Hofmockel.org

• Advisory ID: DRUPAL-SA-CONTRIB-2009-045
• Project: Moderation (third-party module)
• Version: 5.x, 6.x
• Date: 2009-07-22
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Cross-site Request Forgery

• Advisory ID: DRUPAL-SA-CONTRIB-2009-044
• Project: Bubbletimer (third-party module)
• Version: 6.x
• Date: 2009-July-22
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Multiple vulnerabilities

• Advisory ID: DRUPAL-SA-CONTRIB-2009-043
• Project: Image Assist (third-party module)
• Version: 5.x, 6.x
• Date: 2009-07-15
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross site scripting, Information disclosure

• Advisory ID: DRUPAL-SA-CONTRIB-2009-042
• Project: Submitted By (third-party module)
• Version: 6.x
• Date: 2009-July-15
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

• Advisory ID: DRUPAL-SA-CONTRIB-2009-041
• Project: Nodequeue (third-party module)
• Version: 5.x, 6.x
• Date: 2009-July-08
• Security risk: Not critical
• Exploitable from: Remote
• Vulnerability: Access bypass

• Advisory ID: DRUPAL-SA-CONTRIB-2009-040
• Project: Advanced Forum (third-party module)
• Version: 5.x, 6.x
• Date: 2009-July-1
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Multiple vulnerabilities

• Advisory ID: DRUPAL-SA-CORE-2009-007
• Project: Drupal core
• Version: 5.x, 6.x
• Date: 2009-July-1
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Multiple vulnerabilities

• Advisory ID: DRUPAL-SA-CONTRIB-2009-039
• Project: Links Package (third-party module)
• Version: 5.x, 6.x
• Date: 2009-June-25
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

• Advisory ID: DRUPAL-SA-CONTRIB-2009-038
• Project: Nodequeue (third-party module)
• Version: 5.x, 6.x
• Date: 2009-June-10
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Multiple vulnerabilities

• Advisory ID: DRUPAL-SA-CONTRIB-2009-037
• Project: Views
• Versions: 6.x-2.x
• Date: 2009-June-10
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting (XSS), Access Bypass

• Advisory ID: SA-CONTRIB-2009-036
• Project: Services (third-party module)
• Version: 6.x
• Date: 2009 June 10
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Impersonation

• Advisory ID: DRUPAL-SA-CONTRIB-2009-033
• Project: Quiz (third-party module)
• Version: 5.x, 6.x
• Date: 2009-June-03
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module does not properly escape user-supplied data on some pages, allowing malicious users to insert arbitrary HTML and script code into these pages. A user who has access to create quizzes or quiz questions could attempt a cross site scripting (XSS) attack which may lead to the user gaining full administrative access.

• All versions of Quiz for Drupal 5.x
• Quiz 6.x-2.x prior to 6.x-2.2
• Quiz 6.x-3.x prior to 6.x-3.0

Drupal core is not affected. If you do not use the contributed Quiz module, there is nothing you need to do.

If you use Drupal 5.x, uninstall the Quiz module which has been marked unmaintained for six months or upgrade to Quiz for Drupal 6.x.

• Advisory ID: DRUPAL-SA-CONTRIB-2009-032
• Project: Webform (third-party module)
• Versions: 5.x, 6.x
• Date: 2009-June-03
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross-site scripting

• Advisory ID: DRUPAL-SA-CONTRIB-2009-031
• Project: Ajax Session (third-party module)
• Version: 5.x
• Date: 2009 May 27
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Multiple vulnerabilities