Drupal — система управления контентом с открытым исходным кодом. На Drupal работает более миллиона сайтов — от личных блогов до сайтов компаний, политических партий и государственных организаций.

Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks.

Cross-site scripting (XSS) vulnerability in the Exif module 5.x-1.x before 5.x-1.2 and 6.x-1.x-dev before April 13, 2009, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via EXIF tags in an image.

SQL injection vulnerability in the News Page module 5.x before 5.x-1.2 for Drupal allows remote authenticated users, with News Page nodes create and edit privileges, to execute arbitrary SQL commands via the Include Words (aka keywords) field.

The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x before 6.x-2.0-beta6, a module for Drupal, interprets an empty CCK user reference as a reference to the anonymous user, which might allow remote attackers to bypass intended access restrictions to read or modify a node.

Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 5.x before 5.x-4.5 and 6.x before 6.x-1.5, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via content titles.

Cross-site scripting (XSS) vulnerability in the Localization client module 5.x before 5.x-1.2 and 6.x before 6.x-1.7, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via input to the translation functionality.

Cross-site scripting (XSS) vulnerability in the CCK comment reference module 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via certain comment titles associated with a node edit form.

Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x before 5.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via the content title in admin/content/node-type/nodetype/map.

Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x before 6.x-2.2, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) titles of candidate referenced nodes in the Node reference sub-module and the (2) names of candidate referenced users in the User reference sub-module.

Cross-site scripting (XSS) vulnerability in the Send by e-mail module in the "Printer, e-mail and PDF versions" module 5.x before 5.x-4.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via vectors involving outbound HTML e-mail.