38 results (0.011 seconds)

CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0

Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. Una vulnerabilidad de tipo Cross-site Scripting (XSS) en la API de saneo del núcleo de Drupal que no filtra apropiadamente las vulnerabilidades de tipo cross-site scripting en determinadas circunstancias. Este problema afecta a: Drupal Core versiones 9.1.x anteriores a la 9.1.7; versiones 9.0.x anteriores a la 9.0.12; versiones 8.9.x anteriores a la 8.9.14; versiones 7.x anteriores a la 7.80 • https://www.drupal.org/sa-core-2021-002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 97%CPEs: 7EXPL: 27

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. Drupal en versiones anteriores a la 7.58, 8.x anteriores a la 8.3.9, 8.4.x anteriores a la 8.4.6 y 8.5.x anteriores a la 8.5.1 permite que los atacantes remotos ejecuten código arbitrario debido a un problema que afecta a múltiples subsistemas con configuraciones de módulos por defecto o comunes. Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise. • https://www.exploit-db.com/exploits/44482 https://www.exploit-db.com/exploits/44449 https://www.exploit-db.com/exploits/44448 https://github.com/a2u/CVE-2018-7600 https://github.com/pimps/CVE-2018-7600 https://github.com/g0rx/CVE-2018-7600-Drupal-RCE https://github.com/firefart/CVE-2018-7600 https://github.com/r3dxpl0it/CVE-2018-7600 https://github.com/dr-iman/CVE-2018-7600-Drupal-0day-RCE https://github.com/sl4cky/CVE-2018-7600 https://github.com/s • CWE-20: Improper Input Validation •

CVSS: 5.0EPSS: 0%CPEs: 79EXPL: 2

The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. La función request_path en includes/bootstrap.inc en Drupal v7.14 y anteriores, permite a atacantes remotos obtener información sensible a través del parámetro q[] sobre index.php, lo que revela el path de instalación en un mensaje de error. • http://archives.neohapsis.com/archives/bugtraq/2012-05/0052.html http://archives.neohapsis.com/archives/bugtraq/2012-05/0053.html http://archives.neohapsis.com/archives/bugtraq/2012-05/0055.html http://osvdb.org/81817 http://secunia.com/advisories/49131 http://www.mandriva.com/security/advisories?name=MDVSA-2013:074 http://www.openwall.com/lists/oss-security/2012/08/02/8 http://www.securityfocus.com/bid/53454 https://exchange.xforce.ibmcloud.com/vulnerabilities/75531 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.8EPSS: 0%CPEs: 148EXPL: 3

Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off. ** DISCUTIDO ** Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Drupal 7.12 y anteriores permite a atacantes remotos secuestrar la autenticación de los usuarios arbitrarios para solicitudes que terminan una sesión a través de la URI usuario / cierre de sesión. NOTA: el vendedor se opone a la importancia de esta cuestión, teniendo en cuenta el "beneficio de la seguridad frente a la complejidad y la plataforma de impacto en el rendimiento" y la conclusión de que un cambio en el comportamiento de cierre de sesión no está previsto porque "la mayoría de los sitios no vale la pena la compensación." • https://www.exploit-db.com/exploits/18564 http://drupal.org/node/144538 http://groups.drupal.org/node/216314 http://ivanobinetti.blogspot.it/2012/03/drupal-cms-712-latest-stable-release.html http://packetstormsecurity.org/files/110404/drupal712-xsrf.txt http://www.exploit-db.com/exploits/18564 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.0EPSS: 0%CPEs: 15EXPL: 0

The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors. El módulo central de subidas de Drupal 5.x Anterior a 5.11 permite a un usuario remoto autentificado sobrepasar las restricciones de acceso y leer "archivos adjuntos al contenido" mediante un método desconocido. • http://drupal.org/node/318706 http://secunia.com/advisories/32198 http://secunia.com/advisories/32200 http://www.openwall.com/lists/oss-security/2008/10/21/7 https://exchange.xforce.ibmcloud.com/vulnerabilities/45758 • CWE-264: Permissions, Privileges, and Access Controls •