CVE-2011-3730 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3730): Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and certain other files.
*** Bug 386173 has been marked as a duplicate of this bug. ***
CVE-2011-2687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2687): Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
CVE-2010-3686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3686): The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
CVE-2010-3685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3685): The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
CVE-2009-5096 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5096): Cross-site scripting (XSS) vulnerability in the Flag Content module 5.x-2.x before 5.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Reason parameter.
CVE-2009-0382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0382): Unspecified vulnerability in Internationalization (i18n) Translation 5.x before 5.x-2.5, a module for Drupal, allows remote attackers with "translate node" permissions to bypass intended access restrictions and read unpublished nodes via unspecified vectors.
Vulnerable versions dropped. Closing noglsa for ~arch only.