CVE-2014-9016 – Drupal < 7.34 - Denial of Service
https://notcve.org/view.php?id=CVE-2014-9016
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. A vulnerability present in Drupal versions prior to 7.34 and WordPress versions prior to 4.0.1 allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). • https://www.exploit-db.com/exploits/35415 http://secunia.com/advisories/59164 http://secunia.com/advisories/59814 http://www.debian.org/security/2014/dsa-3075 http://www.openwall.com/lists/oss-security/2014/11/20/21 http://www.openwall.com/lists/oss-security/2014/11/20/3 http://www.openwall.com/lists/oss-security/2014/11/21/1 https://www.drupal.org/SA-CORE-2014-006 https://www.drupal.org/node/2378367 https://www.drupal.org/node/2378375 https:/ •
CVE-2014-3704 – Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)
https://notcve.org/view.php?id=CVE-2014-3704
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. Drupal versions 7.0 through 7.31 suffer from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/34992 https://www.exploit-db.com/exploits/34993 https://www.exploit-db.com/exploits/44355 https://www.exploit-db.com/exploits/35150 https://www.exploit-db.com/exploits/34984 https://github.com/happynote3966/CVE-2014-3704 http://osvdb.org/show/osvdb/113371 http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html http://packetstormsecurity.com/files/128 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-5267
https://notcve.org/view.php?id=CVE-2014-5267
modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document. • http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830 http://openwall.com/lists/oss-security/2014/08/16/4 http://www.debian.org/security/2014/dsa-2999 https://www.drupal.org/SA-CORE-2014-004 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-2983
https://notcve.org/view.php?id=CVE-2014-2983
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. • http://www.debian.org/security/2014/dsa-2913 http://www.debian.org/security/2014/dsa-2914 http://www.openwall.com/lists/oss-security/2014/04/22/2 https://drupal.org/SA-CORE-2014-002 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-1607 – Drupal 7.14 EventCalendar Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-1607
** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future. • http://osvdb.org/102574 http://www.securityfocus.com/archive/1/530876/100/0/threaded https://groups.drupal.org/node/402023 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •