CVE-2008-0274
https://notcve.org/view.php?id=CVE-2008-0274
Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en Drupal 4.7.x y 5.x, cuando ciertas protecciones .htaccess son desactivadas, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de enlaces manipulados afectando a los archivos del tema .tpl.php. • http://drupal.org/node/208565 http://secunia.com/advisories/28422 http://secunia.com/advisories/28486 http://www.securityfocus.com/bid/27238 http://www.vbdrupal.org/forum/showthread.php?p=6878 http://www.vbdrupal.org/forum/showthread.php?t=1349 http://www.vupen.com/english/advisories/2008/0127 http://www.vupen.com/english/advisories/2008/0134 https://exchange.xforce.ibmcloud.com/vulnerabilities/39605 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-0272
https://notcve.org/view.php?id=CVE-2008-0272
Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en el módulo aggregator en Drupal 4.7.x anterior a 4.7.11 y 5.x anterior a 5.6 permite a atacantes remotos borrar campos desde un alimentador con privilegios de usuario. • http://drupal.org/node/208562 http://secunia.com/advisories/28422 http://secunia.com/advisories/28486 http://www.securityfocus.com/bid/27238 http://www.vbdrupal.org/forum/showthread.php?p=6878 http://www.vbdrupal.org/forum/showthread.php?t=1349 http://www.vupen.com/english/advisories/2008/0127 http://www.vupen.com/english/advisories/2008/0134 https://exchange.xforce.ibmcloud.com/vulnerabilities/39617 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2008-0276
https://notcve.org/view.php?id=CVE-2008-0276
Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en el módulo Devel anterior a 5.x-0.1 para Drupal permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de la variable site, Relacionado con la falta de escape de la variable tabla. • http://drupal.org/node/208524 https://exchange.xforce.ibmcloud.com/vulnerabilities/39606 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-0273
https://notcve.org/view.php?id=CVE-2008-0273
Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism. Conflicto de interpretación en Drupal 4.7.x anterior a 4.7.11 y 5.x anterior a 5.6, cuando se utiliza Internet Explorer 6, permite a atacantes remotos llevar a cabo ataques de secuencias de comandos en sitios cruzados a través de secuencias de bytes UTF-8 no válidas, las cuales no son procesadas como UTF-8 por el filtro HTML de Drupal, pero son procesadas por UTF-8 por el Internet Explorer, eliminando los caracteres del documento HTML y derrotando el mecanismo de protección. • http://drupal.org/node/208564 http://secunia.com/advisories/28422 http://secunia.com/advisories/28486 http://www.securityfocus.com/bid/27238 http://www.vbdrupal.org/forum/showthread.php?p=6878 http://www.vbdrupal.org/forum/showthread.php?t=1349 http://www.vupen.com/english/advisories/2008/0127 http://www.vupen.com/english/advisories/2008/0134 https://exchange.xforce.ibmcloud.com/vulnerabilities/39619 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2007-6299
https://notcve.org/view.php?id=CVE-2007-6299
Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2) ajaxLoader, and (3) ubrowser contributed modules. Múltiples vulnerabilidades de inyección SQL en Drupal y vbDrupal 4.7.x versiones anteriores a 4.7.9 y 5.x versiones anteriores a 5.4 permiten a atacantes remotos ejecutar comandos SQL de su elección mediante módulos que pasan la entrada a la función taxonomy_select_nodes, como se demuestra con los módulos (1) taxonomy_menu, (2) ajaxLoader, y (3) ubrowser. • http://drupal.org/node/198162 http://secunia.com/advisories/27932 http://secunia.com/advisories/27951 http://secunia.com/advisories/27973 http://sourceforge.net/project/shownotes.php?release_id=559532 http://sourceforge.net/project/shownotes.php?release_id=559538 http://www.securityfocus.com/bid/26735 https://exchange.xforce.ibmcloud.com/vulnerabilities/38884 https://exchange.xforce.ibmcloud.com/vulnerabilities/38886 https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00190.ht • CWE-20: Improper Input Validation CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •