CVSS: 6.8EPSS: 1%CPEs: 39EXPL: 0CVE-2013-4446
https://notcve.org/view.php?id=CVE-2013-4446
The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. La función _json_decode en plugins/context_reaction_block.inc en el módulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para Drupal, cuando se utiliza una versión de PHP que no soporta la función json_decode, permite a atacantes remotos ejecutar código PHP arbitrario a través de vectores no especificados relacionados con operaciones Ajax, posiblemente incluyendo una inyección eval. • http://drupalcode.org/project/context.git/commitdiff/63ef4d9 http://drupalcode.org/project/context.git/commitdiff/d7b4afa http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html https://drupal.org/node/2112785 https://drupal.org/node/2112791 https://drupal.org/node/2113317 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.9EPSS: 0%CPEs: 39EXPL: 0CVE-2013-4445
https://notcve.org/view.php?id=CVE-2013-4445
The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access. La funcionalidad de renderización de json en el módulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para Drupal utiliza el esquema de tokens de Drupal para restringir el acceso a bloques, lo cual facilita a usuarios autenticados remotamente adivinar el token de acceso para un bloque aprovechando el token de un bloque al cual el usuario tiene acceso. • http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html https://drupal.org/node/2112785 https://drupal.org/node/2112791 https://drupal.org/node/2113317 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 24EXPL: 1CVE-2012-5655
https://notcve.org/view.php?id=CVE-2012-5655
The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request. El módulo Context v6.x-3.x antes de v6.x-3.1 y v7.x-3.x antes de v7.x-3.0-beta6 para Drupal no restringe adecuadamente el acceso para bloquear el contenido, lo que permite a atacantes remotos obtener información sensible a través de una petición modificada. • http://drupal.org/node/1870550 http://drupalcode.org/project/context.git/commitdiff/4452bf1 http://drupalcode.org/project/context.git/commitdiff/d8bf8b6 http://secunia.com/advisories/51517 http://www.openwall.com/lists/oss-security/2012/12/20/1 http://www.securityfocus.com/bid/56993 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 2.1EPSS: 0%CPEs: 13EXPL: 1CVE-2010-1584 – Drupal 6.16 With Context 6.x-2.0-rc3 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2010-1584
Cross-site scripting (XSS) vulnerability in the Context module before 6.x-2.0-rc4 for Drupal allows remote authenticated users, with Administer Blocks privileges, to inject arbitrary web script or HTML via a block description. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Context anterior a v6.x-2.0-rc4 para Drupal permite a usuarios autenticados remotamente, con privilegios "Administer Blocks", inyectar código web o HTML a través de una descripción "block". Drupal version 6.16 with Context 6.x-2.0-rc3 suffers from a cross site scripting vulnerability. • http://crackingdrupal.com/blog/greggles/mitigation-against-cve-2010-1584-drupal-context-module-xss http://drupal.org/cvs?commit=365210 http://drupal.org/node/794718 http://drupal.org/node/795118 http://www.madirish.net/?article=457 http://www.packetstormsecurity.com/1005-exploits/drupalab-xss.txt http://www.securityfocus.com/bid/40056 http://www.theregister.co.uk/2010/05/10/drupal_security_bug https://exchange.xforce.ibmcloud.com/vulnerabilities/58521 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •