Shodan

213.171.197.131

Regular View Raw Data
Last Seen: 2024-09-21

GeneralInformation

Hostnames server213-171-197-131.live-servers.net
www2.optimus2020.com
Domains live-servers.net optimus2020.com 
Country United Kingdom
City Bakewell
Organization Fasthosts Internet Limited
ISP IONOS SE
ASN AS8560
Operating System Windows

WebTechnologies

CMS
Drupal
JavaScript libraries
jQuery1.7.1
jQuery UI1.8.18
Programming languages
PHP

Vulnerabilities

Note: the device may not be impacted by all of these issues. The vulnerabilities are implied based on the software and version.

OpenPorts 

-37685824 | 2024-09-13T18:32:01.545535
21 / tcp 
301703492 | 2024-09-11T23:57:38.319439
25 / tcp 
1489525118 | 2024-09-21T18:33:53.724994
80 / tcp 
-1283034168 | 2024-09-14T01:20:00.562449
110 / tcp 
2112747071 | 2024-09-21T12:16:18.052268
135 / tcp 
27672397 | 2024-09-11T03:51:02.882278
143 / tcp 
-1433597656 | 2024-09-01T00:17:04.269906
443 / tcp 
563343987 | 2024-09-19T03:48:40.007020
3389 / tcp



Products
Pricing
Contact Us

Shodan ® - All rights reserved

\", which results in the enclosed script logic to be executed.","verified":false},"CVE-2019-11358":{"cvss":4.3,"ports":[443],"summary":"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.","verified":false},"CVE-2019-9641":{"cvss":7.5,"ports":[443],"summary":"An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.","verified":false},"CVE-2019-9639":{"cvss":5.0,"ports":[443],"summary":"An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.","verified":false},"CVE-2019-9638":{"cvss":5.0,"ports":[443],"summary":"An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len.","verified":false},"CVE-2019-9637":{"cvss":5.0,"ports":[443],"summary":"An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.","verified":false},"CVE-2019-9024":{"cvss":5.0,"ports":[443],"summary":"An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.","verified":false},"CVE-2019-9023":{"cvss":7.5,"ports":[443],"summary":"An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.","verified":false},"CVE-2019-9021":{"cvss":7.5,"ports":[443],"summary":"An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.","verified":false},"CVE-2019-9020":{"cvss":7.5,"ports":[443],"summary":"An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.","verified":false},"CVE-2019-6977":{"cvss":6.8,"ports":[443],"summary":"gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.","verified":false},"CVE-2018-20783":{"cvss":5.0,"ports":[443],"summary":"In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c.","verified":false},"CVE-2018-19520":{"cvss":6.5,"ports":[443],"summary":"An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin template management.","verified":false},"CVE-2018-19396":{"cvss":5.0,"ports":[443],"summary":"ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class.","verified":false},"CVE-2018-19395":{"cvss":5.0,"ports":[443],"summary":"ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM(\"WScript.Shell\").","verified":false},"CVE-2018-17082":{"cvss":4.3,"ports":[443],"summary":"The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a \"Transfer-Encoding: chunked\" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.","verified":false},"CVE-2018-15132":{"cvss":5.0,"ports":[443],"summary":"An issue was discovered in ext/standard/link_win32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn't implement the open_basedir check. This could be abused to find files on paths outside of the allowed directories.","verified":false},"CVE-2018-14883":{"cvss":5.0,"ports":[443],"summary":"An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.","verified":false},"CVE-2018-14851":{"cvss":4.3,"ports":[443],"summary":"exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.","verified":false},"CVE-2018-10549":{"cvss":6.8,"ports":[443],"summary":"An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\\0' character.","verified":false},"CVE-2018-10548":{"cvss":5.0,"ports":[443],"summary":"An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.","verified":false},"CVE-2018-10547":{"cvss":4.3,"ports":[443],"summary":"An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.","verified":false},"CVE-2018-10546":{"cvss":5.0,"ports":[443],"summary":"An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.","verified":false},"CVE-2018-10545":{"cvss":1.9,"ports":[443],"summary":"An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.","verified":false},"CVE-2018-7600":{"cvss":7.5,"ports":[443],"summary":"Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.","verified":false},"CVE-2018-7584":{"cvss":7.5,"ports":[443],"summary":"In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.","verified":false},"CVE-2018-5712":{"cvss":4.3,"ports":[443],"summary":"An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.","verified":false},"CVE-2018-5711":{"cvss":4.3,"ports":[443],"summary":"gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.","verified":false},"CVE-2017-16642":{"cvss":5.0,"ports":[443],"summary":"In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.","verified":false},"CVE-2017-12933":{"cvss":7.5,"ports":[443],"summary":"The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.","verified":false},"CVE-2017-12868":{"cvss":7.5,"ports":[443],"summary":"The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.","verified":false},"CVE-2017-11628":{"cvss":6.8,"ports":[443],"summary":"In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of the system's php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application for syntax validation of php.ini directives.","verified":false},"CVE-2017-11147":{"cvss":6.4,"ports":[443],"summary":"In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.","verified":false},"CVE-2017-11145":{"cvss":5.0,"ports":[443],"summary":"In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist.","verified":false},"CVE-2017-11144":{"cvss":5.0,"ports":[443],"summary":"In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.","verified":false},"CVE-2017-11143":{"cvss":5.0,"ports":[443],"summary":"In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.","verified":false},"CVE-2017-11142":{"cvss":7.8,"ports":[443],"summary":"In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.","verified":false},"CVE-2017-9226":{"cvss":7.5,"ports":[443],"summary":"An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.","verified":false},"CVE-2017-9224":{"cvss":7.5,"ports":[443],"summary":"An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.","verified":false},"CVE-2017-8923":{"cvss":7.5,"ports":[443],"summary":"The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.","verified":false},"CVE-2017-7963":{"cvss":5.0,"ports":[443],"summary":"The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. NOTE: the vendor disputes this, stating \"There is no security issue here, because GMP safely aborts in case of an OOM condition. The only attack vector here is denial of service. However, if you allow attacker-controlled, unbounded allocations you have a DoS vector regardless of GMP's OOM behavior.","verified":false},"CVE-2017-7890":{"cvss":4.3,"ports":[443],"summary":"The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.","verified":false},"CVE-2017-7272":{"cvss":5.8,"ports":[443],"summary":"PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.","verified":false},"CVE-2016-10397":{"cvss":5.0,"ports":[443],"summary":"In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).","verified":false},"CVE-2016-10161":{"cvss":5.0,"ports":[443],"summary":"The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.","verified":false},"CVE-2016-10159":{"cvss":5.0,"ports":[443],"summary":"Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.","verified":false},"CVE-2016-10158":{"cvss":5.0,"ports":[443],"summary":"The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.","verified":false},"CVE-2016-9935":{"cvss":7.5,"ports":[443],"summary":"The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.","verified":false},"CVE-2016-9934":{"cvss":5.0,"ports":[443],"summary":"ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.","verified":false},"CVE-2016-9933":{"cvss":5.0,"ports":[443],"summary":"Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.","verified":false},"CVE-2016-9138":{"cvss":7.5,"ports":[443],"summary":"PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.","verified":false},"CVE-2016-9137":{"cvss":7.5,"ports":[443],"summary":"Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing.","verified":false},"CVE-2016-8670":{"cvss":7.5,"ports":[443],"summary":"Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted imagecreatefromstring call.","verified":false},"CVE-2016-7418":{"cvss":5.0,"ports":[443],"summary":"The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.","verified":false},"CVE-2016-7417":{"cvss":7.5,"ports":[443],"summary":"ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.","verified":false},"CVE-2016-7416":{"cvss":5.0,"ports":[443],"summary":"ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument.","verified":false},"CVE-2016-7414":{"cvss":7.5,"ports":[443],"summary":"The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.","verified":false},"CVE-2016-7413":{"cvss":7.5,"ports":[443],"summary":"Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call.","verified":false},"CVE-2016-7412":{"cvss":6.8,"ports":[443],"summary":"ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.","verified":false},"CVE-2016-7411":{"cvss":7.5,"ports":[443],"summary":"ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.","verified":false},"CVE-2016-7132":{"cvss":5.0,"ports":[443],"summary":"ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray element inside a boolean element, leading to incorrect pop processing.","verified":false},"CVE-2016-7131":{"cvss":5.0,"ports":[443],"summary":"ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag that lacks a < (less than) character.","verified":false},"CVE-2016-7130":{"cvss":5.0,"ports":[443],"summary":"The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize call that mishandles a binary element in a wddxPacket XML document.","verified":false},"CVE-2016-7129":{"cvss":7.5,"ports":[443],"summary":"The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a dateTime element in a wddxPacket XML document.","verified":false},"CVE-2016-7128":{"cvss":5.0,"ports":[443],"summary":"The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image.","verified":false},"CVE-2016-7127":{"cvss":7.5,"ports":[443],"summary":"The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate gamma values, which allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by providing different signs for the second and third arguments.","verified":false},"CVE-2016-7126":{"cvss":7.5,"ports":[443],"summary":"The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to cause a denial of service (select_colors allocation error and out-of-bounds write) or possibly have unspecified other impact via a large value in the third argument.","verified":false},"CVE-2016-7125":{"cvss":5.0,"ports":[443],"summary":"ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection.","verified":false},"CVE-2016-7124":{"cvss":7.5,"ports":[443],"summary":"ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.","verified":false},"CVE-2016-3171":{"cvss":6.8,"ports":[443],"summary":"Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.","verified":false},"CVE-2016-3169":{"cvss":6.8,"ports":[443],"summary":"The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.","verified":false},"CVE-2016-3168":{"cvss":8.5,"ports":[443],"summary":"The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a \"reflected file download vulnerability.\"","verified":false},"CVE-2016-3167":{"cvss":6.4,"ports":[443],"summary":"Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the \"destination\" parameter.","verified":false},"CVE-2016-3166":{"cvss":4.3,"ports":[443],"summary":"CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.","verified":false},"CVE-2016-3165":{"cvss":5.0,"ports":[443],"summary":"The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has \"#access\" set to FALSE in the server-side form definition.","verified":false},"CVE-2016-3164":{"cvss":5.8,"ports":[443],"summary":"Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.","verified":false},"CVE-2016-3163":{"cvss":5.0,"ports":[443],"summary":"The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.","verified":false},"CVE-2015-9253":{"cvss":6.8,"ports":[443],"summary":"An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before 7.2.8, and before 7.1.20. The php-fpm master process restarts a child process in an endless loop when using program execution functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking STDIN stream, causing this master process to consume 100% of the CPU, and consume disk space with a large volume of error logs, as demonstrated by an attack by a customer of a shared-hosting facility.","verified":false},"CVE-2015-9251":{"cvss":4.3,"ports":[443],"summary":"jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.","verified":false},"CVE-2015-8994":{"cvss":6.8,"ports":[443],"summary":"An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vulnerability details are as follows. In PHP SAPIs where PHP interpreters share a common parent process, Zend OpCache creates a shared memory object owned by the common parent during initialization. Child PHP processes inherit the SHM descriptor, using it to cache and retrieve compiled script bytecode (\"opcode\" in PHP jargon). Cache keys vary depending on configuration, but filename is a central key component, and compiled opcode can generally be run if a script's filename is known or can be guessed. Many common shared-hosting configurations change EUID in child processes to enforce privilege separation among hosted users (for example using mod_ruid2 for the Apache HTTP Server, or php-fpm user settings). In these scenarios, the default Zend OpCache behavior defeats script file permissions by sharing a single SHM cache among all child PHP processes. PHP scripts often contain sensitive information: Think of CMS configurations where reading or running another user's script usually means gaining privileges to the CMS database.","verified":false},"CVE-2015-8877":{"cvss":5.0,"ports":[443],"summary":"The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.0, as used in PHP before 5.6.12, uses inconsistent allocate and free approaches, which allows remote attackers to cause a denial of service (memory consumption) via a crafted call, as demonstrated by a call to the PHP imagescale function.","verified":false},"CVE-2015-8874":{"cvss":5.0,"ports":[443],"summary":"Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.","verified":false},"CVE-2015-6661":{"cvss":5.0,"ports":[443],"summary":"Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.","verified":false},"CVE-2015-6660":{"cvss":6.8,"ports":[443],"summary":"The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to \"file upload value callbacks.\"","verified":false},"CVE-2015-6658":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files.","verified":false},"CVE-2015-4601":{"cvss":10.0,"ports":[443],"summary":"PHP before 5.6.7 might allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to \"type confusion\" issues in (1) ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c, a different issue than CVE-2015-4600.","verified":false},"CVE-2015-3234":{"cvss":4.3,"ports":[443],"summary":"The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers.","verified":false},"CVE-2015-2750":{"cvss":5.8,"ports":[443],"summary":"Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the \"//\" initial sequence.","verified":false},"CVE-2015-2749":{"cvss":5.8,"ports":[443],"summary":"Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.","verified":false},"CVE-2015-2559":{"cvss":3.5,"ports":[443],"summary":"Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.","verified":false},"CVE-2014-9426":{"cvss":7.5,"ports":[443],"summary":"The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors. NOTE: this is disputed by the vendor because the standard erealloc behavior makes the free operation unreachable","verified":false},"CVE-2014-9015":{"cvss":6.8,"ports":[443],"summary":"Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.","verified":false},"CVE-2014-5459":{"cvss":3.6,"ports":[443],"summary":"The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.","verified":false},"CVE-2014-5267":{"cvss":6.8,"ports":[443],"summary":"modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.","verified":false},"CVE-2014-5266":{"cvss":5.0,"ports":[443],"summary":"The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.","verified":false},"CVE-2014-5265":{"cvss":5.0,"ports":[443],"summary":"The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.","verified":false},"CVE-2014-5021":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the \"administer taxonomy\" permission to inject arbitrary web script or HTML via an option group label.","verified":false},"CVE-2014-5019":{"cvss":5.0,"ports":[443],"summary":"The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.","verified":false},"CVE-2014-2983":{"cvss":5.0,"ports":[443],"summary":"Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.","verified":false},"CVE-2014-1475":{"cvss":7.5,"ports":[443],"summary":"The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.","verified":false},"CVE-2013-6501":{"cvss":4.6,"ports":[443],"summary":"The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.","verified":false},"CVE-2013-6386":{"cvss":6.8,"ports":[443],"summary":"Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.","verified":false},"CVE-2013-6385":{"cvss":5.1,"ports":[443],"summary":"The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.","verified":false},"CVE-2013-2220":{"cvss":7.5,"ports":[443],"summary":"Buffer overflow in the radius_get_vendor_attr function in the Radius extension before 1.2.7 for PHP allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large Vendor Specific Attributes (VSA) length value.","verified":false},"CVE-2013-0245":{"cvss":2.1,"ports":[443],"summary":"The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the \"access printer-friendly version\" permission to read node titles and possibly node content via unspecified vectors.","verified":false},"CVE-2013-0244":{"cvss":2.6,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements.","verified":false},"CVE-2012-6708":{"cvss":4.3,"ports":[443],"summary":"jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.","verified":false},"CVE-2012-5653":{"cvss":6.0,"ports":[443],"summary":"The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.","verified":false},"CVE-2012-5652":{"cvss":5.0,"ports":[443],"summary":"Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.","verified":false},"CVE-2012-5651":{"cvss":5.0,"ports":[443],"summary":"Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.","verified":false},"CVE-2012-2922":{"cvss":5.0,"ports":[443],"summary":"The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.","verified":false},"CVE-2012-2907":{"cvss":2.6,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the aberdeen_breadcrumb function in template.php in the Aberdeen theme 6.x-1.x before 6.x-1.11 for Drupal, when set to append the content title to the breadcrumb, allows remote attackers to inject arbitrary web script or HTML via the content title in a breadcrumb.","verified":false},"CVE-2012-2341":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in the Take Control module 6.x-2.x before 6.x-2.2 for Drupal allows remote attackers to hijack the authentication of unspecified users for Ajax requests that manipulate files.","verified":false},"CVE-2012-2340":{"cvss":3.5,"ports":[443],"summary":"The Contact Forms module 7.x-1.x before 7.x-1.2 for Drupal does not specify sufficiently restrictive permissions, which allows remote authenticated users with the \"access the site-wide contact form\" permission to modify the module settings via unspecified vectors.","verified":false},"CVE-2012-2339":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Glossary module 6.x-1.x before 6.x-1.8 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to \"taxonomy information.\"","verified":false},"CVE-2012-2056":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in the Content Lock module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.","verified":false},"CVE-2012-1060":{"cvss":2.1,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in revisioning_theme.inc in the Taxonomy module in the Revisioning module 6.x-3.13 and other versions before 6.x-3.14 for Drupal allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) tags or (2) term parameters.","verified":false},"CVE-2012-1057":{"cvss":6.0,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in the clickthrough tracking functionality in the Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that increase node rankings via the tracking code, possibly related to improper \"flood control.\"","verified":false},"CVE-2012-1056":{"cvss":5.0,"ports":[443],"summary":"The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal does not properly enforce permissions for (1) Recent forwards, (2) Most forwarded, or (3) Dynamic blocks, which allows remote attackers to obtain node titles via unspecified vectors.","verified":false},"CVE-2012-0914":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in display_renderers/panels_renderer_editor.class.php in the admin view in the Panels module 6.x-2.x before 6.x-3.10 and 7.x-3.x before 7.x-3.0 for Drupal allows remote authenticated users with certain privileges to inject arbitrary web script or HTML via the Region title.","verified":false},"CVE-2011-5030":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Meta tags quick module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, probably related to \"names of entity bundles.\"","verified":false},"CVE-2011-4560":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Petition Node module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to signing a petition.","verified":false},"CVE-2011-4113":{"cvss":7.5,"ports":[443],"summary":"SQL injection vulnerability in the Views module before 6.x-2.13 for Drupal allows remote attackers to execute arbitrary SQL commands via vectors related to \"filters/arguments on certain types of views with specific configurations of arguments.\"","verified":false},"CVE-2011-1664":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.","verified":false},"CVE-2011-1663":{"cvss":7.5,"ports":[443],"summary":"SQL injection vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.","verified":false},"CVE-2011-1662":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2011-1661":{"cvss":5.0,"ports":[443],"summary":"The Node Quick Find module 6.x-1.1 for Drupal does not use db_rewrite_sql when presenting node titles, which allows remote attackers to bypass intended access restrictions and read potentially sensitive node titles via the autocomplete feature.","verified":false},"CVE-2011-1066":{"cvss":2.6,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2011-0899":{"cvss":5.0,"ports":[443],"summary":"The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user.","verified":false},"CVE-2010-4813":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Category Tokens module 6.x before 6.x-1.1 for Drupal allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML by editing or creating vocabulary names, which are not properly handled in token help.","verified":false},"CVE-2010-4775":{"cvss":5.0,"ports":[443],"summary":"The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships.","verified":false},"CVE-2010-4521":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Views module 6.x before 6.x-2.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via a page path.","verified":false},"CVE-2010-4520":{"cvss":4.3,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Views module 6.x before 6.x-2.11 for Drupal allow remote attackers to inject arbitrary web script or HTML via (1) a URL or (2) an aggregator feed title.","verified":false},"CVE-2010-4519":{"cvss":6.8,"ports":[443],"summary":"Multiple cross-site request forgery (CSRF) vulnerabilities in the Views UI implementation in the Views module 5.x before 5.x-1.8 and 6.x before 6.x-2.11 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable all Views or (2) disable all Views.","verified":false},"CVE-2010-3972":{"cvss":10.0,"ports":[443],"summary":"Heap-based buffer overflow in the TELNET_STREAM_CONTEXT::OnSendData function in ftpsvc.dll in Microsoft FTP Service 7.0 and 7.5 for Internet Information Services (IIS) 7.0, and IIS 7.5, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted FTP command, aka \"IIS FTP Service Heap Buffer Overrun Vulnerability.\" NOTE: some of these details are obtained from third party information.","verified":false},"CVE-2010-3423":{"cvss":7.5,"ports":[443],"summary":"SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method.","verified":false},"CVE-2010-2730":{"cvss":9.3,"ports":[443],"summary":"Buffer overflow in Microsoft Internet Information Services (IIS) 7.5, when FastCGI is enabled, allows remote attackers to execute arbitrary code via crafted headers in a request, aka \"Request Header Buffer Overflow Vulnerability.\"","verified":false},"CVE-2010-2724":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 5.x before 5.x-3.2 and 6.x before 6.x-3.2 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via unspecified vectors in the hierarchical_select form.","verified":false},"CVE-2010-2353":{"cvss":5.0,"ports":[443],"summary":"The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes.","verified":false},"CVE-2010-2352":{"cvss":5.0,"ports":[443],"summary":"The Node Reference module in Content Construction Kit (CCK) module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes.","verified":false},"CVE-2010-2158":{"cvss":2.1,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) phone, or (3) im parameter in a stormperson action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.","verified":false},"CVE-2010-2125":{"cvss":2.1,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Rotor Banner module 5.x before 5.x-1.8 and 6.x before 6.x-2.5 for Drupal allow remote authenticated users, with \"create rotor item\" or \"edit any rotor item\" privileges, to inject arbitrary web script or HTML via the (1) srs, (2) title, or (3) alt image attribute.","verified":false},"CVE-2010-2123":{"cvss":2.1,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Storm module 5.x and 6.x before 6.x-1.33 for Drupal allow remote authenticated users, with certain module privileges, to inject arbitrary web script or HTML via the (1) fullname, (2) address, (3) city, (4) provstate (aka state), (5) phone, or (6) taxid parameter in a stormorganization action to index.php; the (7) name parameter in a stormperson action to index.php; the (8) stepno (aka Step no.) or (9) title parameter in a stormtask action to index.php; the (10) title (aka Project) parameter in a stormticket action to index.php; or (11) unspecified parameters in a stormproject action to index.php. NOTE: some of these details are obtained from third party information.","verified":false},"CVE-2010-2048":{"cvss":3.5,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Heartbeat module 6.x before 6.x-4.9 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2010-2030":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the External Link Page module 5.x before 5.x-1.0 and 6.x before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to the administration and redirect pages.","verified":false},"CVE-2010-2002":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Wordfilter module 5.x before 5.x-1.1 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with \"administer words filtered\" privileges, to inject arbitrary web script or HTML via the word list.","verified":false},"CVE-2010-2001":{"cvss":2.6,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the CiviRegister module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the URI.","verified":false},"CVE-2010-2000":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) module 5.x through 5.x-1.17 and 6.x through 6.x-1.9 for Drupal allows remote authenticated users, with \"administer biblio\" privileges, to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-1358.","verified":false},"CVE-2010-1998":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the CCK TableField module 6.x before 6.x-1.2 for Drupal allows remote authenticated users, with certain node creation or editing privileges, to inject arbitrary web script or HTML via table headers.","verified":false},"CVE-2010-1984":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb module 5.x before 5.x-1.5 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via the taxonomy term name in a Breadcrumb display.","verified":false},"CVE-2010-1976":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb module 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via the node title in a Breadcrumb display.","verified":false},"CVE-2010-1958":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the FileField module 5.x before 5.x-2.5 and 6.x before 6.x-3.4 for Drupal allows remote authenticated users, with create or edit permissions and 'Path to File' or 'URL to File' display enabled, to inject arbitrary web script or HTML via the file name (filepath parameter).","verified":false},"CVE-2010-1899":{"cvss":4.3,"ports":[443],"summary":"Stack consumption vulnerability in the ASP implementation in Microsoft Internet Information Services (IIS) 5.1, 6.0, 7.0, and 7.5 allows remote attackers to cause a denial of service (daemon outage) via a crafted request, related to asp.dll, aka \"IIS Repeated Parameter Request Denial of Service Vulnerability.\"","verified":false},"CVE-2010-1584":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Context module before 6.x-2.0-rc4 for Drupal allows remote authenticated users, with Administer Blocks privileges, to inject arbitrary web script or HTML via a block description.","verified":false},"CVE-2010-1543":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the eTracker module before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML by appending a crafted string to an arbitrary URL associated with the Drupal site.","verified":false},"CVE-2010-1539":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Workflow module 5.x-2.x before 5.x-2.6 and 6.x-1.x before 6.x-1.4 for Drupal, when used with the Token module, might allow remote authenticated users to inject arbitrary web script or HTML via a certain Comment field.","verified":false},"CVE-2010-1536":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the AddThis Button module 5.x before 5.x-2.2 and 6.x before 6.x-2.9 for Drupal allows remote authenticated users, with administer addthis privileges, to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2010-1530":{"cvss":2.1,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Internationalization module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with translate interface or administer blocks privileges, to inject arbitrary web script or HTML via (1) strings used in block translation or (2) the untranslated input.","verified":false},"CVE-2010-1362":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Own Term module 6.x-1.0 for Drupal allows remote authenticated users, with \"create additional terms\" privileges, to inject arbitrary web script or HTML via the term description field in a term listing page.","verified":false},"CVE-2010-1358":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) module 5.x through 5.x-1.17 and 6.x through 6.x-1.9 for Drupal allows remote authenticated users, with \"administer biblio\" privileges, to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2010-1303":{"cvss":2.1,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy Filter module 6.x before 6.x-1.1 for Drupal allow remote authenticated users, with administer taxonomy permissions or create node permissions when free tagging is enabled, to inject arbitrary web script or HTML via vocabulary (1) names, (2) terms, and (3) filter menus.","verified":false},"CVE-2010-1108":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Control Panel module 5.x through 5.x-1.5 and 6.x through 6.x-1.2 for Drupal allows remote authenticated users, with \"administer blocks\" privileges, to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2010-1107":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Recent Comments module 5.x through 5.x-1.2 and 6.x through 6.x-1.0 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a \"custom block title interface.\"","verified":false},"CVE-2010-1074":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Currency Exchange module before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to watchdog logging.","verified":false},"CVE-2010-0752":{"cvss":5.0,"ports":[443],"summary":"The week_post_page function in the Weekly Archive by Node Type module 6.x before 6.x-2.7 for Drupal does not properly implement node access restrictions when constructing SQL queries, which allows remote attackers to read restricted node listings via unspecified vectors.","verified":false},"CVE-2010-0697":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the iTweak Upload module 6.x-1.x before 6.x-1.2 and 6.x-2.x before 6.x-2.3 for Drupal allows remote authenticated users, with create content and upload file permissions, to inject arbitrary web script or HTML via the file name of an uploaded file.","verified":false},"CVE-2010-0370":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Node Blocks module 5.x-1.1 and earlier, and 6.x-1.3 and earlier, a module for Drupal, allows remote authenticated users, with permissions to create or edit content and administer blocks, to inject arbitrary web script or HTML via the edit-title parameter (aka block title).","verified":false},"CVE-2009-5096":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Flag Content module 5.x-2.x before 5.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Reason parameter.","verified":false},"CVE-2009-4990":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Webform report module 5.x and 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a submission.","verified":false},"CVE-2009-4829":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Automated Logout module 6.x-1.x before 6.x-1.7 and 6.x-2.x before 6.x-2.3 for Drupal allows remote authenticated users with administer autologout privileges to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-4773":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in the order-management functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.","verified":false},"CVE-2009-4772":{"cvss":4.3,"ports":[443],"summary":"Unspecified vulnerability in the PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal, when a custom checkout completion message is enabled, allows attackers to obtain sensitive information via unknown vectors.","verified":false},"CVE-2009-4771":{"cvss":5.0,"ports":[443],"summary":"The PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal does not properly validate orders, which allows remote attackers to trigger unspecified \"duplicate actions\" via unknown vectors.","verified":false},"CVE-2009-4602":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x through 5.x-1.0 and 6.x through 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-4559":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Submitted By module 6.x before 6.x-1.3 for Drupal allows remote authenticated users, with \"administer content types\" privileges, to inject arbitrary web script or HTML via an input string for \"submitted by\" text.","verified":false},"CVE-2009-4558":{"cvss":5.0,"ports":[443],"summary":"The Image Assist module 5.x-1.x before 5.x-1.8, 5.x-2.x before 2.0-alpha4, 6.x-1.x before 6.x-1.1, 6.x-2.x before 2.0-alpha4, and 6.x-3.x-dev before 2009-07-15, a module for Drupal, does not properly enforce privilege requirements for unspecified pages, which allows remote attackers to read the (1) title or (2) body of an arbitrary node via unknown vectors.","verified":false},"CVE-2009-4557":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Image Assist module 5.x-1.x before 5.x-1.8, 5.x-2.x before 2.0-alpha4, 6.x-1.x before 6.x-1.1, 6.x-2.x before 2.0-alpha4, and 6.x-3.x-dev before 2009-07-15, a module for Drupal, allows remote authenticated users, with image-node creation privileges, to inject arbitrary web script or HTML via a node title.","verified":false},"CVE-2009-4534":{"cvss":4.3,"ports":[443],"summary":"Open redirect vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.","verified":false},"CVE-2009-4533":{"cvss":5.0,"ports":[443],"summary":"The Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, does not prevent caching of a page that contains token placeholders for a default value, which allows remote attackers to read session variables via unspecified vectors.","verified":false},"CVE-2009-4532":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module for Drupal, allows remote authenticated users, with webform creation privileges, to inject arbitrary web script or HTML via a field label.","verified":false},"CVE-2009-4528":{"cvss":6.5,"ports":[443],"summary":"The Organic Groups (OG) Vocabulary module 6.x before 6.x-1.0 for Drupal allows remote authenticated group members to bypass intended access restrictions, and create, modify, or read a vocabulary, via unspecified vectors.","verified":false},"CVE-2009-4527":{"cvss":4.6,"ports":[443],"summary":"The Shibboleth authentication module 5.x before 5.x-3.4 and 6.x before 6.x-3.2, a module for Drupal, does not properly remove statically granted privileges after a logout or other session change, which allows physically proximate attackers to gain privileges by using an unattended web browser.","verified":false},"CVE-2009-4526":{"cvss":5.0,"ports":[443],"summary":"The Send by e-mail sub-module in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.9 and 6.x before 6.x-1.9, a module for Drupal, does not properly enforce privilege requirements, which allows remote attackers to read page titles by requesting a \"Send to friend\" form.","verified":false},"CVE-2009-4525":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.9 and 6.x before 6.x-1.9, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via crafted data in a list of links.","verified":false},"CVE-2009-4524":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the RealName module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a realname (aka real name) element.","verified":false},"CVE-2009-4520":{"cvss":5.0,"ports":[443],"summary":"The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to bypass intended access restrictions and read comments by using the autocomplete path.","verified":false},"CVE-2009-4518":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Insert Node module 5.x before 5.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via an inserted node.","verified":false},"CVE-2009-4517":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that access unpublished content.","verified":false},"CVE-2009-4516":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-4515":{"cvss":5.0,"ports":[443],"summary":"The Storm module 6.x before 6.x-1.25 for Drupal does not enforce privilege requirements for storminvoiceitem nodes, which allows remote attackers to read node titles via unspecified vectors.","verified":false},"CVE-2009-4514":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the OpenSocial Shindig-Integrator module 5.x and 6.x before 6.x-2.1, a module for Drupal, allows remote authenticated users, with \"create application\" privileges, to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-4513":{"cvss":3.5,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Workflow module 5.x before 5.x-2.4 and 6.x before 6.x-1.2, a module for Drupal, allow remote authenticated users, with \"administer workflow\" privileges, to inject arbitrary web script or HTML via the name of a (1) workflow or (2) workflow state.","verified":false},"CVE-2009-4429":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Sections module 5.x before 5.x-1.3 and 6.x before 6.x-1.3 for Drupal allows remote authenticated users with \"administer sections\" privileges to inject arbitrary web script or HTML via a section name (aka the Name field).","verified":false},"CVE-2009-4296":{"cvss":7.5,"ports":[443],"summary":"SQL injection vulnerability in the Taxonomy Timer module 5.x-1.8 and earlier and 6.x-alpha1 and earlier for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.","verified":false},"CVE-2009-4207":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Webform module 5.x before 5.x-2.7 and 6.x before 6.x-2.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a submission.","verified":false},"CVE-2009-4119":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Feed Element Mapper module 5.x before 5.x-1.3, 6.x before 6.x-1.3, and 6.x-2.0-alpha before 6.x-2.0-alpha4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-4066":{"cvss":6.8,"ports":[443],"summary":"Multiple cross-site request forgery (CSRF) vulnerabilities in the \"My Account\" feature in PHPList Integration module 5 before 5.x-1.2 and 6 before 6.x-1.1 for Drupal allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) subscribing or (2) unsubscribing to mailing lists.","verified":false},"CVE-2009-4065":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the settings page in the Strongarm module 6.x before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the value field when viewing overridden variables.","verified":false},"CVE-2009-4064":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Gallery Assist module 6.x before 6.x-1.7 for Drupal allows remote attackers to inject arbitrary web script or HTML via node titles.","verified":false},"CVE-2009-4063":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Subgroups for Organic Groups (OG) module 5.x before 5.x-4.0 and 5.x before 5.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified node titles.","verified":false},"CVE-2009-4062":{"cvss":4.3,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Printfriendly module 6.x before 6.x-1.6 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-4061":{"cvss":4.3,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Agreement module 6.x before 6.x-1.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-4044":{"cvss":7.5,"ports":[443],"summary":"The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors.","verified":false},"CVE-2009-4043":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the AddToAny module 5.x before 5.x-2.4 and 6.x before 6.x-2.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via a node title.","verified":false},"CVE-2009-4042":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the RootCandy theme 6.x before 6.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via the URI.","verified":false},"CVE-2009-3922":{"cvss":6.8,"ports":[443],"summary":"Multiple cross-site request forgery (CSRF) vulnerabilities in the User Protect module 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allow remote attackers to hijack the authentication of administrators for requests that (1) delete the editing protection of a user or (2) delete a certain type of administrative-bypass rule.","verified":false},"CVE-2009-3921":{"cvss":4.0,"ports":[443],"summary":"The Smartqueue_og module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-rc3, a module for Drupal, does not verify group-node privileges in certain circumstances involving subqueue creation, which allows remote authenticated users to discover arbitrary organic group names by reading confirmation messages.","verified":false},"CVE-2009-3920":{"cvss":5.0,"ports":[443],"summary":"An administration page in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal does not perform the expected access control, which allows remote attackers to read log information via unspecified vectors.","verified":false},"CVE-2009-3919":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified \"user-supplied information.\"","verified":false},"CVE-2009-3918":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Zoomify module 5.x before 5.x-2.2 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the node title.","verified":false},"CVE-2009-3917":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the S5 Presentation Player module 6.x-1.x before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via an unspecified field that is copied to the HTML HEAD element.","verified":false},"CVE-2009-3916":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Node Hierarchy module 5.x before 5.x-1.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a child node title.","verified":false},"CVE-2009-3915":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the \"Separate title and URL\" formatter in the Link module 5.x before 5.x-2.6 and 6.x before 6.x-2.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the link title field.","verified":false},"CVE-2009-3914":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Temporary Invitation module 5.x before 5.x-2.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Name field in an invitation.","verified":false},"CVE-2009-3786":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Organic Groups (OG) Vocabulary 5.x before 5.x-1.1 and 6.x before 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the group title.","verified":false},"CVE-2009-3785":{"cvss":6.8,"ports":[443],"summary":"Multiple cross-site request forgery (CSRF) vulnerabilities in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allow remote attackers to hijack the authentication of arbitrary users via unknown vectors.","verified":false},"CVE-2009-3784":{"cvss":6.8,"ports":[443],"summary":"Open redirect vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.","verified":false},"CVE-2009-3783":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Simplenews Statistics 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vector.","verified":false},"CVE-2009-3782":{"cvss":3.5,"ports":[443],"summary":"Unspecified vulnerability in Userpoints 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users with \"View own userpoints\" permissions to read the userpoint data of arbitrary users via unknown attack vectors.","verified":false},"CVE-2009-3780":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Abuse 5.x before 5.x-2.1 and 6.x before 6.x-1.1-alpha1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-3779":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in vCard 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to the addition of the theme_vcard function to a theme and the use of default content.","verified":false},"CVE-2009-3778":{"cvss":7.5,"ports":[443],"summary":"SQL injection vulnerability in Moodle Course List 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.","verified":false},"CVE-2009-3657":{"cvss":5.8,"ports":[443],"summary":"Session fixation vulnerability in Shared Sign-On 5.x and 6.x, a module for Drupal, allows remote attackers to hijack web sessions via unspecified vectors.","verified":false},"CVE-2009-3656":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in Shared Sign-On 5.x and 6.x, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users via unknown vectors.","verified":false},"CVE-2009-3654":{"cvss":6.4,"ports":[443],"summary":"Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal, allows remote attackers to create new webroot directories via unknown attack vectors.","verified":false},"CVE-2009-3653":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the additional links interface in XML Sitemap 5.x-1.6, a module for Drupal, allows remote authenticated users, with \"administer site configuration\" permission, to inject arbitrary web script or HTML via unspecified vectors, related to link path output.","verified":false},"CVE-2009-3652":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Organic Groups (OG) 5.x-7.x before 5.x-7.4, 5.x-8.x before 5.x-8.1, and 6.x-1.x before 6.x-1.4, a module for Drupal, allows remote authenticated users, with create or edit group nodes permissions, to inject arbitrary web script or HTML via the User-Agent HTTP header, a different issue than CVE-2008-3095.","verified":false},"CVE-2009-3651":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the \"Monitor browsers' feature in Browscap before 5.x-1.1 and 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.","verified":false},"CVE-2009-3650":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Dex 5.x-1.0 and earlier and 6.x-1.0-rc1 and earlier, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-3648":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Service Links 6.x-1.0, a module for Drupal, allows remote authenticated users, with 'administer content types' permissions, to inject arbitrary web script or HTML via unspecified vectors when displaying content type names.","verified":false},"CVE-2009-3568":{"cvss":5.0,"ports":[443],"summary":"Comment RSS 5.x before 5.x-2.2 and 6.x before 6.x-2.2, a module for Drupal, does not properly enforce permissions when a link is added to the RSS feed, which allows remote attackers to obtain the node title and possibly other sensitive content by reading the feed.","verified":false},"CVE-2009-3488":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Bibliography (aka Biblio) module 6.x-1.6 for Drupal allows remote authenticated users, with certain content-creation privileges, to inject arbitrary web script or HTML via the Title field, probably a different vulnerability than CVE-2009-3479.","verified":false},"CVE-2009-3479":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x before 5.x-1.17 and 6.x before 6.x-1.6, a module for Drupal, allows remote attackers, with \"create content displayed by the Bibliography module\" permissions, to inject arbitrary web script or HTML via a title.","verified":false},"CVE-2009-3442":{"cvss":5.0,"ports":[443],"summary":"The Meta tags (aka Nodewords) module before 6.x-1.1 for Drupal does not properly follow permissions during assignment of node meta tags, which allows remote attackers to obtain sensitive information via unspecified vectors.","verified":false},"CVE-2009-3437":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the live preview feature in the Markdown Preview module 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via \"Markdown input.\"","verified":false},"CVE-2009-3435":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the variable editor in the Devel module 5.x before 5.x-1.2 and 6.x before 6.x-1.18, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a variable name.","verified":false},"CVE-2009-3363":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the BUEditor module 5.x before 5.x-1.2 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the \"plain textarea editor.\"","verified":false},"CVE-2009-3354":{"cvss":10.0,"ports":[443],"summary":"Multiple unspecified vulnerabilities in the Rest API module for Drupal have unknown impact and attack vectors.","verified":false},"CVE-2009-3353":{"cvss":10.0,"ports":[443],"summary":"Multiple unspecified vulnerabilities in the Node2Node module for Drupal have unknown impact and attack vectors.","verified":false},"CVE-2009-3352":{"cvss":10.0,"ports":[443],"summary":"Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors.","verified":false},"CVE-2009-3351":{"cvss":10.0,"ports":[443],"summary":"Multiple unspecified vulnerabilities in the Node Browser module for Drupal have unknown impact and attack vectors.","verified":false},"CVE-2009-3350":{"cvss":10.0,"ports":[443],"summary":"Multiple unspecified vulnerabilities in the Subdomain Manager module for Drupal have unknown impact and attack vectors.","verified":false},"CVE-2009-3210":{"cvss":3.5,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.8 and 6.x before 6.x-1.8, a module for Drupal, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-3207":{"cvss":6.8,"ports":[443],"summary":"The ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, when the private file system is used, does not properly perform access control for derivative images, which allows remote attackers to view arbitrary images via a request that specifies an image's filename.","verified":false},"CVE-2009-3206":{"cvss":3.5,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10, a module for Drupal, allow remote authenticated users, with \"administer imagecache\" permissions, to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-3157":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Calendar module 6.x before 6.x-2.2 for Drupal allows remote authenticated users, with \"create new content types\" privileges, to inject arbitrary web script or HTML via the title of a content type.","verified":false},"CVE-2009-3156":{"cvss":2.1,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Date Tools sub-module in the Date module 6.x before 6.x-2.3 for Drupal allows remote authenticated users, with \"use date tools\" or \"administer content types\" privileges, to inject arbitrary web script or HTML via a \"Content type label\" field.","verified":false},"CVE-2009-3122":{"cvss":6.4,"ports":[443],"summary":"The Ajax Table module 5.x for Drupal does not perform access control, which allows remote attackers to delete arbitrary users and nodes via unspecified vectors.","verified":false},"CVE-2009-3121":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Ajax Table module 5.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-2610":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Links Related module in the Links Package 5.x before 5.x-1.13 and 6.x before 6.x-1.2, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via the title field.","verified":false},"CVE-2009-2572":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in the Fivestar module 5.x-1.x before 5.x-1.14 and 6.x-1.x before 6.x-1.14, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that cast votes.","verified":false},"CVE-2009-2371":{"cvss":6.5,"ports":[443],"summary":"Advanced Forum 6.x before 6.x-1.1, a module for Drupal, does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.","verified":false},"CVE-2009-2370":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Advanced Forum 5.x before 5.x-1.1 and 6.x before 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2009-2291":{"cvss":6.8,"ports":[443],"summary":"Unspecified vulnerability in LoginToboggan 6.x-1.x before 6.x-1.5, a module for Drupal, when \"Allow users to login using their e-mail address\" is enabled, allows remote blocked users to bypass intended access restrictions via unspecified vectors.","verified":false},"CVE-2009-2237":{"cvss":7.5,"ports":[443],"summary":"Unspecified vulnerability in Views Bulk Operations 5.x-1.x before 5.x-1.4 and 6.x-1.x before 6.x-1.7, a module for Drupal, allows remote attackers to bypass intended access restrictions and modify \"nodes or classes of nodes\" via unknown vectors, probably related to registered procedures (aka actions).","verified":false},"CVE-2009-2083":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the term data detail page in Taxonomy manager 5.x before 5.x-1.2, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to use free tagging to add taxonomy terms, to inject arbitrary web script or HTML via \"Parent and related terms.\"","verified":false},"CVE-2009-2079":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the administrative page interface in Taxonomy manager 5.x before 5.x-1.2 and 6.x before 6.x-1.1, a module for Drupal, allows remote authenticated users, with administer taxonomy privileges or the ability to use free tagging to add taxonomy terms, to inject arbitrary web script or HTML via (1) vocabulary names, (2) synonyms, and (3) term names.","verified":false},"CVE-2009-2078":{"cvss":4.3,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in Booktree 5.x before 5.x-7.3 and 6.x before 6.x-1.1, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) node title and (2) node body in a tree root page.","verified":false},"CVE-2009-2077":{"cvss":4.0,"ports":[443],"summary":"Drupal 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to bypass access restrictions and (1) read unpublished content from anonymous users when a view is already configured to display the content, and (2) read private content in generated queries.","verified":false},"CVE-2009-2076":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Views 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via (1) exposed filters in the Views UI administrative interface and in the (2) view name parameter in the define custom views feature. NOTE: vector 2 is only exploitable by users with administer views permissions.","verified":false},"CVE-2009-2075":{"cvss":7.5,"ports":[443],"summary":"Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drupal, does not properly restrict access when displaying node titles, which has unknown impact and attack vectors.","verified":false},"CVE-2009-2074":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drupal, allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via vocabulary names.","verified":false},"CVE-2009-1823":{"cvss":2.6,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.7 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML by modifying a document head, before the Content-Type META element, to contain crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, a related issue to CVE-2009-1575.","verified":false},"CVE-2009-1507":{"cvss":7.5,"ports":[443],"summary":"The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x before 6.x-2.0-beta6, a module for Drupal, interprets an empty CCK user reference as a reference to the anonymous user, which might allow remote attackers to bypass intended access restrictions to read or modify a node.","verified":false},"CVE-2009-1505":{"cvss":6.5,"ports":[443],"summary":"SQL injection vulnerability in the News Page module 5.x before 5.x-1.2 for Drupal allows remote authenticated users, with News Page nodes create and edit privileges, to execute arbitrary SQL commands via the Include Words (aka keywords) field.","verified":false},"CVE-2009-1501":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Exif module 5.x-1.x before 5.x-1.2 and 6.x-1.x-dev before April 13, 2009, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via EXIF tags in an image.","verified":false},"CVE-2009-1344":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Localization client module 5.x before 5.x-1.2 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the translation functionality.","verified":false},"CVE-2009-1343":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.5 and 6.x before 6.x-1.5, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via content titles.","verified":false},"CVE-2009-1342":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the CCK comment reference module 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via certain comment titles associated with a node edit form.","verified":false},"CVE-2009-1249":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map.","verified":false},"CVE-2009-1069":{"cvss":4.3,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x before 6.x-2.2, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) titles of candidate referenced nodes in the Node reference sub-module and the (2) names of candidate referenced users in the User reference sub-module.","verified":false},"CVE-2009-1047":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Send by e-mail module in the \"Printer, e-mail and PDF versions\" module 5.x before 5.x-4.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via vectors involving outbound HTML e-mail.","verified":false},"CVE-2009-1037":{"cvss":5.0,"ports":[443],"summary":"Unspecified vulnerability in the Send by e-mail module in the \"Printer, e-mail and PDF versions\" module 5.x before 5.x-4.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to send unlimited spam messages via unknown vectors related to the flood control API.","verified":false},"CVE-2009-1036":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in the Plus 1 module before 6.x-2.6, a module for Drupal, allows remote attackers to cast votes for content via unspecified aspects of the URI.","verified":false},"CVE-2009-1035":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Tasklist module 5.x-1.x before 5.x-1.3 and 5.x-2.x before 5.x-2.0-alpha1, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via Cascading Style Sheets (CSS).","verified":false},"CVE-2009-0818":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the taxonomy_theme_admin_table_builder function (taxonomy_theme_admin.inc) in Taxonomy Theme module before 5.x-1.2, a module for Drupal, allows remote authenticated users with the \"administer taxonomy\" permission, or the ability to create pages when tagging is enabled, to inject arbitrary web script or HTML via the Vocabulary name (name parameter) to index.php. NOTE: some of these details are obtained from third party information.","verified":false},"CVE-2009-0817":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Protected Node module 5.x before 5.x-1.4 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users with \"administer site configuration\" permissions to inject arbitrary web script or HTML via the Password page info field, which is not properly handled by the protected_node_enterpassword function in protected_node.module.","verified":false},"CVE-2009-0382":{"cvss":4.3,"ports":[443],"summary":"Unspecified vulnerability in Internationalization (i18n) Translation 5.x before 5.x-2.5, a module for Drupal, allows remote attackers with \"translate node\" permissions to bypass intended access restrictions and read unpublished nodes via unspecified vectors.","verified":false},"CVE-2008-7151":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in Live 5.x before 5.x-0.1, a module for Drupal, allows remote attackers to hijack the authentication of unspecified privileged users for requests that can be leveraged to execute arbitrary PHP code.","verified":false},"CVE-2008-7150":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in Refine by Taxonomy 5.x before 5.x-0.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a taxonomy term, which is not properly handled by refine_by_taxo when displaying tags.","verified":false},"CVE-2008-6972":{"cvss":3.5,"ports":[443],"summary":"Multiple cross-site scripting (XSS) vulnerabilities in Drupal Content Construction Kit (CCK) 5.x through 5.x-1.8 allow remote authenticated users with \"administer content\" permissions to inject arbitrary web script or HTML via the (1) \"field label,\" (2) \"help text,\" or (3) \"allowed values\" settings.","verified":false},"CVE-2008-6910":{"cvss":7.5,"ports":[443],"summary":"Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not use timeouts for signed requests, which allows remote attackers to impersonate other users and gain privileges via a replay attack that sends the same request.","verified":false},"CVE-2008-6909":{"cvss":6.5,"ports":[443],"summary":"Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not sign all required data in requests, which has unspecified impact, probably related to man-in-the-middle attacks that modify critical data and allow remote attackers to impersonate other users and gain privileges.","verified":false},"CVE-2008-6908":{"cvss":7.5,"ports":[443],"summary":"Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, uses an insecure hash when signing requests, which allows remote attackers to impersonate other users and gain privileges.","verified":false},"CVE-2008-6836":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in OpenID 5.x before 5x.-1.2, a module for Drupal, allows remote attackers to hijack the authentication of unspecified victims to delete OpenID identities via unknown vectors.","verified":false},"CVE-2008-6835":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in OpenID 5.x before 5.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2008-6413":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Answers module 5.x-1.x-dev and possibly other 5.x versions, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via a Simple Answer to a question.","verified":false},"CVE-2008-6383":{"cvss":6.0,"ports":[443],"summary":"SQL injection vulnerability in SpeedTech Organization and Resource Manager (Storm) 5.x before 5.x-1.14 and 6.x before 6.x-1.18, a module for Drupal, allows remote authenticated users with storm project access to execute arbitrary SQL commands via unspecified vectors.","verified":false},"CVE-2008-6137":{"cvss":7.5,"ports":[443],"summary":"EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to bypass access restrictions via unknown vectors.","verified":false},"CVE-2008-6135":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2008-6134":{"cvss":7.5,"ports":[443],"summary":"SQL injection vulnerability in EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.","verified":false},"CVE-2008-6020":{"cvss":7.5,"ports":[443],"summary":"SQL injection vulnerability in the Views module 6.x before 6.x-2.2 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to \"an exposed filter on CCK text fields.\"","verified":false},"CVE-2008-5999":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Ajax Checklist module 5.x before 5.x-1.1 for Drupal allows remote authenticated users, with create and edit permissions for posts, to inject arbitrary web script or HTML via unspecified vectors involving the ajax_checklist filter.","verified":false},"CVE-2008-5998":{"cvss":6.0,"ports":[443],"summary":"Multiple SQL injection vulnerabilities in the ajax_checklist_save function in the Ajax Checklist module 5.x before 5.x-1.1 for Drupal allow remote authenticated users, with \"update ajax checklists\" permissions, to execute arbitrary SQL commands via a save operation, related to the (1) nid, (2) qid, and (3) state parameters.","verified":false},"CVE-2008-5996":{"cvss":3.5,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Simplenews module 5.x before 5.x-1.5 and 6.x before 6.x-1.0-beta4, a module for Drupal, allows remote authenticated users, with \"administer taxonomy\" permissions, to inject arbitrary web script or HTML via a Newsletter category field.","verified":false},"CVE-2008-4710":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the stock quotes page in Stock 6.x before 6.x-1.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2008-4633":{"cvss":6.0,"ports":[443],"summary":"SQL injection vulnerability in Node Vote 5.x before 5.x-1.1 and 6.x before 6.x-1.0, a module for Drupal, when \"Allow user to vote again\" is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to a \"previously cast vote.\"","verified":false},"CVE-2008-2629":{"cvss":7.5,"ports":[443],"summary":"SQL injection vulnerability in the LifeType (formerly pLog) module for Drupal allows remote attackers to execute arbitrary SQL commands via the albumId parameter in a ViewAlbum action to index.php.","verified":false},"CVE-2008-1792":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the insertion filter in the Flickr Drupal module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-alpha allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2008-1731":{"cvss":7.5,"ports":[443],"summary":"The Simple Access module for Drupal 5.x through 5.x-1.2-2 does not properly handle the privacy information for nodes, which might allow remote attackers to bypass intended access restrictions, and read or modify nodes, in opportunistic circumstances related to interaction between Simple Access and (1) Node clone or (2) Project issue tracking.","verified":false},"CVE-2008-0462":{"cvss":4.3,"ports":[443],"summary":"Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","verified":false},"CVE-2007-6752":{"cvss":6.8,"ports":[443],"summary":"Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the \"security benefit against platform complexity and performance impact\" and concluding that a change to the logout behavior is not planned because \"for most sites it is not worth the trade-off.","verified":false},"CVE-2007-3205":{"cvss":5.0,"ports":[443],"summary":"The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.","verified":false}}; setupBannerCve(); setupVulns(VULNS); })();