Drupal — система управления контентом с открытым исходным кодом. На Drupal работает более миллиона сайтов — от личных блогов до сайтов компаний, политических партий и государственных организаций.
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 966
CVE-2007-5621
Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames.
CVE-2007-5594
Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack.
CVE-2007-5596
The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.
CVE-2007-5597
The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions.
CVE-2007-5595
CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
CVE-2007-5593
install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified.
CVE-2007-5593
install.php in Drupal 5.x before 5.3, when the configured database ser ...
CVE-2007-5596
The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 ...
CVE-2007-5594
Drupal 5.x before 5.3 does not apply its Drupal Forms API protection a ...
CVE-2007-5597
The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 ...
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2007-5621 Multiple cross-site scripting (XSS) vulnerabilities in the Token module before 4.7.x-1.5, and 5.x before 5.x-1.9, for Drupal; as used by the ASIN Field, e-Commerce, Fullname field for CCK, Invite, Node Relativity, Pathauto, PayPal Node, and Ubercart modules; allow remote authenticated users with a post comments privilege to inject arbitrary web script or HTML via unspecified vectors related to (1) comments, (2) vocabulary names, (3) term names, and (4) usernames. | CVSS2: 3.5 | 0% Низкий | больше 17 лет назад |
| CVE-2007-5594 Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack. | CVSS2: 4.3 | 0% Низкий | больше 17 лет назад |
| CVE-2007-5596 The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files. | CVSS2: 4.3 | 1% Низкий | больше 17 лет назад |
| CVE-2007-5597 The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions. | CVSS2: 4.3 | 1% Низкий | больше 17 лет назад |
| CVE-2007-5595 CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | CVSS2: 5.1 | 2% Низкий | больше 17 лет назад |
| CVE-2007-5593 install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified. | CVSS2: 6.8 | 2% Низкий | больше 17 лет назад |
| CVE-2007-5593 install.php in Drupal 5.x before 5.3, when the configured database ser ... | CVSS2: 6.8 | 2% Низкий | больше 17 лет назад |
| CVE-2007-5596 The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 ... | CVSS2: 4.3 | 1% Низкий | больше 17 лет назад |
| CVE-2007-5594 Drupal 5.x before 5.3 does not apply its Drupal Forms API protection a ... | CVSS2: 4.3 | 0% Низкий | больше 17 лет назад |
| CVE-2007-5597 The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 ... | CVSS2: 4.3 | 1% Низкий | больше 17 лет назад |
Уязвимостей на страницу