CVSS: 6.8EPSS: 0%CPEs: 54EXPL: 0CVE-2012-0825
https://notcve.org/view.php?id=CVE-2012-0825
Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. Drupal 6.x anterior a la versión 6.23 y 7.x anterior a 7.11 no verifica que la información Attribute Exchange (AX) se firme, lo que permite a atacantes remotos modificar información AX potencialmente sensible sin la detección a través de ataques man-in-the-middle (MITM). • http://openid.net/2011/05/05/attribute-exchange-security-alert http://www.debian.org/security/2013/dsa-2776 https://drupal.org/node/1425084 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.6EPSS: 0%CPEs: 72EXPL: 0CVE-2013-0244
https://notcve.org/view.php?id=CVE-2013-0244
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. Cross-site scripting (XSS) en Drupal 6.x anterior a 6.28 y 7.x anterior a 7.19, cuando se ejecuta con versiones anteriores de jQuery que son vulnerables a CVE-2011-4969, que permite a atacantes remotos inyectar secuencias de comandos web o HTML a través vectores que involucran funciones Javascript sin especificar que se utilizan para seleccionar los elementos DOM. • http://osvdb.org/89306 http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html http://seclists.org/fulldisclosure/2013/Jan/120 http://seclists.org/oss-sec/2013/q1/211 http://www.debian.org/security/2013/dsa-2776 https://drupal.org/SA-CORE-2013-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2013-4379
https://notcve.org/view.php?id=CVE-2013-4379
The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to bypass intended access restrictions for a poll via a direct request to the node's URL instead of the hashed URL. El módulo Make Meeting Scheduler 6.x-1.x anterior a la versión 6.x-1.3 para Drupal permite a atacantes remotos evadir restricciones de acceso de una encuesta a través de una petición directa a la URL del nodo en lugar the la URL hash. • http://secunia.com/advisories/54634 http://www.openwall.com/lists/oss-security/2013/09/27/6 https://drupal.org/node/2081637 https://drupal.org/node/2081647 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 20EXPL: 0CVE-2013-4384
https://notcve.org/view.php?id=CVE-2013-4384
Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google API. Vulnerabilidad de XSS en el módulo Google Site Search 6.x-1.x anterior a la versión 6.x-1.4 y 7.x-1.x anterior a 7.x-1.10 para Drupal permite a atacantes remotos inyectar script web arbitrario o HTML, provocando que datos diseñados sean devueltos por la API de Google. • http://osvdb.org/97503 http://www.securityfocus.com/bid/62495 https://drupal.org/node/2092395 https://exchange.xforce.ibmcloud.com/vulnerabilities/87285 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2013-5938
https://notcve.org/view.php?id=CVE-2013-5938
Cross-site scripting (XSS) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a confirmation form. Vulnerabilidad XSS en el módulo Click2Sell Suite v6.x-1.x para Drupal permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través de un formulario de confirmación. • http://osvdb.org/97204 http://seclists.org/fulldisclosure/2013/Sep/64 http://www.openwall.com/lists/oss-security/2013/10/21/5 https://drupal.org/node/2087055 https://exchange.xforce.ibmcloud.com/vulnerabilities/87050 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •