CVE-2015-2750
https://notcve.org/view.php?id=CVE-2015-2750
Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence. Una vulnerabilidad de redirección abierta en funciones de API relacionadas con URL en Drupal, en las versiones 6.x anteriores a la 6.35 y 7.x anteriores a la 7.35 permite a atacantes remotos redirigir a los usuarios a páginas web arbitrarias y realizar ataques de phishing mediante vectores que incluyan la secuencia inicial "//". • http://cgit.drupalcode.org/drupal/commit/includes/common.inc?h=7.x&id=b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8 http://cgit.drupalcode.org/drupal/commit/includes/menu.inc?h=6.x&id=8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93 http://www.debian.org/security/2015/dsa-3200 http://www.openwall.com/lists/oss-security/2015/03/26/4 http://www.securityfocus.com/bid/73219 https://www.drupal.org/SA-CORE-2015-001 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2015-2749
https://notcve.org/view.php?id=CVE-2015-2749
Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. Una vulnerabilidad de redirección abierta en Drupal en las versiones 6.x anteriores a la 6.35 y 7.x anteriores a la 7.35 permite a atacantes remotos redirigir a los usuarios a páginas web arbitrarias y realizar ataques de phishing mediante una URL en el parámetro destination. • http://cgit.drupalcode.org/drupal/commit/?id=d2304f840c43c190c6e136ee9901ed9797b4c3ca http://www.debian.org/security/2015/dsa-3200 http://www.openwall.com/lists/oss-security/2015/03/26/4 http://www.securityfocus.com/bid/73219 https://bugzilla.redhat.com/show_bug.cgi?id=1204753 https://www.drupal.org/SA-CORE-2015-001 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2015-2559
https://notcve.org/view.php?id=CVE-2015-2559
Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL. Drupal 6.x anterior a 6.35 y 7.x anterior a 7.35 permite a usuarios remotos autenticados reconfigurar la contraseña de otras cuentas mediante el aprovechamiento del mismo hash de contraseña que otra cuenta y una URL de reconfiguración de contraseñas manipulada. • http://www.debian.org/security/2015/dsa-3200 http://www.securityfocus.com/bid/73219 https://www.drupal.org/SA-CORE-2015-001 • CWE-284: Improper Access Control •
CVE-2010-5312 – jquery-ui: XSS vulnerability in jQuery.ui.dialog title option
https://notcve.org/view.php?id=CVE-2010-5312
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option. Vulnerabilidad de XSS en jquery.ui.dialog.js en el widget Dialog en jQuery UI anterior a 1.10.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la opción del título. • http://bugs.jqueryui.com/ticket/6016 http://rhn.redhat.com/errata/RHSA-2015-0442.html http://rhn.redhat.com/errata/RHSA-2015-1462.html http://seclists.org/oss-sec/2014/q4/613 http://seclists.org/oss-sec/2014/q4/616 http://www.debian.org/security/2015/dsa-3249 http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.securityfocus.com/bid/71106 http://www.securitytracker.com/id/1037035 https://exchange.xforce.ibmcloud.com/vulnerabilities/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-9015
https://notcve.org/view.php?id=CVE-2014-9015
Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions. Drupal 6.x anterior a 6.34 y 7.x anterior a 7.34 permite a atacantes remotos secuestrar sesiones a través de una solicitud manipulada, tal y como fue demostrado mediante una solicitud manipulada a un servidor que soporta sesiones tanto de HTTP como de HTTPS. • http://secunia.com/advisories/59164 http://secunia.com/advisories/59814 http://www.debian.org/security/2014/dsa-3075 http://www.openwall.com/lists/oss-security/2014/11/20/21 http://www.openwall.com/lists/oss-security/2014/11/20/3 https://www.drupal.org/SA-CORE-2014-006 • CWE-264: Permissions, Privileges, and Access Controls •