CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13672
https://notcve.org/view.php?id=CVE-2020-13672
11 Feb 2022 — Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. Una vulnerabilidad de tipo Cross-site Scripting (XSS) en la API de saneo del núcleo de Drupal que no filtra apropiadamente las vulnerabilidades de tipo cross-site scripting en determinadas circunstancias. Es... • https://www.drupal.org/sa-core-2021-002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 97%CPEs: 7EXPL: 44CVE-2018-7600 – Drupal Core Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-7600
29 Mar 2018 — Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. Drupal en versiones anteriores a la 7.58, 8.x anteriores a la 8.3.9, 8.4.x anteriores a la 8.4.6 y 8.5.x anteriores a la 8.5.1 permite que los atacantes remotos ejecuten código arbitrario debido a un problema que afecta a múltiples subsistemas con configuraciones de módulos por defect... • https://packetstorm.news/files/id/147247 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 1%CPEs: 79EXPL: 2CVE-2012-2922
https://notcve.org/view.php?id=CVE-2012-2922
21 May 2012 — The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. La función request_path en includes/bootstrap.inc en Drupal v7.14 y anteriores, permite a atacantes remotos obtener información sensible a través del parámetro q[] sobre index.php, lo que revela el path de instalación en un mensaje de error. • http://archives.neohapsis.com/archives/bugtraq/2012-05/0052.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 148EXPL: 3CVE-2007-6752 – Drupal 7.12 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-6752
28 Mar 2012 — Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off. ** DISCUTIDO ** Vulnerabilidad de falsi... • https://www.exploit-db.com/exploits/18564 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0CVE-2008-4789
https://notcve.org/view.php?id=CVE-2008-4789
29 Oct 2008 — The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error." La funcionalidad de validación del núcleo del módulo de subida en Drupal 6.x anterior a 6.5 permite a un usuario remoto autentificado sobrepasar las restricciones de acceso y "añadir archivos al contenido"; está relacionado con un "error lógico". • http://drupal.org/node/318706 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 15EXPL: 0CVE-2008-4790
https://notcve.org/view.php?id=CVE-2008-4790
29 Oct 2008 — The core upload module in Drupal 5.x before 5.11 allows remote authenticated users to bypass intended access restrictions and read "files attached to content" via unknown vectors. El módulo central de subidas de Drupal 5.x Anterior a 5.11 permite a un usuario remoto autentificado sobrepasar las restricciones de acceso y leer "archivos adjuntos al contenido" mediante un método desconocido. • http://drupal.org/node/318706 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 0%CPEs: 15EXPL: 0CVE-2008-4793
https://notcve.org/view.php?id=CVE-2008-4793
29 Oct 2008 — The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules. El API del módulo nodo en Drupal 5.x anterior a 5.11 permite a un atacante remoto evitar la validación del nodo, y tiene otros impactos por medio de ataques desconocidos relacionados con los módulos contribuídos. • http://drupal.org/node/318706 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2008-1978
https://notcve.org/view.php?id=CVE-2008-1978
27 Apr 2008 — Cross-site scripting (XSS) vulnerability in the Ubercart 5.x before 5.x-1.0 rc3 module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via node titles related to unspecified product features, a different vector than CVE-2008-1428. Vulnerabilidad de secuencias de órdenes en sitios cruzados (XSS) en el módulo Ubercart 5.x anteriores a 5.x-1.0 rc3 de Drupal permite a usuarios remotos autenticados inyectar 'script' web o HTML de su elección mediante títulos de nodos relaciona... • http://drupal.org/node/250343 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2008-1980
https://notcve.org/view.php?id=CVE-2008-1980
27 Apr 2008 — Cross-site scripting (XSS) vulnerability in E-Publish 5.x before 5.x-1.1 and 6.x before 6.x-1.0 beta1, a Drupal module, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de órdenes (XSS) en el módulo de Drupal "E-Publish" 5.x anteriores a 5.x-1.1 y 6.x anteriores a 6.x-1.0 beta1, permite a atacantes remotos inyectar 'script' web o HTML de su elección mediante vectores no especificados. • http://drupal.org/node/250408 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 48EXPL: 0CVE-2008-0273
https://notcve.org/view.php?id=CVE-2008-0273
15 Jan 2008 — Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism. Conflicto de interpretación en Drupal 4.7.x anterior a 4.7.11 y 5.x anterior a 5.6, cuando se u... • http://drupal.org/node/208564 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •