Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, does not use timeouts for signed requests, which allows remote attackers to impersonate other users and gain privileges via a replay attack that sends the same request.
CVSS Score
7.5
EPSS Score
0.006
Published
2009-08-06
Services 5.x before 5.x-0.92 and 6.x before 6.x-0.13, a module for Drupal, uses an insecure hash when signing requests, which allows remote attackers to impersonate other users and gain privileges.
CVSS Score
7.5
EPSS Score
0.006
Published
2009-08-06
Cross-site scripting (XSS) vulnerability in the Links Related module in the Links Package 5.x before 5.x-1.13 and 6.x before 6.x-1.2, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via the title field.
CVSS Score
3.5
EPSS Score
0.003
Published
2009-07-27
Cross-site request forgery (CSRF) vulnerability in the Fivestar module 5.x-1.x before 5.x-1.14 and 6.x-1.x before 6.x-1.14, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that cast votes.
CVSS Score
6.8
EPSS Score
0.003
Published
2009-07-22
Cross-site scripting (XSS) vulnerability in Advanced Forum 5.x before 5.x-1.1 and 6.x before 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score
4.3
EPSS Score
0.005
Published
2009-07-08
Advanced Forum 6.x before 6.x-1.1, a module for Drupal, does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.
CVSS Score
6.5
EPSS Score
0.005
Published
2009-07-08
Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score
4.3
EPSS Score
0.003
Published
2009-07-08
Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache.
CVSS Score
4.3
EPSS Score
0.003
Published
2009-07-08
Unspecified vulnerability in LoginToboggan 6.x-1.x before 6.x-1.5, a module for Drupal, when "Allow users to login using their e-mail address" is enabled, allows remote blocked users to bypass intended access restrictions via unspecified vectors.
CVSS Score
6.8
EPSS Score
0.006
Published
2009-07-01
Unspecified vulnerability in Views Bulk Operations 5.x-1.x before 5.x-1.4 and 6.x-1.x before 6.x-1.7, a module for Drupal, allows remote attackers to bypass intended access restrictions and modify "nodes or classes of nodes" via unknown vectors, probably related to registered procedures (aka actions).
CVSS Score
7.5
EPSS Score
0.003
Published
2009-06-27