Drupal security compared to SharePoint for the previous 3 months as of 5/16/2011: Drupal, not so good

SharePoint has had zero hacks over the past 3 months according to https://nvd.nist.gov/, and SharePoint Foundation can run for free on any licensed Windows Server.

See: https://web.nvd.nist.gov/view/vuln/search-results?query=sharepoint&search_type=last3months&cves=on (as of 5/16/2011, SharePoint had zero security vulnerabilities for the past 3 months).

If my analysis is incorrect, please feel free to comment.

Eight Drupal Security Vulnerabilities:

https://web.nvd.nist.gov/view/vuln/search-results?query=drupal&search_type=last3months&cves=on

1. Summary:

  • Cross-site request forgery (CSRF) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
  • Published: 04/10/2011
  • CVSS Severity: 6.8 (MEDIUM)
  • CVE-2011-1663

2. Summary:

  • SQL injection vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
  • Published: 04/10/2011
  • CVSS Severity: 7.5 (HIGH)
  • CVE-2011-1662

3. Summary:

  • Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  • Published: 04/10/2011
  • CVSS Severity: 4.3 (MEDIUM)
  • CVE-2011-1661

4. Summary:

  • The Node Quick Find module 6.x-1.1 for Drupal does not use db_rewrite_sql when presenting node titles, which allows remote attackers to bypass intended access restrictions and read potentially sensitive node titles via the autocomplete feature.
  • Published: 04/10/2011
  • CVSS Severity: 5.0 (MEDIUM)
  • CVE-2010-4775

5. Summary:

  • The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships.
  • Published: 03/23/2011
  • CVSS Severity: 5.0 (MEDIUM)
  • CVE-2011-1066

6. Summary:

  • Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors.
  • Published: 02/23/2011
  • CVSS Severity: 2.6 (LOW)
  • CVE-2011-0899

7. Summary:

  • The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user.
  • Published: 02/07/2011
  • CVSS Severity: 5.0 (MEDIUM)
  • CVE-2011-0771

8. Summary:

  • Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site.
  • Published: 02/04/2011
  • CVSS Severity: 6.8 (MEDIUM)