com/advisories/18630 http://www.debian.org/security/2006/dsa-958 http://www.securityfocus.com/archive/1/418336/100/0/threaded http://www.securityfocus.com/bid/15674 http://www.vupen.com/english/advisories/2005/2684 •