CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2008-3745
https://notcve.org/view.php?id=CVE-2008-3745
The Upload module in Drupal 6.x before 6.4 allows remote authenticated users to edit nodes, delete files, and download unauthorized attachments via unspecified vectors. El módulo Upload en Drupal 6.x anterior a 6.4, permite a usuarios autenticados en remoto editar nodos, eliminar ficheros y descargar adjuntos no autorizados a través de vectores no especificados. • http://drupal.org/node/295053 http://secunia.com/advisories/31825 http://www.securityfocus.com/bid/30689 http://www.vupen.com/english/advisories/2008/2392 https://bugzilla.redhat.com/show_bug.cgi?id=459108 https://exchange.xforce.ibmcloud.com/vulnerabilities/44458 https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 3.5EPSS: 0%CPEs: 14EXPL: 0CVE-2008-3741
https://notcve.org/view.php?id=CVE-2008-3741
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML. El filesystem privado de Drupal 5.x versiones anteriores a la 5.10 y 6.x versiones anteriores a la 6.4, confía en el tipo MIME enviado por el navegador, lo cual permite a los usuarios remotos autenticados dirigir ataques de secuencias de comandos en sitios cruzados (XSS) subiendo ficheros que contienen arbitrariamente secuencias de comandos web o HTML. • http://drupal.org/node/295053 http://secunia.com/advisories/31462 http://secunia.com/advisories/31825 http://www.securityfocus.com/bid/30689 http://www.vupen.com/english/advisories/2008/2392 https://bugzilla.redhat.com/show_bug.cgi?id=459108 https://exchange.xforce.ibmcloud.com/vulnerabilities/44446 https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2008-3743
https://notcve.org/view.php?id=CVE-2008-3743
Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en forms de Drupal 6.x antes de 6.4 permiten a atacantes remotos realizar acciones no especificadas mediante vectores desconocidos, relacionados a validaciones de testigo (token) incorrectas para (1) cached forms y (2) forms con elementos AHAH. • http://drupal.org/node/295053 http://secunia.com/advisories/31462 http://secunia.com/advisories/31825 http://www.securityfocus.com/bid/30689 http://www.vupen.com/english/advisories/2008/2392 https://bugzilla.redhat.com/show_bug.cgi?id=459108 https://exchange.xforce.ibmcloud.com/vulnerabilities/44453 https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 0CVE-2008-3740
https://notcve.org/view.php?id=CVE-2008-3740
Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el filtro de salida de Drupal 5.x anterior a 5.10 y 6.x anterior a 6.4, permite a atacantes remotos inyectar secuencias de comandos Web o HTML de su elección a través de vectores no especificados. • http://drupal.org/node/295053 http://secunia.com/advisories/31462 http://secunia.com/advisories/31825 http://www.securityfocus.com/bid/30689 http://www.vupen.com/english/advisories/2008/2392 https://bugzilla.redhat.com/show_bug.cgi?id=459108 https://exchange.xforce.ibmcloud.com/vulnerabilities/44445 https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •