drupal.xml

<Vulns>   <Vulnerability addData="2017-09-18" gvid="ID105562" id="105562" modifyDate="2017-09-18">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2002-1806: 跨站点脚本（XSS）漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag.</Description>      <cnnvd>CNNVD-200212-094</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2002-1806</id>      </AlternateIds>      <Solutions>The vendor recommends updating to the latest release of Drupal.</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5</high>                     
                               <low inclusive="1">4.0.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105563" id="105563" modifyDate="2017-09-18">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2005-0682: common.inc中的跨站点脚本（XSS）漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in common.inc in Drupal before 4.5.2 allows remote attackers to inject arbitrary web script or HTML via certain inputs.</Description>      <cnnvd>CNNVD-200505-189</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2005-0682</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.5.2</high>                     
                               <low inclusive="1">4.4.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105564" id="105564" modifyDate="2017-09-18">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2005-1871: 权限系统中的未知漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote attackers to gain privileges, due to an &amp;quot;input check&amp;quot; that &amp;quot;is not implemented properly.&amp;quot;</Description>      <cnnvd>CNNVD-200506-090</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2005-1871</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.1</high>                     
                               <low inclusive="1">4.4.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105566" id="105566" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2005-3973 : DRUPAL-SA-2005-007 提交内容中存在XSS漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site scripting (XSS) vulnerabilities in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allow remote attackers to inject arbitrary web script or HTML via various HTML tags and values, such as the (1) legend tag and the value parameter used in (2) label and (3) input tags, possibly due to an incomplete blacklist.</Description>      <cnnvd>CNNVD-200512-048</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2005-3973</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.5.6</high>                     
                               <low>4.5.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105566" id="105566" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2005-3973 : DRUPAL-SA-2005-007 提交内容中存在XSS漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site scripting (XSS) vulnerabilities in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allow remote attackers to inject arbitrary web script or HTML via various HTML tags and values, such as the (1) legend tag and the value parameter used in (2) label and (3) input tags, possibly due to an incomplete blacklist.</Description>      <cnnvd>CNNVD-200512-048</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2005-3973</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.4</high>                     
                               <low>4.6.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105567" id="105567" modifyDate="2017-08-02">      <cvsscode>6.4</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2005-3974 : DRUPAL-SA-2005-009 绕过“查看用户配置文件”权限</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PHP5, does not correctly enforce user privileges, which allows remote attackers to bypass the &amp;quot;access user profiles&amp;quot; permission.</Description>      <cnnvd>CNNVD-200512-036</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2005-3974</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.4</high>                     
                               <low>4.6.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105569" id="105569" modifyDate="2017-08-02">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2005-3975:drupal-sa-2005-008上传文件的XSS和HTTP头注入漏洞
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Interpretation conflict in file.inc in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer as a result of CVE-2005-3312. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer and the proper fix should be in that browser; if so, then this should not be treated as a vulnerability in Drupal.</Description>      <cnnvd>CNNVD-200512-039</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2005-3975</id>      </AlternateIds>      <Solutions>
 
Drupal Drupal 4.5 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.1 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.2 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.2 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.3 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.4 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.5 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.6 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.6.4.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.6.1 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.6.4.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.6.2 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.6.4.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.6.3 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.6.4.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt;</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.5.6</high>                     
                               <low>4.5.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105569" id="105569" modifyDate="2017-08-02">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2005-3975:drupal-sa-2005-008上传文件的XSS和HTTP头注入漏洞
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Interpretation conflict in file.inc in Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer as a result of CVE-2005-3312. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer and the proper fix should be in that browser; if so, then this should not be treated as a vulnerability in Drupal.</Description>      <cnnvd>CNNVD-200512-039</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2005-3975</id>      </AlternateIds>      <Solutions>
 
Drupal Drupal 4.5 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.1 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.2 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.2 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.3 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.4 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.5.5 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.5.6.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.5.6.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.6 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.6.4.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.6.1 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.6.4.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.6.2 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.6.4.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt; 
 
Drupal Drupal 4.6.3 
&lt;ul&gt;&lt;li&gt; 
Drupal drupal-4.6.4.tar.gz 
&lt;a href=&quot; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&quot;&gt; 
http://drupal.org/files/projects/drupal-4.6.4.tar.gz&lt;/a&gt;&lt;/li&gt; 
&lt;/ul&gt;</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.4</high>                     
                               <low>4.6.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105571" id="105571" modifyDate="2017-09-18">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-0070: Drupal允许远程攻击者执行跨站点脚本（XSS）</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>** DISPUTED **  Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function.  NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when &amp;quot;Filtered HTML&amp;quot; is enabled, and since &amp;quot;Full HTML&amp;quot; would not filter HTML by design, perhaps this should not be included in CVE.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-0070</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.5.7</high>                     
                               <low inclusive="1">4.5.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105571" id="105571" modifyDate="2017-09-18">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-0070: Drupal允许远程攻击者执行跨站点脚本（XSS）</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>** DISPUTED **  Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function.  NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when &amp;quot;Filtered HTML&amp;quot; is enabled, and since &amp;quot;Full HTML&amp;quot; would not filter HTML by design, perhaps this should not be included in CVE.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-0070</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.5</high>                     
                               <low inclusive="1">4.6.4</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105573" id="105573" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-1225 : DRUPAL-SA-2006-004 邮件头注入漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>CRLF injection vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject headers of outgoing e-mail messages and use Drupal as a spam proxy.</Description>      <cnnvd>CNNVD-200603-247</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-1225</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6_all.deb 
Debian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.5.8</high>                     
                               <low>4.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105573" id="105573" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-1225 : DRUPAL-SA-2006-004 邮件头注入漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>CRLF injection vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject headers of outgoing e-mail messages and use Drupal as a spam proxy.</Description>      <cnnvd>CNNVD-200603-247</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-1225</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6_all.deb 
Debian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.6</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105575" id="105575" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-1226 : DRUPAL-SA-2006-002 XSS 漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.</Description>      <cnnvd>CNNVD-200603-246</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-1226</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6_all.deb 
Debian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.5.8</high>                     
                               <low>4.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105575" id="105575" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-1226 : DRUPAL-SA-2006-002 XSS 漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors.</Description>      <cnnvd>CNNVD-200603-246</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-1226</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6_all.deb 
Debian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.6</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105577" id="105577" modifyDate="2017-09-08">      <cvsscode>4.6</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-1227 : DRUPAL-SA-2006-001 menu.module中的安全绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access control for the page that is referenced, which might allow remote attackers to access administrator pages.</Description>      <cnnvd>CNNVD-200603-260</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-1227</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6_all.deb 
Debian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.5.8</high>                     
                               <low>4.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105577" id="105577" modifyDate="2017-09-08">      <cvsscode>4.6</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-1227 : DRUPAL-SA-2006-001 menu.module中的安全绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8, when menu.module is used to create a menu item, does not implement access control for the page that is referenced, which might allow remote attackers to access administrator pages.</Description>      <cnnvd>CNNVD-200603-260</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-1227</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6_all.deb 
Debian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.6</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105579" id="105579" modifyDate="2017-09-08">      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-1228 : DRUPAL-SA-2006-003 会话固定漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Session fixation vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to gain privileges by tricking a user to click on a URL that fixes the session identifier.</Description>      <cnnvd>CNNVD-200603-266</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-1228</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6_all.deb 
Debian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_a ll.deb 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.5.8</high>                     
                               <low>4.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105579" id="105579" modifyDate="2017-09-08">      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-1228 : DRUPAL-SA-2006-003 会话固定漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Session fixation vulnerability in Drupal 4.5.x before 4.5.8 and 4.6.x before 4.5.8 allows remote attackers to gain privileges by tricking a user to click on a URL that fixes the session identifier.</Description>      <cnnvd>CNNVD-200603-266</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-1228</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6_all.deb 
Debian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_a ll.deb 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.6</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105581" id="105581" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2006-2742 : DRUPAL-SA-2006-005 - Drupal core - SQL注入漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>SQL injection vulnerability in Drupal 4.6.x before 4.6.7 and 4.7.0 allows remote attackers to execute arbitrary SQL commands via the (1) count and (2) from variables to (a) database.mysql.inc, (b) database.pgsql.inc, and (c) database.mysqli.inc.</Description>      <cnnvd>CNNVD-200606-005</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-2742</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6.1sarge1_all.debDebian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1 
sarge1_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.7</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105581" id="105581" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2006-2742 : DRUPAL-SA-2006-005 - Drupal core - SQL注入漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>SQL injection vulnerability in Drupal 4.6.x before 4.6.7 and 4.7.0 allows remote attackers to execute arbitrary SQL commands via the (1) count and (2) from variables to (a) database.mysql.inc, (b) database.pgsql.inc, and (c) database.mysqli.inc.</Description>      <cnnvd>CNNVD-200606-005</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-2742</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6.1sarge1_all.debDebian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1 
sarge1_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.1</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105583" id="105583" modifyDate="2017-08-02">      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2006-2743:sa-2006-006-drupal core-在某些Apache配置中执行任意文件
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_mime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory.</Description>      <cnnvd>CNNVD-200606-027</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-2743</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6.1sarge1_all.debDebian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1 
sarge1_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.7</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105583" id="105583" modifyDate="2017-08-02">      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2006-2743:sa-2006-006-drupal core-在某些Apache配置中执行任意文件
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_mime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory.</Description>      <cnnvd>CNNVD-200606-027</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-2743</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6.1sarge1_all.debDebian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1 
sarge1_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.1</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105585" id="105585" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2006-2831 : SA-2006-007 - 在某些Apache配置中执行任意文件</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides are disabled within .htaccess, allows remote attackers to execute arbitrary code by uploading a file with multiple extensions, a variant of CVE-2006-2743.</Description>      <cnnvd>CNNVD-200606-114</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-2831</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1 
sarge1_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.8</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105585" id="105585" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2006-2831 : SA-2006-007 - 在某些Apache配置中执行任意文件</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2, when running under certain Apache configurations such as when FileInfo overrides are disabled within .htaccess, allows remote attackers to execute arbitrary code by uploading a file with multiple extensions, a variant of CVE-2006-2743.</Description>      <cnnvd>CNNVD-200606-114</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-2831</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1 
sarge1_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.2</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105587" id="105587" modifyDate="2017-08-02">      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2006-2832 : SA-2006-007 - Drupal Core - 修订DRUPAL-SA-2006-006</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the upload module (upload.module) in Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via the uploaded filename.</Description>      <cnnvd>CNNVD-200606-113</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-2832</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1 
sarge1_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.8</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105587" id="105587" modifyDate="2017-08-02">      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2006-2832 : SA-2006-007 - Drupal Core - 修订DRUPAL-SA-2006-006</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the upload module (upload.module) in Drupal 4.6.x before 4.6.8 and 4.7.x before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via the uploaded filename.</Description>      <cnnvd>CNNVD-200606-113</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-2832</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1 
sarge1_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.2</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105589" id="105589" modifyDate="2017-08-02">      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2006-2833 : DRUPAL-SA-2006-008 分类模块中的XSS漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the taxonomy module in Drupal 4.6.8 and 4.7.2 allows remote attackers to inject arbitrary web script or HTML via inputs that are not properly validated when the page title is output, possibly involving the $names variable.</Description>      <cnnvd>CNNVD-200606-098</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-2833</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6.1sarge1_all.debDebian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1 
sarge1_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.8</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105589" id="105589" modifyDate="2017-08-02">      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2006-2833 : DRUPAL-SA-2006-008 分类模块中的XSS漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the taxonomy module in Drupal 4.6.8 and 4.7.2 allows remote attackers to inject arbitrary web script or HTML via inputs that are not properly validated when the page title is output, possibly involving the $names variable.</Description>      <cnnvd>CNNVD-200606-098</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-2833</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 4.5.3 
Debian drupal_4.5.3-6.1sarge1_all.debDebian GNU/Linux 3.1 alias sarge 
http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1 
sarge1_all.deb</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.2</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105591" id="105591" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-4002 : DRUPAL-SA-2006-011 用户模块中的XSS漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in user.module in Drupal 4.6 before 4.6.9, and 4.7 before 4.7.3, allows remote attackers to inject arbitrary web script or HTML via the msg parameter.  NOTE: portions of these details are obtained from third party information.</Description>      <cnnvd>CNNVD-200608-090</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-4002</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.9</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105591" id="105591" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-4002 : DRUPAL-SA-2006-011 用户模块中的XSS漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in user.module in Drupal 4.6 before 4.6.9, and 4.7 before 4.7.3, allows remote attackers to inject arbitrary web script or HTML via the msg parameter.  NOTE: portions of these details are obtained from third party information.</Description>      <cnnvd>CNNVD-200608-090</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-4002</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.3</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105593" id="105593" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-5475 : DRUPAL-SA-2006-024 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site scripting (XSS) vulnerabilities in the XML parser in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allow remote attackers to inject arbitrary web script or HTML via a crafted RSS feed.</Description>      <cnnvd>CNNVD-200610-389</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-5475</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.10</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105593" id="105593" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2006-5475 : DRUPAL-SA-2006-024 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site scripting (XSS) vulnerabilities in the XML parser in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allow remote attackers to inject arbitrary web script or HTML via a crafted RSS feed.</Description>      <cnnvd>CNNVD-200610-389</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-5475</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.4</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105595" id="105595" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2006-5476 : DRUPAL-SA-2006-024 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors.</Description>      <cnnvd>CNNVD-200610-393</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-5476</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.10</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105595" id="105595" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2006-5476 : DRUPAL-SA-2006-024 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors.</Description>      <cnnvd>CNNVD-200610-393</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-5476</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.4</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105597" id="105597" modifyDate="2017-08-02">      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2006-5477 : DRUPAL-SA-2006-024 - Drupal core - 表单模块重定向</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows form submissions to be redirected, which allows remote attackers to obtain arbitrary form information via a crafted URL.</Description>      <cnnvd>CNNVD-200610-403</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-5477</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
Drupal Drupal 4.6 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.1 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.2 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.3 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.4 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.5 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.6 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.7 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.8 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.9 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.4.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz 
Drupal Drupal 4.7.1 
Drupal drupal-4.7.4.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz 
Drupal Drupal 4.7.2 
Drupal drupal-4.7.4.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz 
Drupal Drupal 4.7.3 
Drupal drupal-4.7.4.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.10</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105597" id="105597" modifyDate="2017-08-02">      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2006-5477 : DRUPAL-SA-2006-024 - Drupal core - 表单模块重定向</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows form submissions to be redirected, which allows remote attackers to obtain arbitrary form information via a crafted URL.</Description>      <cnnvd>CNNVD-200610-403</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2006-5477</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
Drupal Drupal 4.6 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.1 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.2 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.3 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.4 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.5 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.6 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.7 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.8 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.6.9 
Drupal drupal-4.6.10.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.4.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz 
Drupal Drupal 4.7.1 
Drupal drupal-4.7.4.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz 
Drupal Drupal 4.7.2 
Drupal drupal-4.7.4.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz 
Drupal Drupal 4.7.3 
Drupal drupal-4.7.4.tar.gz 
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.4</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105599" id="105599" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-0124 : Drupal core - 拒绝服务</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-0124</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.11</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105599" id="105599" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-0124 : Drupal core - 拒绝服务</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-0124</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.5</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105601" id="105601" modifyDate="2017-08-02">      <cvsscode>7.6</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2007-0626 : DRUPAL-SA-2007-005 - Drupal core - 任意代码执行</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with &amp;quot;post comments&amp;quot; privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by &amp;quot;normal form validation routines.&amp;quot;</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-0626</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.6</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105601" id="105601" modifyDate="2017-08-02">      <cvsscode>7.6</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2007-0626 : DRUPAL-SA-2007-005 - Drupal core - 任意代码执行</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with &amp;quot;post comments&amp;quot; privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by &amp;quot;normal form validation routines.&amp;quot;</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-0626</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.1</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105602" id="105602" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-4063 : Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments, (2) delete content revisions, and (3) disable menu items as privileged users, related to improper use of HTTP GET and the Forms API.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-4063</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.2</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105604" id="105604" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-4064 : Drupal core - 多个跨站点脚本漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers to inject arbitrary web script or HTML via &amp;quot;some server variables,&amp;quot; including PHP_SELF; and (2) allow remote authenticated administrators to inject arbitrary web script or HTML via custom content type names.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-4064</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.7</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105604" id="105604" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-4064 : Drupal core - 多个跨站点脚本漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.2, and 4.7.x before 4.7.7, (1) allow remote attackers to inject arbitrary web script or HTML via &amp;quot;some server variables,&amp;quot; including PHP_SELF; and (2) allow remote authenticated administrators to inject arbitrary web script or HTML via custom content type names.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-4064</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.2</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105605" id="105605" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-5593 : SA-2007-025 - Drupal core - 通过安装程序执行任意代码</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-5593</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.3</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105606" id="105606" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-5594 : SA-2007-030 - Drupal Core - 处理未发布评论的API</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-5594</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.3</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105608" id="105608" modifyDate="2017-08-02">      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-5595 : SA-2007-024 - Drupal Core - HTTP 响应分割</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-5595</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.8</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105608" id="105608" modifyDate="2017-08-02">      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-5595 : SA-2007-024 - Drupal Core - HTTP 响应分割</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-5595</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.3</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105610" id="105610" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-5596 : SA-2007-026 - Drupal Core - 通过上传跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-5596</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.8</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105610" id="105610" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-5596 : SA-2007-026 - Drupal Core - 通过上传跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places the .html extension on a whitelist, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading .html files.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-5596</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.3</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105612" id="105612" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>drupal:cve-2007-6299:sa-2007-031-drupal core-启用某些贡献模块时可能进行SQL注入
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2) ajaxLoader, and (3) ubrowser contributed modules.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-6299</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.9</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105612" id="105612" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>drupal:cve-2007-6299:sa-2007-031-drupal core-启用某些贡献模块时可能进行SQL注入
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2) ajaxLoader, and (3) ubrowser contributed modules.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-6299</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.4</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105613" id="105613" modifyDate="2017-09-18">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2007-6752: 跨站请求伪造（CSRF）漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI.  NOTE: the vendor disputes the significance of this issue, by considering the &amp;quot;security benefit against platform complexity and performance impact&amp;quot; and concluding that a change to the logout behavior is not planned because &amp;quot;for most sites it is not worth the trade-off.&amp;quot;</Description>      <cnnvd>CNNVD-201203-525</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2007-6752</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/1425104</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.13</high>                     
                               <low inclusive="1">4.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105615" id="105615" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2008-0272:sa-2007-031-drupal core-启用某些贡献模块时可能进行SQL注入
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users.</Description>      <cnnvd>CNNVD-200801-202</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-0272</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 5.2 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.3 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 revision 1.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.0 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7 revision 1.15 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.4 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.0 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.1 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.2 .0 RC 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.10 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.11 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.9 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.10 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
vbDrupal vbDrupal 4.7.5 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
vbDrupal vbDrupal 4.7.6 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
vbDrupal vbDrupal 4.7.6 4 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
Drupal Drupal 4.7.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.9 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
vbDrupal vbDrupal 5.2 
vbDrupal vbDrupal-5.6.0a.tar.gz 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-5.6.0a.tar.gz?modti me=1200158794&amp;big_mirror=0 
vbDrupal vbDrupal 5.3 
vbDrupal vbDrupal-5.6.0a.tar.gz 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-5.6.0a.tar.gz?modti me=1200158794&amp;big_mirror=0 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.9</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105615" id="105615" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2008-0272:sa-2007-031-drupal core-启用某些贡献模块时可能进行SQL注入
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users.</Description>      <cnnvd>CNNVD-200801-202</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-0272</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 5.2 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.3 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 revision 1.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.0 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7 revision 1.15 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.4 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.0 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.1 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.2 .0 RC 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.10 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.11 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.9 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.10 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
vbDrupal vbDrupal 4.7.5 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
vbDrupal vbDrupal 4.7.6 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
vbDrupal vbDrupal 4.7.6 4 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
Drupal Drupal 4.7.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.9 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
vbDrupal vbDrupal 5.2 
vbDrupal vbDrupal-5.6.0a.tar.gz 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-5.6.0a.tar.gz?modti me=1200158794&amp;big_mirror=0 
vbDrupal vbDrupal 5.3 
vbDrupal vbDrupal-5.6.0a.tar.gz 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-5.6.0a.tar.gz?modti me=1200158794&amp;big_mirror=0 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.4</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105617" id="105617" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-0273 : SA-2008-006 - Drupal core - 跨站脚本 (UTF8)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal&amp;#39;s HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism.</Description>      <cnnvd>CNNVD-200801-191</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-0273</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 5.2 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.3 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 revision 1.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.0 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7 revision 1.15 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.4 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.0 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.1 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.2 .0 RC 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.10 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.11 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.11</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105617" id="105617" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-0273 : SA-2008-006 - Drupal core - 跨站脚本 (UTF8)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal&amp;#39;s HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism.</Description>      <cnnvd>CNNVD-200801-191</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-0273</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 5.2 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.3 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 revision 1.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.0 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7 revision 1.15 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.4 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.0 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.1 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.2 .0 RC 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.10 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.11 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.6</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105619" id="105619" modifyDate="2017-08-02">      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2008-0274 : SA-2008-007 - Drupal core - 跨站脚本 (register_globals)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files.</Description>      <cnnvd>CNNVD-200801-198</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-0274</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 5.2 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.3 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 revision 1.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.0 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7 revision 1.15 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.4 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.0 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.1 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.2 .0 RC 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.10 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.11 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.9 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.10 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
vbDrupal vbDrupal 4.7.5 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
vbDrupal vbDrupal 4.7.6 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
vbDrupal vbDrupal 4.7.6 4 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
Drupal Drupal 4.7.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.9 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
vbDrupal vbDrupal 5.2 
vbDrupal vbDrupal-5.6.0a.tar.gz 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-5.6.0a.tar.gz?modti me=1200158794&amp;big_mirror=0 
vbDrupal vbDrupal 5.3 
vbDrupal vbDrupal-5.6.0a.tar.gz 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-5.6.0a.tar.gz?modti me=1200158794&amp;big_mirror=0 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.7.11</high>                     
                               <low>4.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105619" id="105619" modifyDate="2017-08-02">      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2008-0274 : SA-2008-007 - Drupal core - 跨站脚本 (register_globals)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files.</Description>      <cnnvd>CNNVD-200801-198</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-0274</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 5.2 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.3 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 revision 1.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.0 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7 revision 1.15 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 5.4 
Drupal drupal-5.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz 
Drupal Drupal 4.0 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.1 .0 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.2 .0 RC 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.4.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.5.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.10 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.11 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.6.9 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.1 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.10 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.2 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.3 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.4 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.5 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
vbDrupal vbDrupal 4.7.5 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
vbDrupal vbDrupal 4.7.6 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
vbDrupal vbDrupal 4.7.6 4 
vbDrupal vbDrupal-4.7.11.0.zip 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-4.7.11.0.zip?modtim e=1200153027&amp;big_mirror=0 
Drupal Drupal 4.7.6 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.7 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.8 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
Drupal Drupal 4.7.9 
Drupal drupal-4.7.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz 
vbDrupal vbDrupal 5.2 
vbDrupal vbDrupal-5.6.0a.tar.gz 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-5.6.0a.tar.gz?modti me=1200158794&amp;big_mirror=0 
vbDrupal vbDrupal 5.3 
vbDrupal vbDrupal-5.6.0a.tar.gz 
http://downloads.sourceforge.net/vbdrupal/vbDrupal-5.6.0a.tar.gz?modti me=1200158794&amp;big_mirror=0 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.6</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105620" id="105620" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-1131 : SA-2008-018 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote authenticated users to inject arbitrary web script or HTML via titles in content edit forms.</Description>      <cnnvd>CNNVD-200803-022</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-1131</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.1</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105621" id="105621" modifyDate="2017-09-18">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-1133: Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks.</Description>      <cnnvd>CNNVD-200803-028</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-1133</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.1</high>                     
                               <low inclusive="1">6.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105622" id="105622" modifyDate="2017-08-02">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-1729 : SA-2008-026 - Drupal core - 访问绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the &amp;quot;access content&amp;quot; permission; and (4) allows remote authenticated users, with administration page view access, to edit content types.</Description>      <cnnvd>CNNVD-200804-150</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-1729</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 6.1 
Drupal drupal-6.2.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.2.tar.gz 
Drupal Drupal 6.0 
Drupal drupal-6.2.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.2.tar.gz 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.2</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105623" id="105623" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3218 : SA-2008-044 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.</Description>      <cnnvd>CNNVD-200807-322</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3218</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.3</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105625" id="105625" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3219 : SA-2008-044 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not &amp;quot;prevent use of the object HTML tag in administrator input,&amp;quot; which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.</Description>      <cnnvd>CNNVD-200807-323</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3219</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.8</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105625" id="105625" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3219 : SA-2008-044 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not &amp;quot;prevent use of the object HTML tag in administrator input,&amp;quot; which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.</Description>      <cnnvd>CNNVD-200807-323</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3219</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.3</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105627" id="105627" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3220 : SA-2008-044 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of &amp;quot;translated strings.&amp;quot;</Description>      <cnnvd>CNNVD-200807-324</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3220</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.8</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105627" id="105627" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3220 : SA-2008-044 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of &amp;quot;translated strings.&amp;quot;</Description>      <cnnvd>CNNVD-200807-324</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3220</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.3</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105629" id="105629" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3221 : SA-2008-044 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.</Description>      <cnnvd>CNNVD-200807-325</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3221</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.8</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105629" id="105629" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3221 : SA-2008-044 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.</Description>      <cnnvd>CNNVD-200807-325</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3221</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.3</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105631" id="105631" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3222 : SA-2008-044 - Drupal core - 会话固定</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules &amp;quot;terminate the current request during a login event,&amp;quot; allows remote attackers to hijack web sessions via unknown vectors.</Description>      <cnnvd>CNNVD-200807-326</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3222</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.8</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105631" id="105631" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3222 : SA-2008-044 - Drupal core - 会话固定</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules &amp;quot;terminate the current request during a login event,&amp;quot; allows remote attackers to hijack web sessions via unknown vectors.</Description>      <cnnvd>CNNVD-200807-326</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3222</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.3</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105632" id="105632" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2008-3223 : SA-2008-044 - Drupal core - SQL注入</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to &amp;quot;an inappropriate placeholder for &amp;#39;numeric&amp;#39; fields.&amp;quot;</Description>      <cnnvd>CNNVD-200807-327</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3223</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.3</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105633" id="105633" modifyDate="2017-09-18">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3661: 会话劫持漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.</Description>      <cnnvd>CNNVD-200809-289</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3661</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.5</high>                     
                               <low inclusive="1">5.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105635" id="105635" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3740 : SA-2008-047 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.</Description>      <cnnvd>CNNVD-200808-325</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3740</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/295053</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.10</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105635" id="105635" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3740 : SA-2008-047 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.</Description>      <cnnvd>CNNVD-200808-325</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3740</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/295053</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.4</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105637" id="105637" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3741 : SA-2008-047 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.</Description>      <cnnvd>CNNVD-200808-326</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3741</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/295053</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.10</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105637" id="105637" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3741 : SA-2008-047 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML.</Description>      <cnnvd>CNNVD-200808-326</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3741</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/295053</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.4</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105639" id="105639" modifyDate="2017-08-02">      <cvsscode>6.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3742 : SA-2008-047 - Drupal core - 通过BlogAPI上传任意文件</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.</Description>      <cnnvd>CNNVD-200808-327</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3742</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/295053</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.10</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105639" id="105639" modifyDate="2017-08-02">      <cvsscode>6.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3742 : SA-2008-047 - Drupal core - 通过BlogAPI上传任意文件</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated.</Description>      <cnnvd>CNNVD-200808-327</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3742</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/295053</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.4</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105640" id="105640" modifyDate="2017-08-02">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3743 : SA-2008-047 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements.</Description>      <cnnvd>CNNVD-200808-328</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3743</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/295053</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.4</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105642" id="105642" modifyDate="2017-08-02">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3744 : SA-2008-047 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.</Description>      <cnnvd>CNNVD-200808-329</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3744</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/295053</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.10</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105642" id="105642" modifyDate="2017-08-02">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3744 : SA-2008-047 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.</Description>      <cnnvd>CNNVD-200808-329</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3744</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/295053</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.4</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105643" id="105643" modifyDate="2017-08-02">      <cvsscode>5.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-3745 : SA-2008-047 - Drupal core - 各种上传模块漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors.</Description>      <cnnvd>CNNVD-200808-330</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-3745</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/295053</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.4</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105644" id="105644" modifyDate="2017-08-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-4789 : SA-2008-060 - Drupal core - 文件上传访问绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and &amp;quot;attach files to content,&amp;quot; related to a &amp;quot;logic error.&amp;quot;</Description>      <cnnvd>CNNVD-200810-498</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-4789</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.5</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105645" id="105645" modifyDate="2017-08-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-4790 : SA-2008-060 - Drupal core - 文件上传访问绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read &amp;quot;files attached to content&amp;quot; via unknown vectors.</Description>      <cnnvd>CNNVD-200810-499</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-4790</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.11</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105647" id="105647" modifyDate="2017-08-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-4791 : SA-2008-060 - Drupal core - 访问规则绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors.</Description>      <cnnvd>CNNVD-200810-500</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-4791</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.11</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105647" id="105647" modifyDate="2017-08-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-4791 : SA-2008-060 - Drupal core - 访问规则绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors.</Description>      <cnnvd>CNNVD-200810-500</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-4791</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.5</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105649" id="105649" modifyDate="2017-08-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-4792 : SA-2008-060 - Drupal core - BlogAPI访问绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values.</Description>      <cnnvd>CNNVD-200810-501</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-4792</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.11</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105649" id="105649" modifyDate="2017-08-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-4792 : SA-2008-060 - Drupal core - BlogAPI访问绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5 does not properly validate unspecified content fields of an internal Drupal form, which allows remote authenticated users to bypass intended access restrictions via modified field values.</Description>      <cnnvd>CNNVD-200810-501</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-4792</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.5</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105650" id="105650" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2008-4793 : SA-2008-060 - Drupal core - 节点验证绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules.</Description>      <cnnvd>CNNVD-200810-502</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-4793</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.11</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105651" id="105651" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-6170 : SA-2008-067 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title.</Description>      <cnnvd>CNNVD-200902-397</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-6170</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 6.1-6.5 
Drupal drupal-6.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.6.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.6</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105653" id="105653" modifyDate="2017-08-02">      <cvsscode>9.3</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2008-6171 : SA-2008-067 - Drupal core - 文件包含</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for &amp;quot;IP-based virtual hosts,&amp;quot; allows remote attackers to include and execute arbitrary files via the HTTP Host header.</Description>      <cnnvd>CNNVD-200902-398</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-6171</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 5.0-5.11 
Drupal drupal-5.12.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.12.tar.gz 
Drupal Drupal 6.0-6.5 
Drupal drupal-6.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.6.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.12</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105653" id="105653" modifyDate="2017-08-02">      <cvsscode>9.3</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2008-6171 : SA-2008-067 - Drupal core - 文件包含</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for &amp;quot;IP-based virtual hosts,&amp;quot; allows remote attackers to include and execute arbitrary files via the HTTP Host header.</Description>      <cnnvd>CNNVD-200902-398</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-6171</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 5.0-5.11 
Drupal drupal-5.12.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.12.tar.gz 
Drupal Drupal 6.0-6.5 
Drupal drupal-6.6.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.6.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.6</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105655" id="105655" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-6532 : SA-2008-073 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to &amp;quot;execute old updates&amp;quot; that modify the database.</Description>      <cnnvd>CNNVD-200903-457</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-6532</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal 
Drupal 6.1 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.10 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.12 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.8 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.11 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.2 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.7 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 6.5 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 6.3 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 6.0 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 5.3 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 6.2 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 5.9 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.1 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 6.6 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.0 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.6 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 6.4 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.4 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.13</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105655" id="105655" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-6532 : SA-2008-073 - Drupal core - 跨站请求伪造</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to &amp;quot;execute old updates&amp;quot; that modify the database.</Description>      <cnnvd>CNNVD-200903-457</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-6532</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal 
Drupal 6.1 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.10 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.12 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.8 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.11 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.2 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.7 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 6.5 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 6.3 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 6.0 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 5.3 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 6.2 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 5.9 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.1 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 6.6 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.0 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.6 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 6.4 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.4 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.7</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105657" id="105657" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-6533 : SA-2008-073 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.</Description>      <cnnvd>CNNVD-200903-458</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-6533</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal 
Drupal 6.1 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.10 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.12 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.8 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.11 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.2 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.7 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 6.5 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 6.3 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 6.0 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 5.3 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 6.2 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 5.9 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.1 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 6.6 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.0 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.6 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 6.4 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.4 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.13</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105657" id="105657" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2008-6533 : SA-2008-073 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.</Description>      <cnnvd>CNNVD-200903-458</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2008-6533</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal 
Drupal 6.1 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.10 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.12 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.8 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.11 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.2 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 5.7 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 6.5 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 6.3 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 6.0 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 5.3 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal Drupal 6.2 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal Drupal 5.9 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.1 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 6.6 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.0 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 5.6 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz 
Drupal 6.4 
Drupal drupal-6.7.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz 
Drupal 5.4 
Drupal drupal-5.13.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.7</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105659" id="105659" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-1576 : SA-CORE-2009-005 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box.  NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks.</Description>      <cnnvd>CNNVD-200905-080</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-1576</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
 
Drupal Drupal 5.13 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.10 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 ia-64 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.12 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.2 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 alpha 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.3 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 ia-32 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 6.9 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
Debian Linux 5.0 s/390 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.9 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 mipsel 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.1 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.0 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.6 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 6.1 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
Drupal Drupal 5.16 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 hppa 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.8 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.15 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 m68k 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Debian Linux 5.0 arm 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.11 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 6.10 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 armel 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Debian Linux 5.0 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 6.5 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
Drupal Drupal 5.7 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 6.7 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
Debian Linux 5.0 amd64 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 6.3 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.17</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105659" id="105659" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-1576 : SA-CORE-2009-005 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box.  NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks.</Description>      <cnnvd>CNNVD-200905-080</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-1576</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
 
Drupal Drupal 5.13 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.10 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 ia-64 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.12 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.2 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 alpha 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.3 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 ia-32 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 6.9 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
Debian Linux 5.0 s/390 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.9 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 mipsel 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.1 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.0 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.6 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 6.1 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
Drupal Drupal 5.16 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 hppa 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.8 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.15 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 5.1 revision 1.1 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 m68k 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Debian Linux 5.0 arm 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 5.11 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 6.10 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
Drupal Drupal 5.5 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Debian Linux 5.0 armel 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Debian Linux 5.0 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 6.5 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
Drupal Drupal 5.7 
Drupal drupal-5.17.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz 
Drupal Drupal 6.7 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
Debian Linux 5.0 amd64 
Debian drupal6_6.6-3lenny1_all.deb 
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny1_all.deb 
Drupal Drupal 6.3 
Drupal drupal-6.11.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.11</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105661" id="105661" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-1844 : SA-CORE-2009-006 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the &amp;quot;HTML exports of books&amp;quot; feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary.  NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575.</Description>      <cnnvd>CNNVD-200906-010</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-1844</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 6.11 
Drupal drupal-6.12.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.12.tar.gz 
Drupal Drupal 5.17 
Drupal drupal-5.18.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.18.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.18</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105661" id="105661" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-1844 : SA-CORE-2009-006 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x before 5.18 and 6.x before 6.12 allow (1) remote authenticated users to inject arbitrary web script or HTML via crafted UTF-8 byte sequences that are treated as UTF-7 by Internet Explorer 6 and 7, which are not properly handled in the &amp;quot;HTML exports of books&amp;quot; feature; and (2) allow remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via the help text of an arbitrary vocabulary.  NOTE: vector 1 exists because of an incomplete fix for CVE-2009-1575.</Description>      <cnnvd>CNNVD-200906-010</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-1844</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 6.11 
Drupal drupal-6.12.tar.gz 
http://ftp.drupal.org/files/projects/drupal-6.12.tar.gz 
Drupal Drupal 5.17 
Drupal drupal-5.18.tar.gz 
http://ftp.drupal.org/files/projects/drupal-5.18.tar.gz</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.12</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105663" id="105663" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-2370 : SA-CORE-2009-007 - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Advanced Forum 5.x before 5.x-1.1 and 6.x before 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.</Description>      <cnnvd>CNNVD-200907-118</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-2370</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.19</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105663" id="105663" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-2370 : SA-CORE-2009-007 - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Advanced Forum 5.x before 5.x-1.1 and 6.x before 6.x-1.1, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.</Description>      <cnnvd>CNNVD-200907-118</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-2370</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.1</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105664" id="105664" modifyDate="2017-08-02">      <cvsscode>6.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-2371 : SA-CORE-2009-007 - Drupal core -</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Advanced Forum 6.x before 6.x-1.1, a module for Drupal, does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.</Description>      <cnnvd>CNNVD-200907-119</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-2371</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.13</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105665" id="105665" modifyDate="2017-08-02">      <cvsscode>6.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-2372 : SA-CORE-2009-007 - Drupal core -</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature.</Description>      <cnnvd>CNNVD-200907-120</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-2372</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.13</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105666" id="105666" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-2373 : SA-CORE-2009-007 - Drupal core - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.</Description>      <cnnvd>CNNVD-200907-121</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-2373</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.13</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105668" id="105668" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-2374 : SA-CORE-2009-007 - Drupal core - 密码泄露在URL中</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache.</Description>      <cnnvd>CNNVD-200907-122</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-2374</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.19</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105668" id="105668" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-2374 : SA-CORE-2009-007 - Drupal core - 密码泄露在URL中</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache.</Description>      <cnnvd>CNNVD-200907-122</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-2374</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.13</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105670" id="105670" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-4369 : DRUPAL-SA-2006-002 XSS漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with &amp;quot;administer site-wide contact form&amp;quot; permissions to inject arbitrary web script or HTML via the contact category name.</Description>      <cnnvd>CNNVD-200912-289</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-4369</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 6.14 
Drupal SA-CORE-2009-009-6.14.patch 
http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch 
Drupal Drupal 5.20 
Drupal SA-CORE-2009-009-5.20.patch 
http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-5.20.patch</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.5.8</high>                     
                               <low>4.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105670" id="105670" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-4369 : DRUPAL-SA-2006-002 XSS漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with &amp;quot;administer site-wide contact form&amp;quot; permissions to inject arbitrary web script or HTML via the contact category name.</Description>      <cnnvd>CNNVD-200912-289</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-4369</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接： 
Drupal Drupal 6.14 
Drupal SA-CORE-2009-009-6.14.patch 
http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch 
Drupal Drupal 5.20 
Drupal SA-CORE-2009-009-5.20.patch 
http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-5.20.patch</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">4.6.6</high>                     
                               <low>4.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105671" id="105671" modifyDate="2017-09-18">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2009-4371: 跨站点脚本（XSS）漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with &amp;quot;administer languages&amp;quot; permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form.</Description>      <cnnvd>CNNVD-200912-291</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2009-4371</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.16</high>                     
                               <low inclusive="1">6.14</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105673" id="105673" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2010-3091 : SA-CORE-2010-002 - Drupal core - OpenID身份验证绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.</Description>      <cnnvd>CNNVD-201009-284</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2010-3091</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/880476 
http://drupal.org/node/880666</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.23</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105673" id="105673" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2010-3091 : SA-CORE-2010-002 - Drupal core - OpenID身份验证绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.</Description>      <cnnvd>CNNVD-201009-284</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2010-3091</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/880476 
http://drupal.org/node/880666</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.18</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105675" id="105675" modifyDate="2017-08-02">      <cvsscode>5.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2010-3092 : SA-CORE-2010-002 - Drupal core - 文件下载访问绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name.</Description>      <cnnvd>CNNVD-201009-218</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2010-3092</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/880476 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.23</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105675" id="105675" modifyDate="2017-08-02">      <cvsscode>5.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2010-3092 : SA-CORE-2010-002 - Drupal core - 文件下载访问绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name.</Description>      <cnnvd>CNNVD-201009-218</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2010-3092</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/880476 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.18</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105677" id="105677" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2010-3093 : SA-CORE-2010-002 - Drupal core - 评论取消发布绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an &amp;quot;unpublishing bypass&amp;quot; issue.</Description>      <cnnvd>CNNVD-201009-219</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2010-3093</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/880476 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">5.23</high>                     
                               <low>5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105677" id="105677" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2010-3093 : SA-CORE-2010-002 - Drupal core - 评论取消发布绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an &amp;quot;unpublishing bypass&amp;quot; issue.</Description>      <cnnvd>CNNVD-201009-219</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2010-3093</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/880476 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.18</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105678" id="105678" modifyDate="2017-08-02">      <cvsscode>2.1</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2010-3094 : SA-CORE-2010-002 - Drupal core - 操作跨站点脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.</Description>      <cnnvd>CNNVD-201009-220</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2010-3094</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/880476 
</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.18</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105679" id="105679" modifyDate="2017-09-18">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2010-3685: OpenID身份验证绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.</Description>      <cnnvd>CNNVD-201009-289</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2010-3685</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/880476 
http://drupal.org/node/880666</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.18</high>                     
                               <low inclusive="1">6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105680" id="105680" modifyDate="2017-09-18">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2010-3686: OpenID身份验证绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.</Description>      <cnnvd>CNNVD-201009-290</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2010-3686</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/880476 
http://drupal.org/node/880666</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.18</high>                     
                               <low inclusive="1">6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105681" id="105681" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2011-2687 : SA-CORE-2011-001 - Drupal core - 多个漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.</Description>      <cnnvd>CNNVD-201107-213</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2011-2687</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/1204582</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.2</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105682" id="105682" modifyDate="2017-08-02">      <cvsscode>4.4</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2011-2726 : SA-CORE-2011-003 - Drupal core - 访问绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>SA-CORE-2011-003 - Drupal core - Access bypass</Description>      <cnnvd>CNNVD-201911-1043</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2011-2726</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/node/1231510</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.5</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105683" id="105683" modifyDate="2017-09-18">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2011-3730: Drupal允许远程攻击者获取敏感信息</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and certain other files.</Description>      <cnnvd>CNNVD-201109-419</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2011-3730</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/drupal-7.0</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.1</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105685" id="105685" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-0825 : SA-CORE-2012-001 - OpenID不验证SREG和AX中的签名属性</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.</Description>      <cnnvd>CNNVD-201204-191</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-0825</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/node/1425084</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.23</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105685" id="105685" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-0825 : SA-CORE-2012-001 - OpenID不验证SREG和AX中的签名属性</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.</Description>      <cnnvd>CNNVD-201204-191</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-0825</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/node/1425084</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.11</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105687" id="105687" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2012-0826:sa-core-2012-001-聚合器模块中的跨站点请求伪造漏洞
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors.</Description>      <cnnvd>CNNVD-201204-190</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-0826</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/node/1425084</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.23</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105687" id="105687" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2012-0826:sa-core-2012-001-聚合器模块中的跨站点请求伪造漏洞
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors.</Description>      <cnnvd>CNNVD-201204-190</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-0826</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/node/1425084</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.11</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105688" id="105688" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-0827 : SA-CORE-2012-001 - Drupal core 多个漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The File module in Drupal 7.x before 7.11, when using unspecified field access modules, allows remote authenticated users to read arbitrary private files that are associated with restricted fields via unspecified vectors.</Description>      <cnnvd>CNNVD-201204-192</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-0827</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/node/1425084</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.11</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105689" id="105689" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-1588 : SA-CORE-2012-002 - Drupal core 多个漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Algorithmic complexity vulnerability in the _filter_url function in the text filtering system (modules/filter/filter.module) in Drupal 7.x before 7.14 allows remote authenticated users with certain roles to cause a denial of service (CPU consumption) via a long email address.</Description>      <cnnvd>CNNVD-201210-001</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-1588</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/1557938</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.13</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105690" id="105690" modifyDate="2017-08-02">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-1589 : SA-CORE-2012-002 - Drupal core 多个漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL.</Description>      <cnnvd>CNNVD-201205-084</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-1589</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/1557938</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.13</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105691" id="105691" modifyDate="2017-08-02">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-1590 : SA-CORE-2012-002 - Drupal core 多个漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The forum list in Drupal 7.x before 7.14 does not properly check user permissions for unpublished forum posts, which allows remote authenticated users to obtain sensitive information such as the post title via the forum overview page.</Description>      <cnnvd>CNNVD-201210-002</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-1590</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/1557938</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.13</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105692" id="105692" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-1591 : SA-CORE-2012-002 - Drupal core 多个漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles.</Description>      <cnnvd>CNNVD-201210-003</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-1591</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/1557938</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.13</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105693" id="105693" modifyDate="2017-08-02">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-2153 : SA-CORE-2012-002 - Drupal core 多个漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a &amp;quot;contributed node access module,&amp;quot; which allows remote authenticated users with the &amp;quot;Access the content overview page&amp;quot; permission to read all published nodes by accessing the admin/content page.</Description>      <cnnvd>CNNVD-201210-004</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-2153</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/1557938</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.13</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105694" id="105694" modifyDate="2017-09-18">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-2922: Drupal允许远程攻击者获取敏感信息</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.</Description>      <cnnvd>CNNVD-201205-204</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-2922</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.15</high>                     
                               <low inclusive="1">5.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105695" id="105695" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2012-4553:sa-core-2012-003-drupal core-任意PHP代码执行和信息披露
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 7.x before 7.16 allows remote attackers to obtain sensitive information and possibly re-install Drupal and execute arbitrary PHP code via an external database server, related to &amp;quot;transient conditions.&amp;quot;</Description>      <cnnvd>CNNVD-201210-612</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-4553</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/1815912</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.16</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105696" id="105696" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2012-4554:sa-core-2012-003-drupal core-任意PHP代码执行和信息披露
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.</Description>      <cnnvd>CNNVD-201210-770</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-4554</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/node/1815912</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.16</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105698" id="105698" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-5651 : SA-CORE-2012-004 - 访问绕过 (用户模块搜索 - Drupal 6和7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.</Description>      <cnnvd>CNNVD-201212-275</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-5651</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/SA-CORE-2012-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.27</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105698" id="105698" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-5651 : SA-CORE-2012-004 - 访问绕过 (用户模块搜索 - Drupal 6和7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.</Description>      <cnnvd>CNNVD-201212-275</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-5651</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/SA-CORE-2012-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.18</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105699" id="105699" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2012-5652 : SA-CORE-2012-004 - 访问绕过 (上传模块 - Drupal 6)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.</Description>      <cnnvd>CNNVD-201212-292</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-5652</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/SA-CORE-2012-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.27</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105701" id="105701" modifyDate="2017-08-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2012-5653:sa-core-2012-004-任意PHP代码执行（文件上传模块-drupal 6和7）
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.</Description>      <cnnvd>CNNVD-201301-026</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-5653</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/SA-CORE-2012-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.27</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105701" id="105701" modifyDate="2017-08-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2012-5653:sa-core-2012-004-任意PHP代码执行（文件上传模块-drupal 6和7）
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.</Description>      <cnnvd>CNNVD-201301-026</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2012-5653</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/SA-CORE-2012-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.18</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105703" id="105703" modifyDate="2017-08-02">      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2013-0244 : SA-CORE-2013-001 - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements.</Description>      <cnnvd>CNNVD-201301-432</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-0244</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.28</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105703" id="105703" modifyDate="2017-08-02">      <cvsscode>2.6</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2013-0244 : SA-CORE-2013-001 - 跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements.</Description>      <cnnvd>CNNVD-201301-432</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-0244</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.19</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105705" id="105705" modifyDate="2017-08-02">      <cvsscode>2.1</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2013-0245 : SA-CORE-2013-001 - 访问绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the &amp;quot;access printer-friendly version&amp;quot; permission to read node titles and possibly node content via unspecified vectors.</Description>      <cnnvd>CNNVD-201307-286</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-0245</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.28</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105705" id="105705" modifyDate="2017-08-02">      <cvsscode>2.1</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2013-0245 : SA-CORE-2013-001 - 访问绕过</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the &amp;quot;access printer-friendly version&amp;quot; permission to read node titles and possibly node content via unspecified vectors.</Description>      <cnnvd>CNNVD-201307-286</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-0245</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.19</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105706" id="105706" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2013-0246 : SA-CORE-2013-001 - 访问绕过 (图像模块 - Drupal 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors.</Description>      <cnnvd>CNNVD-201307-287</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-0246</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.19</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105707" id="105707" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2013-0316 : SA-CORE-2013-002 - Drupal core - 拒绝服务</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests.</Description>      <cnnvd>CNNVD-201302-453</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-0316</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
http://drupal.org/SA-CORE-2013-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.20</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105709" id="105709" modifyDate="2017-08-02">      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2013-6385:sa-core-2013-003-乐观跨站点请求伪造保护导致的多个漏洞
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.</Description>      <cnnvd>CNNVD-201311-455</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-6385</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.29</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105709" id="105709" modifyDate="2017-08-02">      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2013-6385:sa-core-2013-003-乐观跨站点请求伪造保护导致的多个漏洞
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.</Description>      <cnnvd>CNNVD-201311-455</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-6385</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.24</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105711" id="105711" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2013-6386:sa-core-2013-003-由于使用mt_rand（）生成伪随机数的弱点而导致的多个漏洞
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.</Description>      <cnnvd>CNNVD-201311-456</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-6386</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.29</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105711" id="105711" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2013-6386:sa-core-2013-003-由于使用mt_rand（）生成伪随机数的弱点而导致的多个漏洞
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.</Description>      <cnnvd>CNNVD-201311-456</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-6386</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.24</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105712" id="105712" modifyDate="2017-08-02">      <cvsscode>2.1</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2013-6387 : SA-CORE-2013-003 - 跨站脚本 (图像模块 - Drupal 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.</Description>      <cnnvd>CNNVD-201311-459</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-6387</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.24</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105713" id="105713" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2013-6388 : SA-CORE-2013-003 - 跨站脚本 (颜色模块 - Drupal 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.</Description>      <cnnvd>CNNVD-201311-458</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-6388</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.24</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105714" id="105714" modifyDate="2017-08-02">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2013-6389 : SA-CORE-2013-003 - 开放重定向 (覆盖模块 - Drupal 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.</Description>      <cnnvd>CNNVD-201311-457</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2013-6389</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2013-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.24</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105716" id="105716" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2014-1475 : SA-CORE-2014-001 - 模仿 (OpenID模块 - Drupal 6 和 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.</Description>      <cnnvd>CNNVD-201401-517</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-1475</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2014-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.30</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105716" id="105716" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2014-1475 : SA-CORE-2014-001 - 模仿 (OpenID模块 - Drupal 6 和 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.</Description>      <cnnvd>CNNVD-201401-517</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-1475</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2014-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.26</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105717" id="105717" modifyDate="2017-08-02">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-1476 : SA-CORE-2014-001 - 访问绕过 (分类模块 - Drupal 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page.</Description>      <cnnvd>CNNVD-201401-518</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-1476</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2014-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.26</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105719" id="105719" modifyDate="2017-12-18">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-2983 : SA-CORE-2014-002 - Drupal core - 信息泄漏</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.</Description>      <cnnvd>CNNVD-201404-485</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-2983</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2014-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.31</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105719" id="105719" modifyDate="2017-12-18">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-2983 : SA-CORE-2014-002 - Drupal core - 信息泄漏</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.</Description>      <cnnvd>CNNVD-201404-485</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-2983</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://drupal.org/SA-CORE-2014-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.27</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105720" id="105720" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2014-3704 : SA-CORE-2014-005 - Drupal core - SQL注入</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.</Description>      <cnnvd>CNNVD-201410-462</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-3704</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-005</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.32</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105722" id="105722" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-5019 : SA-CORE-2014-003 - 拒绝服务 (基本系统 - Drupal 6 和 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.</Description>      <cnnvd>CNNVD-201407-527</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5019</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.32</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105722" id="105722" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-5019 : SA-CORE-2014-003 - 拒绝服务 (基本系统 - Drupal 6 和 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.</Description>      <cnnvd>CNNVD-201407-527</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5019</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.29</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105723" id="105723" modifyDate="2017-08-02">      <cvsscode>4.9</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-5020 : SA-CORE-2014-003 - 访问绕过 (文件模块 - Drupal 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field.</Description>      <cnnvd>CNNVD-201407-528</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5020</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.32</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105725" id="105725" modifyDate="2017-08-02">      <cvsscode>2.1</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2014-5021 : SA-CORE-2014-003 - 跨站脚本 (表单API - Drupal 6 和 7) </name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the &amp;quot;administer taxonomy&amp;quot; permission to inject arbitrary web script or HTML via an option group label.</Description>      <cnnvd>CNNVD-201407-529</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5021</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.32</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105725" id="105725" modifyDate="2017-08-02">      <cvsscode>2.1</cvsscode>      <severity>Moderate</severity>      <name>Drupal: CVE-2014-5021 : SA-CORE-2014-003 - 跨站脚本 (表单API - Drupal 6 和 7) </name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the &amp;quot;administer taxonomy&amp;quot; permission to inject arbitrary web script or HTML via an option group label.</Description>      <cnnvd>CNNVD-201407-529</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5021</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.29</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105726" id="105726" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-5022 : SA-CORE-2014-003 - 跨站脚本 (Ajax系统 - Drupal 7)</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field.</Description>      <cnnvd>CNNVD-201407-530</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5022</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.29</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105728" id="105728" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-5265 : SA-CORE-2014-004 - Drupal core - 拒绝服务</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.</Description>      <cnnvd>CNNVD-201408-282</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5265</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://wordpress.org/news/2014/08/wordpress-3-9-2/ 
https://www.drupal.org/SA-CORE-2014-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.31</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105728" id="105728" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-5265 : SA-CORE-2014-004 - Drupal core - 拒绝服务</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.</Description>      <cnnvd>CNNVD-201408-282</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5265</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://wordpress.org/news/2014/08/wordpress-3-9-2/ 
https://www.drupal.org/SA-CORE-2014-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.33</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105730" id="105730" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-5266 : SA-CORE-2014-004 - Drupal core - 拒绝服务</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.</Description>      <cnnvd>CNNVD-201408-283</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5266</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://wordpress.org/news/2014/08/wordpress-3-9-2/ 
https://www.drupal.org/SA-CORE-2014-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.31</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105730" id="105730" modifyDate="2017-08-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-5266 : SA-CORE-2014-004 - Drupal core - 拒绝服务</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.</Description>      <cnnvd>CNNVD-201408-283</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5266</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://wordpress.org/news/2014/08/wordpress-3-9-2/ 
https://www.drupal.org/SA-CORE-2014-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.33</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105732" id="105732" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-5267 : SA-CORE-2014-004 - Drupal core - 拒绝服务</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.</Description>      <cnnvd>CNNVD-201409-1164</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5267</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.31</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105732" id="105732" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-5267 : SA-CORE-2014-004 - Drupal core - 拒绝服务</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.</Description>      <cnnvd>CNNVD-201409-1164</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-5267</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.33</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105734" id="105734" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-9015 : 会议劫持 (Drupal 6 和 7) - SA-CORE-2014-006</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.</Description>      <cnnvd>CNNVD-201411-446</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-9015</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-006</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.34</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105734" id="105734" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-9015 : 会议劫持 (Drupal 6 和 7) - SA-CORE-2014-006</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.</Description>      <cnnvd>CNNVD-201411-446</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-9015</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2014-006</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.34</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105735" id="105735" modifyDate="2017-09-08">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2014-9016 : 拒绝服务 (Drupal 7) - SA-CORE-2014-006</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.</Description>      <cnnvd>CNNVD-201411-387</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2014-9016</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/node/2378367</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.34</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105737" id="105737" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-2559 : 通过密码重置URL访问绕过 - SA-CORE-2015-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.</Description>      <cnnvd>CNNVD-201503-509</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-2559</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.35</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105737" id="105737" modifyDate="2017-08-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-2559 : 通过密码重置URL访问绕过 - SA-CORE-2015-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.</Description>      <cnnvd>CNNVD-201503-509</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-2559</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.35</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105739" id="105739" modifyDate="2017-12-06">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-2749 : 通过“目标”URL参数开放重定向 - SA-CORE-2015-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.</Description>      <cnnvd>CNNVD-201709-588</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-2749</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.35</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105739" id="105739" modifyDate="2017-12-06">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-2749 : 通过“目标”URL参数开放重定向 - SA-CORE-2015-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.</Description>      <cnnvd>CNNVD-201709-588</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-2749</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.35</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105741" id="105741" modifyDate="2017-12-06">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-2750 : 通过URL相关API函数开放重定向 - SA-CORE-2015-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the &amp;quot;//&amp;quot; initial sequence.</Description>      <cnnvd>CNNVD-201709-587</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-2750</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.35</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105741" id="105741" modifyDate="2017-12-06">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-2750 : 通过URL相关API函数开放重定向 - SA-CORE-2015-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the &amp;quot;//&amp;quot; initial sequence.</Description>      <cnnvd>CNNVD-201709-587</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-2750</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.35</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105742" id="105742" modifyDate="2017-09-08">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-3231 : 信息泄漏 (渲染缓存系统 - Drupal 7) - SA-CORE-2015-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache.</Description>      <cnnvd>CNNVD-201506-355</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-3231</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.38</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105743" id="105743" modifyDate="2017-08-02">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-3232 : 开放重定向 (字段UI模块 - Drupal 7) - SA-CORE-2015-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter.</Description>      <cnnvd>CNNVD-201506-356</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-3232</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.38</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105744" id="105744" modifyDate="2017-08-02">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-3233 : 开放重定向 (覆盖模块 - Drupal 7) - SA-CORE-2015-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.</Description>      <cnnvd>CNNVD-201506-357</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-3233</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.38</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105746" id="105746" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-3234 : 模仿 (OpenID模块 - Drupal 6 和 7) - SA-CORE-2015-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users&amp;#39; accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers.</Description>      <cnnvd>CNNVD-201506-358</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-3234</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.36</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105746" id="105746" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-3234 : 模仿 (OpenID模块 - Drupal 6 和 7) - SA-CORE-2015-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users&amp;#39; accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers.</Description>      <cnnvd>CNNVD-201506-358</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-3234</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.38</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105748" id="105748" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2015-6658:跨站点脚本（自动完成系统-Drupal 6和7）-SA-CORE-2015-003
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files.</Description>      <cnnvd>CNNVD-201508-479</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-6658</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.37</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105748" id="105748" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2015-6658:跨站点脚本（自动完成系统-Drupal 6和7）-SA-CORE-2015-003
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files.</Description>      <cnnvd>CNNVD-201508-479</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-6658</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.39</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105749" id="105749" modifyDate="2017-08-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2015-6659 : SQL注入 (数据库API - Drupal 7) - SA-CORE-2015-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment.</Description>      <cnnvd>CNNVD-201508-481</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-6659</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.39</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105751" id="105751" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-6660 : 跨站请求伪造 (表单API - Drupal 6 和 7) - SA-CORE-2015-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user&amp;#39;s account via vectors related to &amp;quot;file upload value callbacks.&amp;quot;</Description>      <cnnvd>CNNVD-201508-483</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-6660</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.37</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105751" id="105751" modifyDate="2017-08-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-6660 : 跨站请求伪造 (表单API - Drupal 6 和 7) - SA-CORE-2015-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user&amp;#39;s account via vectors related to &amp;quot;file upload value callbacks.&amp;quot;</Description>      <cnnvd>CNNVD-201508-483</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-6660</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.39</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105753" id="105753" modifyDate="2017-09-08">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2015-6661：菜单链接中的信息披露（访问系统-Drupal 6和7）-SA-CORE-2015-003
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.</Description>      <cnnvd>CNNVD-201508-480</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-6661</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.37</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105753" id="105753" modifyDate="2017-09-08">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2015-6661：菜单链接中的信息披露（访问系统-Drupal 6和7）-SA-CORE-2015-003
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.</Description>      <cnnvd>CNNVD-201508-480</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-6661</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.39</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105754" id="105754" modifyDate="2017-08-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-6665 : 跨站脚本 (Ajax系统 - Drupal 7) - SA-CORE-2015-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the &amp;quot;a&amp;quot; tag.</Description>      <cnnvd>CNNVD-201508-482</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-6665</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.37</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105755" id="105755" modifyDate="2017-12-06">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2015-7943 : Drupal Core - Overlay - 开放重定向 - SA-CORE-2015-004</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3233.</Description>      <cnnvd>CNNVD-201510-631</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2015-7943</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2015-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.41</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105757" id="105757" modifyDate="2017-10-30">      <cvsscode>6.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3162 : 文件上传访问绕过和拒绝服务 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.</Description>      <cnnvd>CNNVD-201603-440</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3162</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.43</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105757" id="105757" modifyDate="2017-10-30">      <cvsscode>6.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3162 : 文件上传访问绕过和拒绝服务 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.</Description>      <cnnvd>CNNVD-201603-440</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3162</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.0.4</high>                     
                               <low>8.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105759" id="105759" modifyDate="2017-10-30">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3163 : 通过XML-RPC进行暴力放大攻击 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.</Description>      <cnnvd>CNNVD-201603-434</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3163</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.38</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105759" id="105759" modifyDate="2017-10-30">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3163 : 通过XML-RPC进行暴力放大攻击 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.</Description>      <cnnvd>CNNVD-201603-434</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3163</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.43</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105762" id="105762" modifyDate="2017-10-30">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3164 : 通过路径操作开放重定向 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.</Description>      <cnnvd>CNNVD-201603-441</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3164</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.38</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105762" id="105762" modifyDate="2017-10-30">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3164 : 通过路径操作开放重定向 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.</Description>      <cnnvd>CNNVD-201603-441</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3164</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.43</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105762" id="105762" modifyDate="2017-10-30">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3164 : 通过路径操作开放重定向 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.</Description>      <cnnvd>CNNVD-201603-441</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3164</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.0.4</high>                     
                               <low>8.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105763" id="105763" modifyDate="2017-10-30">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3165 : 表单API忽略提交按钮的访问限制 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has &amp;quot;#access&amp;quot; set to FALSE in the server-side form definition.</Description>      <cnnvd>CNNVD-201603-442</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3165</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.38</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105764" id="105764" modifyDate="2017-10-30">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3166 : HTTP头注入使用换行符 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.</Description>      <cnnvd>CNNVD-201603-435</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3166</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.38</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105765" id="105765" modifyDate="2017-10-30">      <cvsscode>6.4</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3167 : 通过双重编码的“目标”参数打开重定向 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the &amp;quot;destination&amp;quot; parameter.</Description>      <cnnvd>CNNVD-201603-436</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3167</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.38</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105767" id="105767" modifyDate="2017-10-30">      <cvsscode>8.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2016-3168 : 反射文件下载漏洞 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a &amp;quot;reflected file download vulnerability.&amp;quot;</Description>      <cnnvd>CNNVD-201603-437</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3168</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.38</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105767" id="105767" modifyDate="2017-10-30">      <cvsscode>8.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2016-3168 : 反射文件下载漏洞 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a &amp;quot;reflected file download vulnerability.&amp;quot;</Description>      <cnnvd>CNNVD-201603-437</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3168</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.43</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105769" id="105769" modifyDate="2017-10-30">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2016-3169:保存用户帐户有时可以授予用户所有角色-sa-core-2016-001
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.</Description>      <cnnvd>CNNVD-201603-438</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3169</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.38</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105769" id="105769" modifyDate="2017-10-30">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2016-3169:保存用户帐户有时可以授予用户所有角色-sa-core-2016-001
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.</Description>      <cnnvd>CNNVD-201603-438</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3169</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.43</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105771" id="105771" modifyDate="2017-10-30">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3170 : 电子邮件地址可以匹配一个帐户 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The &amp;quot;have you forgotten your password&amp;quot; links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.</Description>      <cnnvd>CNNVD-201603-439</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3170</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.43</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105771" id="105771" modifyDate="2017-10-30">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-3170 : 电子邮件地址可以匹配一个帐户 - SA-CORE-2016-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The &amp;quot;have you forgotten your password&amp;quot; links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.</Description>      <cnnvd>CNNVD-201603-439</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3170</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.0.4</high>                     
                               <low>8.0</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105772" id="105772" modifyDate="2017-10-30">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2016-3171:会话数据截断可能导致用户提供数据的非序列化-SA-CORE-2016-001
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.</Description>      <cnnvd>CNNVD-201603-443</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-3171</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">6.38</high>                     
                               <low>6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105773" id="105773" modifyDate="2019-04-04">      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-5385 : Drupal Core -  非常关键 - 注入 - SA-CORE-2016-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application&amp;#39;s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv(&amp;#39;HTTP_PROXY&amp;#39;) call or (2) a CGI configuration of PHP, aka an &amp;quot;httpoxy&amp;quot; issue.</Description>      <cnnvd>CNNVD-201607-538</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-5385</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，详情请关注厂商主页： 
http://php.net/</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.1.7</high>                     
                               <low>8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105774" id="105774" modifyDate="2017-10-30">      <cvsscode>6.5</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2016-6211:保存用户帐户有时可以授予用户所有角色-sa-core-2016-002
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.</Description>      <cnnvd>CNNVD-201607-411</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-6211</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.44</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105776" id="105776" modifyDate="2017-10-30">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2016-6212:视图允许未经授权的用户查看统计信息-sa-core-2016-002
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.</Description>      <cnnvd>CNNVD-201607-412</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-6212</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.44</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105776" id="105776" modifyDate="2017-10-30">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2016-6212:视图允许未经授权的用户查看统计信息-sa-core-2016-002
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.</Description>      <cnnvd>CNNVD-201607-412</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-6212</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.1.3</high>                     
                               <low>8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105777" id="105777" modifyDate="2017-10-30">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>drupal:cve-2016-7570:没有“管理注释”的用户可以在他们可以编辑的节点上设置注释可见性
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 8.x before 8.1.10 does not properly check for &amp;quot;Administer comments&amp;quot; permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.</Description>      <cnnvd>CNNVD-201609-661</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-7570</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.1.10</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105778" id="105778" modifyDate="2017-10-30">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-7571: http异常中的跨站脚本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.</Description>      <cnnvd>CNNVD-201609-662</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-7571</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.1.10</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105779" id="105779" modifyDate="2017-10-30">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-7572: 无需管理权限即可下载完整配置导出</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for &amp;quot;Export configuration&amp;quot; permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.</Description>      <cnnvd>CNNVD-201609-663</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-7572</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.1.10</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105781" id="105781" modifyDate="2019-04-04">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-9449 : 术语访问查询的名称不一致 - SA-CORE-2016-005</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.</Description>      <cnnvd>CNNVD-201611-461</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-9449</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-005</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.52</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105781" id="105781" modifyDate="2019-04-04">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-9449 : 术语访问查询的名称不一致 - SA-CORE-2016-005</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.</Description>      <cnnvd>CNNVD-201611-461</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-9449</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-005</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.2.3</high>                     
                               <low>8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105782" id="105782" modifyDate="2019-04-04">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-9450 : 密码重置页面上的缓存上下文不正确 - SA-CORE-2016-005</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.</Description>      <cnnvd>CNNVD-201611-462</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-9450</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-005</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.2.3</high>                     
                               <low>8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105783" id="105783" modifyDate="2019-04-04">      <cvsscode>4.9</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-9451 : 确认表单允许注入外部URL - SA-CORE-2016-005</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.</Description>      <cnnvd>CNNVD-201611-463</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-9451</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-005</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.52</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105784" id="105784" modifyDate="2019-04-04">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2016-9452 : 通过音译机制拒绝服务 - SA-CORE-2016-005</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.</Description>      <cnnvd>CNNVD-201611-464</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2016-9452</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2016-005</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.2.3</high>                     
                               <low>8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105785" id="105785" modifyDate="2019-04-02">      <cvsscode>5.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6377: Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.</Description>      <cnnvd>CNNVD-201703-202</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6377</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-2017-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.2.7</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105786" id="105786" modifyDate="2019-04-02">      <cvsscode>5.1</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6379: Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.</Description>      <cnnvd>CNNVD-201703-716</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6379</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-2017-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.2.7</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105788" id="105788" modifyDate="2019-11-05">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6381: Drupal Core - 多个漏洞 - SA-CORE-2017-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren&amp;#39;t normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren&amp;#39;t vulnerable, you can remove the &amp;lt;siteroot&amp;gt;/vendor/phpunit directory from your production deployments</Description>      <cnnvd>CNNVD-201703-715</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6381</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-2017-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.2.2</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-09-18" gvid="ID105788" id="105788" modifyDate="2019-11-05">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6381: Drupal Core - 多个漏洞 - SA-CORE-2017-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren&amp;#39;t normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren&amp;#39;t vulnerable, you can remove the &amp;lt;siteroot&amp;gt;/vendor/phpunit directory from your production deployments</Description>      <cnnvd>CNNVD-201703-715</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6381</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-2017-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.2.7</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105790" id="105790" modifyDate="2017-10-30">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6919 : Drupal Core - 关键 - 访问绕过 - SA-CORE-2017-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.</Description>      <cnnvd>CNNVD-201704-949</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6919</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2017-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high>8.2.8</high>                     
                               <low>8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105790" id="105790" modifyDate="2017-10-30">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6919 : Drupal Core - 关键 - 访问绕过 - SA-CORE-2017-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.</Description>      <cnnvd>CNNVD-201704-949</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6919</id>      </AlternateIds>      <Solutions>目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： 
https://www.drupal.org/SA-CORE-2017-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high>8.3.1</high>                     
                               <low>8.3</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105791" id="105791" modifyDate="2018-10-09">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2017-6920 : PECL YAML解析器不安全的对象处理 - SA-CORE-2017-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.</Description>      <cnnvd>CNNVD-201706-995</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6920</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.3.4</high>                     
                               <low>8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105792" id="105792" modifyDate="2019-03-26">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6921 : 文件REST资源没有正确验证 - SA-CORE-2017-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.</Description>      <cnnvd>CNNVD-201706-1001</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6921</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.3.4</high>                     
                               <low>8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105794" id="105794" modifyDate="2019-03-26">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2017-6922：匿名用户上传到私有文件系统的文件可由其他匿名用户访问-SA-CORE-2017-003
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.</Description>      <cnnvd>CNNVD-201706-1004</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6922</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.56</high>                     
                               <low>7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-02" gvid="ID105794" id="105794" modifyDate="2019-03-26">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2017-6922：匿名用户上传到私有文件系统的文件可由其他匿名用户访问-SA-CORE-2017-003
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.</Description>      <cnnvd>CNNVD-201706-1004</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6922</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.3.4</high>                     
                               <low>8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-01-16" gvid="ID105795" id="105795" modifyDate="2019-04-02">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6923: Drupal Core - 多个漏洞 - SA-CORE-2017-004</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.</Description>      <cnnvd>CNNVD-201708-798</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6923</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.3.7</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-01-16" gvid="ID105796" id="105796" modifyDate="2019-04-02">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6924: Drupal Core - 多个漏洞 - SA-CORE-2017-004</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.</Description>      <cnnvd>CNNVD-201708-799</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6924</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.3.7</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-01-16" gvid="ID105797" id="105797" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2017-6925: Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-004</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.</Description>      <cnnvd>CNNVD-201708-800</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6925</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.3.7</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-26" gvid="ID105798" id="105798" modifyDate="2019-04-02">      <cvsscode>5.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6926: Comment reply form allows access to restricted content</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.</Description>      <cnnvd>CNNVD-201803-006</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6926</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.4.5</high>                     
                               <low inclusive="1">8.4</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-08-08" gvid="ID105800" id="105800" modifyDate="2019-04-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6927: JavaScript cross-site scripting prevention is incomplete</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.</Description>      <cnnvd>CNNVD-201803-005</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6927</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.57</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-08-08" gvid="ID105800" id="105800" modifyDate="2019-04-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6927: JavaScript cross-site scripting prevention is incomplete</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.</Description>      <cnnvd>CNNVD-201803-005</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6927</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.4.5</high>                     
                               <low inclusive="1">8.4</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-08-08" gvid="ID105801" id="105801" modifyDate="2019-04-02">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2017-6928:专用文件访问旁路</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal core 7.x versions before 7.57 when using Drupal&amp;#39;s private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.</Description>      <cnnvd>CNNVD-201803-004</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6928</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.57</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-08-08" gvid="ID105802" id="105802" modifyDate="2019-04-02">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2017-6929:带有不受信任域的jQuery漏洞</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.</Description>      <cnnvd>CNNVD-201803-003</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6929</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.57</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-26" gvid="ID105803" id="105803" modifyDate="2019-04-02">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6930:具有节点访问限制的多语言站点上的语言回退可能不正确
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal versions 8.4.x versions before 8.4.5 when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().</Description>      <cnnvd>CNNVD-201803-002</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6930</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.4.5</high>                     
                               <low inclusive="1">8.4</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-26" gvid="ID105804" id="105804" modifyDate="2019-04-02">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2017-6931:设置托盘访问旁路</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module.</Description>      <cnnvd>CNNVD-201703-709</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6931</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.4.5</high>                     
                               <low inclusive="1">8.4</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-26" gvid="ID105805" id="105805" modifyDate="2019-04-02">      <cvsscode>5.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2017-6932: External link injection on 404 pages when linking to the current page</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.</Description>      <cnnvd>CNNVD-201703-708</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2017-6932</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.57</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-04" gvid="ID105808" id="105808" modifyDate="2019-04-08">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2018-1000888: Drupal core - Critical - Third Party Libraries  - SA-CORE-2019-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header[&amp;#39;filename&amp;#39;]` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this-&amp;gt;_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.</Description>      <cnnvd>CNNVD-201812-1185</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-1000888</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://pear.php.net/package/Archive_Tar/download/</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.62</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-04" gvid="ID105808" id="105808" modifyDate="2019-04-08">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2018-1000888: Drupal core - Critical - Third Party Libraries  - SA-CORE-2019-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header[&amp;#39;filename&amp;#39;]` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this-&amp;gt;_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.</Description>      <cnnvd>CNNVD-201812-1185</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-1000888</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://pear.php.net/package/Archive_Tar/download/</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.9</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-04" gvid="ID105808" id="105808" modifyDate="2019-04-08">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2018-1000888: Drupal core - Critical - Third Party Libraries  - SA-CORE-2019-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header[&amp;#39;filename&amp;#39;]` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this-&amp;gt;_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.</Description>      <cnnvd>CNNVD-201812-1185</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-1000888</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://pear.php.net/package/Archive_Tar/download/</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.6</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-08-09" gvid="ID105809" id="105809" modifyDate="2019-05-13">      <cvsscode>4.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2018-14773: Drupal核心 - 3rd-party库 -SA-CORE-2018-005</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it&amp;#39;s not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.</Description>      <cnnvd>CNNVD-201808-148</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-14773</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.6</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-03-29" gvid="ID105813" id="105813" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal:CVE-2018-7600:远程执行代码 - SA-CORE-2018-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.</Description>      <cnnvd>CNNVD-201803-1136</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-7600</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.58</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-03-29" gvid="ID105813" id="105813" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal:CVE-2018-7600:远程执行代码 - SA-CORE-2018-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.</Description>      <cnnvd>CNNVD-201803-1136</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-7600</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.3.9</high>                     
                               <low inclusive="1">8.3</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-03-29" gvid="ID105813" id="105813" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal:CVE-2018-7600:远程执行代码 - SA-CORE-2018-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.</Description>      <cnnvd>CNNVD-201803-1136</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-7600</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.4.6</high>                     
                               <low inclusive="1">8.4</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-03-29" gvid="ID105813" id="105813" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal:CVE-2018-7600:远程执行代码 - SA-CORE-2018-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.</Description>      <cnnvd>CNNVD-201803-1136</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-7600</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.1</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-04-26" gvid="ID105816" id="105816" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal:CVE-2018-7602:非常关键 - 远程执行代码</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.</Description>      <cnnvd>CNNVD-201804-1490</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-7602</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.59</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-04-26" gvid="ID105816" id="105816" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal:CVE-2018-7602:非常关键 - 远程执行代码</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.</Description>      <cnnvd>CNNVD-201804-1490</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-7602</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.4.8</high>                     
                               <low inclusive="1">8.4</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2018-04-26" gvid="ID105816" id="105816" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal:CVE-2018-7602:非常关键 - 远程执行代码</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.</Description>      <cnnvd>CNNVD-201804-1490</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-7602</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.3</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-29" gvid="ID105818" id="105818" modifyDate="2019-07-26">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2018-9861: Drupal core - Moderately critical - Cross Site Scripting</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.</Description>      <cnnvd>CNNVD-201804-1117</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-9861</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.4.7</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-29" gvid="ID105818" id="105818" modifyDate="2019-07-26">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2018-9861: Drupal core - Moderately critical - Cross Site Scripting</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.</Description>      <cnnvd>CNNVD-201804-1117</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2018-9861</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2018-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.2</high>                     
                               <low inclusive="1">8</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-18" gvid="ID105820" id="105820" modifyDate="2019-05-22">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2019-10909:Drupal核心-中等严重-多个漏洞-SA-CORE-2019-005
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-10909</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.1</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-18" gvid="ID105820" id="105820" modifyDate="2019-05-22">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2019-10909:Drupal核心-中等严重-多个漏洞-SA-CORE-2019-005
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-10909</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.1</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-18" gvid="ID105822" id="105822" modifyDate="2019-05-21">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal:CVE-2019-10910:Drupal核心-中等严重-多个漏洞-SA-CORE-2019-005
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-10910</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.1</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-18" gvid="ID105822" id="105822" modifyDate="2019-05-21">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal:CVE-2019-10910:Drupal核心-中等严重-多个漏洞-SA-CORE-2019-005
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-10910</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.1</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-18" gvid="ID105824" id="105824" modifyDate="2019-05-21">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2019-10911:Drupal核心-中等严重-多个漏洞-SA-CORE-2019-005
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-10911</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.1</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-18" gvid="ID105824" id="105824" modifyDate="2019-05-21">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal:CVE-2019-10911:Drupal核心-中等严重-多个漏洞-SA-CORE-2019-005
</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-10911</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.1</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-23" gvid="ID105827" id="105827" modifyDate="2019-10-15">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-11358: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-11358</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.66</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-23" gvid="ID105827" id="105827" modifyDate="2019-10-15">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-11358: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-11358</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.1</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-04-23" gvid="ID105827" id="105827" modifyDate="2019-10-15">      <cvsscode>4.3</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-11358: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-11358</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.1</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-05-10" gvid="ID105830" id="105830" modifyDate="2019-05-17">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2019-11831: Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-11831</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.67</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-05-10" gvid="ID105830" id="105830" modifyDate="2019-05-17">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2019-11831: Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-11831</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.1</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-05-10" gvid="ID105830" id="105830" modifyDate="2019-05-17">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2019-11831: Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.</Description>      <cnnvd></cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-11831</id>      </AlternateIds>      <Solutions framework="1" xml:lang="zh-hk">         
           
           
         升級到 Drupal 到最新版本,下載并申请升級:https://www.drupal.org/project/drupal/releases      </Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.7.1</high>                     
                               <low inclusive="1">8.7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-29" gvid="ID105833" id="105833" modifyDate="2019-04-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6338: Drupal core - Critical - Third Party Libraries  - SA-CORE-2019-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details</Description>      <cnnvd>CNNVD-201901-789</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6338</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.62</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-29" gvid="ID105833" id="105833" modifyDate="2019-04-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6338: Drupal core - Critical - Third Party Libraries  - SA-CORE-2019-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details</Description>      <cnnvd>CNNVD-201901-789</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6338</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.9</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-29" gvid="ID105833" id="105833" modifyDate="2019-04-02">      <cvsscode>6.0</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6338: Drupal core - Critical - Third Party Libraries  - SA-CORE-2019-001</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details</Description>      <cnnvd>CNNVD-201901-789</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6338</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-001</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.6</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-26" gvid="ID105836" id="105836" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2019-6339: Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP&amp;#39;s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.</Description>      <cnnvd>CNNVD-201901-783</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6339</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.62</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-26" gvid="ID105836" id="105836" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2019-6339: Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP&amp;#39;s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.</Description>      <cnnvd>CNNVD-201901-783</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6339</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.9</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-26" gvid="ID105836" id="105836" modifyDate="2019-04-02">      <cvsscode>7.5</cvsscode>      <severity>Critical</severity>      <name>Drupal: CVE-2019-6339: Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP&amp;#39;s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.</Description>      <cnnvd>CNNVD-201901-783</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6339</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-002</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.6</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-02-20" gvid="ID105842" id="105842" modifyDate="2019-11-05">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6340: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)</Description>      <cnnvd>CNNVD-201902-806</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6340</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.1</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-02-20" gvid="ID105842" id="105842" modifyDate="2019-11-05">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6340: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)</Description>      <cnnvd>CNNVD-201902-806</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6340</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.11</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-02-20" gvid="ID105842" id="105842" modifyDate="2019-11-05">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6340: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)</Description>      <cnnvd>CNNVD-201902-806</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6340</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.1</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-02-20" gvid="ID105842" id="105842" modifyDate="2019-11-05">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6340: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)</Description>      <cnnvd>CNNVD-201902-806</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6340</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.10</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-02-20" gvid="ID105842" id="105842" modifyDate="2019-11-05">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6340: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)</Description>      <cnnvd>CNNVD-201902-806</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6340</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.11</high>                     
                               <low>8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-02-20" gvid="ID105842" id="105842" modifyDate="2019-11-05">      <cvsscode>6.8</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6340: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)</Description>      <cnnvd>CNNVD-201902-806</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6340</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-003</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.10</high>                     
                               <low>8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-29" gvid="ID105847" id="105847" modifyDate="2019-11-05">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6341: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.</Description>      <cnnvd>CNNVD-201903-1006</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6341</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">7.65</high>                     
                               <low inclusive="1">7</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-29" gvid="ID105847" id="105847" modifyDate="2019-11-05">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6341: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.</Description>      <cnnvd>CNNVD-201903-1006</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6341</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.1</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-29" gvid="ID105847" id="105847" modifyDate="2019-11-05">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6341: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.</Description>      <cnnvd>CNNVD-201903-1006</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6341</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.5.14</high>                     
                               <low inclusive="1">8.5</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-29" gvid="ID105847" id="105847" modifyDate="2019-11-05">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6341: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.</Description>      <cnnvd>CNNVD-201903-1006</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6341</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.1</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-03-29" gvid="ID105847" id="105847" modifyDate="2019-11-05">      <cvsscode>3.5</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6341: Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.</Description>      <cnnvd>CNNVD-201903-1006</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6341</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-004</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.6.13</high>                     
                               <low inclusive="1">8.6</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2019-07-26" gvid="ID105848" id="105848" modifyDate="2019-07-26">      <cvsscode>4.4</cvsscode>      <severity>Severe</severity>      <name>Drupal: CVE-2019-6342: Drupal核心 - 高危 - 访问绕过 - SA-CORE-2019-008</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.</Description>      <cnnvd>CNNVD-201907-1046</cnnvd>      <AlternateIds>         <id name="CVE">CVE-2019-6342</id>      </AlternateIds>      <Solutions>目前厂商已发布升级补丁以修复漏洞，补丁获取链接： 
https://www.drupal.org/sa-core-2019-008</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal">               
                     <version>                  
                          <range>                     
                               <high inclusive="0">8.7.5</high>                     
                               <low inclusive="1">8.7.4</low>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability>   <Vulnerability addData="2017-08-01" gvid="ID105849" id="105849" modifyDate="2019-02-20">      <cvsscode>10.0</cvsscode>      <severity>Critical</severity>      <name>Drupal 过时版本</name>      <Tags>         <tag></tag>      </Tags>      <cvss></cvss>      <Description>drupal (早于 7) 的旧版本官方已不再支持。 这些版本可能存在未报告的漏洞。应该升级到最新版本以减轻这些未知风险。</Description>      <AlternateIds>         <id name="CVE"></id>      </AlternateIds>      <Solutions>目前厂商还没有提供此漏洞的相关补丁或者升级程序，建议使用此软件的用户随时关注厂商的主页以获取最新版本： 
https://www.alice-dsl.de/</Solutions>      <Check scope="node">         <NetworkService>            <Product name="Drupal" vendor="Drupal">               
                     <version>                  
                          <range>                     
                               <high>7</high>                     
                          </range>                  
                     </version>               
                     <version>                  
                          <range>                     
                               <low>8</low>                     
                               <high>8.5</high>                     
                          </range>                  
                     </version>               
                </Product>         </NetworkService>      </Check>   </Vulnerability></Vulns>