Drupal security compared to Sharepoint for the previous 3 months as of 5/16/2011, Drupal, not so good
Sharepoint over the past 3 months has had zero hack according to the https://nvd.nist.gov/, and Sharepoint Foundation can run for free on any licensed Windows Server.
See: https://web.nvd.nist.gov/view/vuln/search-results?query=sharepoint&search_type=last3months&cves=on (as of 5/16/2011 Sharepoint had zero security vulnerabilities for the past 3 months).
If my analysis is incorrect, please feel free comment.
Eight Drupal Security Vulnerabilities:
https://web.nvd.nist.gov/view/vuln/search-results?query=drupal&search_type=last3months&cves=on
1. Summary:
- Cross-site request forgery (CSRF) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
- Published: 04/10/2011
- CVSS Severity: 6.8 (MEDIUM)
- CVE-2011-1663
2. Summary:
- SQL injection vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- Published: 04/10/2011
- CVSS Severity: 7.5 (HIGH)
- CVE-2011-1662
3. Summary:
- Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- Published: 04/10/2011
- CVSS Severity: 4.3 (MEDIUM)
- CVE-2011-1661
4. Summary:
- The Node Quick Find module 6.x-1.1 for Drupal does not use db_rewrite_sql when presenting node titles, which allows remote attackers to bypass intended access restrictions and read potentially sensitive node titles via the autocomplete feature.
- Published: 04/10/2011
- CVSS Severity: 5.0 (MEDIUM)
- CVE-2010-4775
5. Summary:
- The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships.
- Published: 03/23/2011
- CVSS Severity: 5.0 (MEDIUM)
- CVE-2011-1066
6. Summary:
- Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors.
- Published: 02/23/2011
- CVSS Severity: 2.6 (LOW)
- CVE-2011-0899
7. Summary:
- The AES encryption module 7.x-1.4 for Drupal leaves certain debugging code enabled in release, which records the plaintext password of the last logged-in user and allows remote attackers to gain privileges as that user.
- Published: 02/07/2011
- CVSS Severity: 5.0 (MEDIUM)
- CVE-2011-0771
8. Summary:
- Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site.
- Published: 02/04/2011
- CVSS Severity: 6.8 (MEDIUM)