CVSS: 5.3EPSS: 1%CPEs: 24EXPL: 0CVE-2012-2724
https://notcve.org/view.php?id=CVE-2012-2724
The Simplenews module 6.x-1.x before 6.x-1.4, 6.x-2.x before 6.x-2.0-alpha4, and 7.x-1.x before 7.x-1.0-rc1 for Drupal reveals the email addresses of new mailing list subscribers when confirmation is required, which allows remote attackers to obtain sensitive information via the confirmation page. El módulo Simplenews versiones 6.x-1.x anteriores a 6.x-1.4, versiones 6.x-2.x anteriores a 6.x-2.0-alpha4 y versiones 7.x-1.x anteriores a 7.x-1.0-rc1 para Drupal, revela las direcciones de correo electrónico de los nuevos suscriptores de la lista de correo cuando la confirmación es requerida, lo que permite a atacantes remotos obtener información confidencial por medio de la página confirmation. • http://drupal.org/node/1619812 http://drupal.org/node/1619818 http://drupal.org/node/1619820 http://drupal.org/node/1619848 http://drupalcode.org/project/simplenews.git/commitdiff/36352c1 http://drupalcode.org/project/simplenews.git/commitdiff/6d5704c http://drupalcode.org/project/simplenews.git/commitdiff/faec6a6 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.securityfocus.com/bid/53839 https://exchange.xforce.ibmcloud.com/vulnerabilities/76143 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 24EXPL: 0CVE-2013-4447
https://notcve.org/view.php?id=CVE-2013-4447
Cross-site scripting (XSS) vulnerability in the API in the Simplenews module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via an email address. Vulnerabilidad Cross-site scripting (XSS) en el API del módulo Simplenews 6.x-1.x anterior a 6.x-1.5 y 7.x-1.x anterior a 7.x-1.1 para Drupal que permite a atacantes remotos inyectar secuencias arbitraria de comandos web o HTML a través de una dirección de correo electrónico. • http://osvdb.org/98628 http://packetstormsecurity.com/files/123660/Drupal-Simplenews-6.x-7.x-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2013/Oct/120 http://secunia.com/advisories/55209 https://drupal.org/node/2113487 https://drupal.org/node/2113491 https://drupal.org/node/2113515 https://exchange.xforce.ibmcloud.com/vulnerabilities/88101 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •