3 results (0.008 seconds)

CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title. Vulnerabilidad de XSS en el módulo Date anterior a 7.x-2.8 para Drupal permite a usuarios remotos autenticados con permiso para crear un campo de fecha inyectar secuencias de comandos web o HTML arbitrarios a través del título del campo de fecha. • http://www.openwall.com/lists/oss-security/2014/07/31/2 http://www.openwall.com/lists/oss-security/2014/07/31/4 http://www.securityfocus.com/bid/68974 https://www.drupal.org/node/2311887 https://www.drupal.org/node/2312609 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.0EPSS: 0%CPEs: 20EXPL: 0

SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer Date Tools" privilege to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en formulario de conversión para Eventos en el módulo Fecha v6.x-2.x antes de v6.x-2.8 para Drupal permite ejecutar comandos SQL a usuarios remotos autenticados con el privilegio "administrar Fecha de Herramientas" a través de vectores no especificados. • http://drupal.org/node/1401026 http://drupal.org/node/1401434 http://osvdb.org/78261 http://secunia.com/advisories/47533 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/51378 https://exchange.xforce.ibmcloud.com/vulnerabilities/72356 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 2.1EPSS: 0%CPEs: 16EXPL: 0

Cross-site scripting (XSS) vulnerability in the Date Tools sub-module in the Date module 6.x before 6.x-2.3 for Drupal allows remote authenticated users, with "use date tools" or "administer content types" privileges, to inject arbitrary web script or HTML via a "Content type label" field. Vulnerabilidad de ejecución de secuencias de comandos de sitios cruzados (XSS) en el sub-modulo Date Tools del modulo Date v6.x anteriores a 6.x-2.3 para Drupal permite a usuarios remotos autenticados con privilegios de "use date tools" o "administer content types" inyectar secuencias de comandos web o HTML arbitrarios a través del campo "Content type label". • http://drupal.org/node/534332 http://drupal.org/node/534636 http://lampsecurity.org/drupal-date-xss-vulnerability http://secunia.com/advisories/36006 http://www.osvdb.org/56608 http://www.securityfocus.com/bid/35790 http://www.vupen.com/english/advisories/2009/2103 https://exchange.xforce.ibmcloud.com/vulnerabilities/52143 https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01312.html https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01339.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •