Show advisories for only Drupal Core, only contributed projects, or only PSAs

DRUPAL-SA-2006-004 Mail header injection vulnerability

By jvandyk on
  • Advisory ID: DRUPAL-SA-2006-004
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: moderately critical
  • Impact: security bypass
  • Where: from remote
  • Vulnerability: mail header injection attack
Categories: Drupal 4.5.x or older, Drupal 4.6.x

DRUPAL-SA-2006-003 Session fixation vulnerability

By jvandyk on
  • Advisory ID: DRUPAL-SA-2006-003
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: less critical
  • Impact: hijacking
  • Where: from remote
  • Vulnerability: session fixation attack
Categories: Drupal 4.5.x or older, Drupal 4.6.x

DRUPAL-SA-2006-002 XSS vulnerabilities

By jvandyk on
  • Advisory ID: DRUPAL-SA-2006-002
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: less critical
  • Impact: cross-site scripting
  • Where: from remote
  • Vulnerability: cross-site scripting
Categories: Drupal 4.5.x or older, Drupal 4.6.x

DRUPAL-SA-2006-001 Security bypass in menu.module

By jvandyk on
  • Advisory ID: DRUPAL-SA-2006-001
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: less critical
  • Impact: security bypass
  • Where: from remote
  • Vulnerability: bypass access control
Categories: Drupal 4.5.x or older, Drupal 4.6.x

False Drupal XSS alarm on BugTraq - PSA-2006-001

Date: 
2006-January-04

Someone under the pseudonym "Liz0ziM" sent a false security alarm to BugTraq without first contacting the security team:

http://www.securityfocus.com/archive/1/420671/30/0/threaded

This vulnerability is fixed in Drupal 4.5.6, 4.6.4 and onwards. Drupal's new XSS filter mechanism takes care of all vulnerabilities listed on http://ha.ckers.org/xss.html (and even more).

DRUPAL-SA-2005-009 Bypass "view user profiles" permission

By dries on
  • Advisory ID: DRUPAL-SA-2005-009
  • Project: Drupal core
  • Date: 2005-11-30
  • Security risk: not critical
  • Impact: normal
  • Where: from remote
  • Vulnerability: bypass access control
Categories: Drupal 4.6.x

DRUPAL-SA-2005-008 XSS and HTTP header injection vulnerability with uploaded files

By dries on
  • Advisory ID: DRUPAL-SA-2005-008
  • Project: Drupal core
  • Date: 2005-11-30
  • Security risk: less critical
  • Impact: normal
  • Where: from remote
  • Vulnerability: XSS, HTTP header injection
Categories: Drupal 4.5.x or older, Drupal 4.6.x

DRUPAL-SA-2005-007 XSS vulnerability in submitted content

By dries on
  • Advisory ID: DRUPAL-SA-2005-007
  • Project: Drupal core
  • Date: 2005-11-30
  • Security risk: less critical
  • Impact: normal
  • Where: from remote
  • Vulnerability: XSS
Categories: Drupal 4.5.x or older, Drupal 4.6.x

Unintentionally logging credit card transactions

By chx on
  • Advisory ID: DRUPAL-SA-2005-006
  • Project: ecommerce
  • Date: 2005-Oct-30
  • Security risk: critical
  • Impact: authorize_net module, which is a part of the ecommerce package
  • Exploitable from: local
  • Vulnerability: System is unintentionally logging credit card transactions, including card numbers.

SQL injection and PHP code execution

By chx on
  • Advisory ID: DRUPAL-SA-2005-005
  • Project: flexinode
  • Date: 2005-Oct-03
  • Security risk: highly critical
  • Impact: flexinode module
  • Exploitable from: remote
  • Vulnerability: SQL injection and PHP execution by bypassing input format check

Pages

Subscribe with RSS Subscribe to Security advisories