CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 0CVE-2015-2559
https://notcve.org/view.php?id=CVE-2015-2559
Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL. Drupal 6.x anterior a 6.35 y 7.x anterior a 7.35 permite a usuarios remotos autenticados reconfigurar la contraseña de otras cuentas mediante el aprovechamiento del mismo hash de contraseña que otra cuenta y una URL de reconfiguración de contraseñas manipulada. • http://www.debian.org/security/2015/dsa-3200 http://www.securityfocus.com/bid/73219 https://www.drupal.org/SA-CORE-2015-001 • CWE-284: Improper Access Control •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 1CVE-2010-5312 – jquery-ui: XSS vulnerability in jQuery.ui.dialog title option
https://notcve.org/view.php?id=CVE-2010-5312
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. Vulnerabilidad de XSS en jquery.ui.dialog.js en el widget Dialog en jQuery UI anterior a 1.10.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la opción del título. • http://bugs.jqueryui.com/ticket/6016 http://rhn.redhat.com/errata/RHSA-2015-0442.html http://rhn.redhat.com/errata/RHSA-2015-1462.html http://seclists.org/oss-sec/2014/q4/613 http://seclists.org/oss-sec/2014/q4/616 http://www.debian.org/security/2015/dsa-3249 http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.securityfocus.com/bid/71106 http://www.securitytracker.com/id/1037035 https://exchange.xforce.ibmcloud.com/vulnerabilities/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2014-9015
https://notcve.org/view.php?id=CVE-2014-9015
Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions. Drupal 6.x anterior a 6.34 y 7.x anterior a 7.34 permite a atacantes remotos secuestrar sesiones a través de una solicitud manipulada, tal y como fue demostrado mediante una solicitud manipulada a un servidor que soporta sesiones tanto de HTTP como de HTTPS. • http://secunia.com/advisories/59164 http://secunia.com/advisories/59814 http://www.debian.org/security/2014/dsa-3075 http://www.openwall.com/lists/oss-security/2014/11/20/21 http://www.openwall.com/lists/oss-security/2014/11/20/3 https://www.drupal.org/SA-CORE-2014-006 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 4%CPEs: 3EXPL: 1CVE-2014-9016 – Drupal < 7.34 - Denial of Service
https://notcve.org/view.php?id=CVE-2014-9016
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request. La API del hasheo de contraseñas en Drupal 7.x anterior a 7.34 y el módulo Secure Password Hashes (también conocido como phpass) 6.x-2.x anterior a 6.x-2.1 para Drupal permite a atacantes remotos causar una denegación de servicio (consumo de CPU y memoria) a través de una solicitud manipulada. A vulnerability present in Drupal versions prior to 7.34 and WordPress versions prior to 4.0.1 allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). • https://www.exploit-db.com/exploits/35415 http://secunia.com/advisories/59164 http://secunia.com/advisories/59814 http://www.debian.org/security/2014/dsa-3075 http://www.openwall.com/lists/oss-security/2014/11/20/21 http://www.openwall.com/lists/oss-security/2014/11/20/3 http://www.openwall.com/lists/oss-security/2014/11/21/1 https://www.drupal.org/SA-CORE-2014-006 https://www.drupal.org/node/2378367 https://www.drupal.org/node/2378375 https:/ •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2013-0205
https://notcve.org/view.php?id=CVE-2013-0205
Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en el módulo RESTful Web Services (restws) v7.x-1.x anterior a v7.x-1.2 y v7.x-2.x anterior a v7.x-2.0-alpha4 para Drupal, permite a atacantes remotos secuestrar la autenticación de usuarios de su elección a traves de vectores desconocidos. • http://www.openwall.com/lists/oss-security/2013/01/21/5 https://drupal.org/node/1890212 https://drupal.org/node/1890216 https://drupal.org/node/1890222 • CWE-352: Cross-Site Request Forgery (CSRF) •