CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13672
https://notcve.org/view.php?id=CVE-2020-13672
11 Feb 2022 — Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. Una vulnerabilidad de tipo Cross-site Scripting (XSS) en la API de saneo del núcleo de Drupal que no filtra apropiadamente las vulnerabilidades de tipo cross-site scripting en determinadas circunstancias. Es... • https://www.drupal.org/sa-core-2021-002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2010-2473
https://notcve.org/view.php?id=CVE-2010-2473
07 Nov 2019 — Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked. Drupal versiones 6.x anteriores a 6.16 y versiones 5.x anteriores a 5.22, no bloquea apropiadamente a usuarios bajo determinadas circunstancias. Un usuario con una sesión abierta que fue bloqueada podría mantener su sesión en el sitio de Drupal a pesar de estar bloqueado. • https://security-tracker.debian.org/tracker/CVE-2010-2473 • CWE-20: Improper Input Validation •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2010-2472
https://notcve.org/view.php?id=CVE-2010-2472
07 Nov 2019 — Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. El módulo local y los módulos contribuidos dependientes en Drupal versiones 6.x anteriores a 6.16 y versiones 5.x anteri... • https://security-tracker.debian.org/tracker/CVE-2010-2472 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2010-2250
https://notcve.org/view.php?id=CVE-2010-2250
07 Nov 2019 — Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. Drupal versiones 5.x y 6.x anteriores a la versión 6.16, utiliza un valor suministrado por el usuario en la salida durante la instalación del sitio, lo que podría permitir a un atacante crear una URL y realizar un ataque de tipo cross-site scripting • http://www.openwall.com/lists/oss-security/2014/02/12/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2010-2471
https://notcve.org/view.php?id=CVE-2010-2471
06 Nov 2019 — Drupal versions 5.x and 6.x has open redirection Drupal versiones 5.x y 6.x, tiene un redireccionamiento abierto • http://www.openwall.com/lists/oss-security/2014/02/12/8 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.8EPSS: 94%CPEs: 7EXPL: 45CVE-2018-7600 – Drupal Core Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-7600
29 Mar 2018 — Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. Drupal en versiones anteriores a la 7.58, 8.x anteriores a la 8.3.9, 8.4.x anteriores a la 8.4.6 y 8.5.x anteriores a la 8.5.1 permite que los atacantes remotos ejecuten código arbitrario debido a un problema que afecta a múltiples subsistemas con configuraciones de módulos por defect... • https://packetstorm.news/files/id/147247 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 79EXPL: 2CVE-2012-2922
https://notcve.org/view.php?id=CVE-2012-2922
21 May 2012 — The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. La función request_path en includes/bootstrap.inc en Drupal v7.14 y anteriores, permite a atacantes remotos obtener información sensible a través del parámetro q[] sobre index.php, lo que revela el path de instalación en un mensaje de error. • http://archives.neohapsis.com/archives/bugtraq/2012-05/0052.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 1%CPEs: 148EXPL: 3CVE-2007-6752 – Drupal 7.12 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-6752
28 Mar 2012 — Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off. ** DISCUTIDO ** Vulnerabilidad de falsi... • https://www.exploit-db.com/exploits/18564 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 55EXPL: 0CVE-2010-3092
https://notcve.org/view.php?id=CVE-2010-3092
21 Sep 2010 — The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name. El módulo de carga en Drupal v5.x anterior a v5.23 y v6.x anterior a v6.18 no soporta apropiadamente la manipulación de nombres de archivos insensibles a mayúsculas y minúsculas en la configuración de la base ... • http://drupal.org/node/880476 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.1EPSS: 0%CPEs: 55EXPL: 0CVE-2010-3093
https://notcve.org/view.php?id=CVE-2010-3093
21 Sep 2010 — The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue. El módulo comentario en Drupal v5.x anterior a v5.23 y v6.x anterior a v6.18 permite a usuarios autenticados remotamente con ciertos privilegios evitar restricciones de acceso pretendidas y restaurar comentarios eliminados a través de una URL manipulada, re... • http://drupal.org/node/880476 • CWE-264: Permissions, Privileges, and Access Controls •