Application: Drupal
Affected Version: all 5.x versions prior to 5.x-1.1 and all 6.x versions prior to 6.x-1.6.
Vendor’s URL: Localization client Module
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Update to version 5.x-1.1 or 6.x-1.6.
Content Management, Cross Site Scripting
Application: Drupal
Affected Version: all 5.x versions prior to 5.12 and all 6.x versions prior to 6.6.
Vendor’s URL: Virtual Hosts
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Update to version 5.12 or 6.6.
Apply the vendor’s official patches to versions 5.11 or 6.5:
Content Management, File Inclusion
Application: WordPress
Affected Version: version 2.x
Vendor’s URL: Newsletter Plugin
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
Content Management, SQL Injection
Application: XOOPS
Affected Version: version 0.26 and other versions.
Vendor’s URL: Makale Module
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
Content Management, SQL Injection
Application: Movable Type
Affected Version: version 4.21 and prior versions.
Vendor’s URL: Movable Type
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Content Management, Cross Site Scripting
Application: Joomla
Affected Version: version 1.1.1 and other versions.
Vendor’s URL: DS-Syndicate Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
Content Management, SQL Injection
Application: Drupal
Affected Version: version 5.x-1.0.
Vendor’s URL: Node Vote Module Vote Again
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Update to version 5.x-1.1.
Content Management, SQL Injection
Application: Drupal
Affected Version: all 5.x-1.x versions prior to 5.x-1.6 and all 5.x-2.x versions prior to 5.x-2.6.
Vendor’s URL: Node clone Module
Bug Type: Security Bypass
Risk Level: Medium
Solution:
Update to version 5.x-1.6 or 5.x-2.6.
Access Bypass, Content Management
Application: Drupal
Affected Version: all versions of Shindig-Integrator.
Vendor’s URL: Shindig-Integrator Module
Bug Type: Security Bypass, Cross Site Scripting
Risk Level: Critical
Solution:
Use another product.
Access Bypass, Content Management, Cross Site Scripting
Application: Joomla
Affected Version: version 1.5.3 (1.5_fixed). Other versions may also be affected.
Vendor’s URL: OwnBiblio Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
Content Management, SQL Injection
Application: Joomla
Affected Version: all versions prior to 1.1.8.2.
Vendor’s URL: Mad4Joomla Mailforms Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Update to version 1.1.8.2.
Content Management, SQL Injection
Application: Joomla
Affected Version: versions from 0.8.0 up to and including 0.8.3.
Vendor’s URL: Ignite Gallery Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Update to version 0.8.3.1.
Content Management, SQL Injection
Application: Drupal
Affected Version: all 5.x and 6.x versions.
Vendor’s URL: EveryBlog Module
Bug Type: Security Bypass, Cross Site Scripting, Privilege Escalation
Risk Level: Critical
Solution:
Use another product as all releases of the module have been removed from Drupal.org.
Access Bypass, Content Management, Cross Site Scripting, Privilege Escalation
Application: Drupal
Affected Version: all 5.x versions prior to 5.x-1.2 and all 6.x versions prior to 6.x-1.1.
Vendor’s URL: SIOC Module
Bug Type: Security Bypass
Risk Level: Critical
Solution:
Update to version 5.x-1.2 or 6.x-1.1.
Access Bypass, Content Management
Application: Drupal
Affected Version:
- Live prior to version 6.x-1.0
- AJAX Picture Preview prior to version 6.x-1.2
- Banner Rotor prior to version 6.x-1.3
- Creative Commons Lite prior to version 6.x-1.1
- Keyboard shortcut utility prior to version 6.x-1.1
- LiveJournal CrossPoster prior to version 6.x-1.4
- Taxonomy import/export via XML prior to version 6.x-1.2
Bug Type: Security Bypass
Risk Level: Critical
Solution:
Update to:
- Live version 6.x-1.0
- AJAX Picture Preview version 6.x-1.2
- Banner Rotor version 6.x-1.3
- Creative Commons Lite version 6.x-1.1
- Keyboard shortcut utility version 6.x-1.1
- LiveJournal CrossPoster version 6.x-1.4
- Taxonomy import/export via XML version 6.x-1.2
Access Bypass, Content Management
Application: Drupal
Affected Version: versions prior to 5.11.
Vendor’s URL: Upload and Node Module
Bug Type: Security Bypass
Risk Level: Medium
Solution:
Update to version 5.11.
Access Bypass, Content Management
Application: Drupal
Affected Version: all 6.x versions prior to 6.5.
Vendor’s URL: Drupal
Bug Type: Security Bypass
Risk Level: Critical
Solution:
Update to version 6.5.
Access Bypass, Content Management
Application: Drupal
Affected Version: all 5.x versions prior to 5.11 and all 6.x versions prior to 6.5.
Vendor’s URL: Drupal
Bug Type: Security Bypass
Risk Level: Critical
Solution:
Update to version 5.11 or 6.5. Grant the “Administer content with BlogAPI” permission to trusted users only.
Access Bypass, Discussion Boards
Application: vbDrupal
Affected Version: all 5.x versions prior to 5.11.0.
Vendor’s URL: vbDrupal
Bug Type: Security Bypass
Risk Level: Critical
Solution:
Update to version 5.11.0. Grant the “Administer content with BlogAPI” permission to trusted users only.
Access Bypass, Discussion Boards
Application: TWiki
Affected Version: versions prior to 4.2.3.
Vendor’s URL: TWiki
Bug Type: Command Execution
Risk Level: Critical
Solution:
Update to version 4.2.3.
Content Management, Remote Command Execution