|
201
|
-
4.3
|
MEDIUM
|
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, whic…
|
CWE-79
Cross-site Scripting
|
CVE-2008-3218
|
cpe:2.3:a:drupal:drupal:*:*
|
6.0
|
|
|
6.3
|
2026-04-23 09:35
2008-07-19
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
202
|
-
4.3
|
MEDIUM
|
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably r…
|
CWE-79
Cross-site Scripting
|
CVE-2008-3219
|
cpe:2.3:a:drupal:drupal:*:*
|
5.0 6.0
|
|
|
5.8 6.3
|
2026-04-23 09:35
2008-07-19
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
203
|
-
4.3
|
MEDIUM
|
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated str…
|
CWE-352
Origin Validation Error
|
CVE-2008-3220
|
cpe:2.3:a:drupal:drupal:*:*
|
5.0 6.0
|
|
|
5.8 6.3
|
2026-04-23 09:35
2008-07-19
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
204
|
-
4.3
|
MEDIUM
|
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.
|
CWE-352
Origin Validation Error
|
CVE-2008-3221
|
cpe:2.3:a:drupal:drupal:*:*
|
6.0
|
|
|
6.3
|
2026-04-23 09:35
2008-07-19
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
205
|
-
5.8
|
MEDIUM
|
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessio…
|
CWE-384
Session Fixation
|
CVE-2008-3222
|
cpe:2.3:a:drupal:drupal:*:*
|
5.0 6.0
|
|
|
5.9 6.3
|
2026-04-23 09:35
2008-07-19
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
206
|
-
7.5
|
HIGH
|
SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fie…
|
CWE-89
SQL Injection
|
CVE-2008-3223
|
cpe:2.3:a:drupal:drupal:*:*
|
6.0
|
|
|
6.3
|
2026-04-23 09:35
2008-07-19
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
207
|
-
7.5
|
HIGH
|
Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
|
CWE-89
SQL Injection
|
CVE-2008-2999
|
cpe:2.3:a:drupal:drupal:5.7:* cpe:2.3:a:drupal:drupal:5.5.:* cpe:2.3:a:drupal:drupal:5.4:* cpe:2.3:a:drupal:dr…
|
|
|
|
|
2026-04-23 09:35
2008-07-4
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
208
|
-
5.0
|
MEDIUM
|
The Node Hierarchy module 5.x before 5.x-1.1 and 6.x before 6.x-1.0 for Drupal does not properly implement access checks, which allows remote attackers with "access content" permissions to bypass res…
|
CWE-264
Permissions, Privileges, and Access Controls
|
CVE-2008-2771
|
cpe:2.3:a:drupal:drupal:6.0:* cpe:2.3:a:drupal:drupal:5.0:*
|
|
|
|
|
2026-04-23 09:35
2008-06-19
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
209
|
-
5.8
|
MEDIUM
|
The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker a…
|
NVD-CWE-noinfo
|
CVE-2008-1729
|
cpe:2.3:a:drupal:drupal:*:*
|
6.0
|
|
|
6.2
|
2026-04-23 09:35
2008-04-12
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
210
|
-
4.3
|
MEDIUM
|
The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks.
|
CWE-79
Cross-site Scripting
|
CVE-2008-1133
|
cpe:2.3:a:drupal:drupal:6.0:*
|
|
|
|
|
2026-04-23 09:35
2008-03-5
|
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|