
CVSS: 5.3 | EPSS: 1% | CPEs: 24 | EXPL: 0

The Simplenews module 6.x-1.x before 6.x-1.4, 6.x-2.x before 6.x-2.0-alpha4, and 7.x-1.x before 7.x-1.0-rc1 for Drupal reveals the email addresses of new mailing list subscribers when confirmation is required, which allows remote attackers to obtain sensitive information via the confirmation page.

References:
• http://drupal.org/node/1619812
• http://drupal.org/node/1619818
• http://drupal.org/node/1619820
• http://drupal.org/node/1619848
• http://drupalcode.org/project/simplenews.git/commitdiff/36352c1
• http://drupalcode.org/project/simplenews.git/commitdiff/6d5704c
• http://drupalcode.org/project/simplenews.git/commitdiff/faec6a6
• http://www.openwall.com/lists/oss-security/2012/06/14/3
• http://www.securityfocus.com/bid/53839
• https://exchange.xforce.ibmcloud.com/vulnerabilities/76143

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 4.3 | EPSS: 0% | CPEs: 24 | EXPL: 0

Cross-site scripting (XSS) vulnerability in the API in the Simplenews module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via an email address.

References:
• http://osvdb.org/98628
• http://packetstormsecurity.com/files/123660/Drupal-Simplenews-6.x-7.x-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2013/Oct/120
• http://secunia.com/advisories/55209
• https://drupal.org/node/2113487
• https://drupal.org/node/2113491
• https://drupal.org/node/2113515
• https://exchange.xforce.ibmcloud.com/vulnerabilities/88101

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 3.5 | EPSS: 0% | CPEs: 15 | EXPL: 0

Cross-site scripting (XSS) vulnerability in the Simplenews module 5.x before 5.x-1.5 and 6.x before 6.x-1.0-beta4, a module for Drupal, allows remote authenticated users, with "administer taxonomy" permissions, to inject arbitrary web script or HTML via a Newsletter category field.

References:
• http://drupal.org/node/312944
• http://secunia.com/advisories/32022
• http://www.securityfocus.com/bid/31377
• https://exchange.xforce.ibmcloud.com/vulnerabilities/45407

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')