CVE-2008-3661
https://notcve.org/view.php?id=CVE-2008-3661
Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
References:
  http://int21.de/cve/CVE-2008-3661-drupal.html
  http://www.securityfocus.com/archive/1/496575/100/0/threaded
  http://www.securityfocus.com/bid/31285
  https://exchange.xforce.ibmcloud.com/vulnerabilities/45298
CVE-2008-4147
https://notcve.org/view.php?id=CVE-2008-4147
Cross-site scripting (XSS) vulnerability in the Mailsave module 5.x before 5.x-3.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an attached file that has a modified Content-Type.
References:
  http://drupal.org/node/309802
  http://secunia.com/advisories/31889
  http://www.securityfocus.com/bid/31232
  http://www.vupen.com/english/advisories/2008/2617
  https://exchange.xforce.ibmcloud.com/vulnerabilities/45212
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4149
https://notcve.org/view.php?id=CVE-2008-4149
Cross-site scripting (XSS) vulnerability in the Greg Holsclaw Link to Us module 5.x before 5.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link page header" field.
References:
  http://drupal.org/node/309861
  http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064527.html
  http://secunia.com/advisories/31914
  http://www.securityfocus.com/bid/31224
  http://www.vupen.com/english/advisories/2008/2618
  https://exchange.xforce.ibmcloud.com/vulnerabilities/45221
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-4153
https://notcve.org/view.php?id=CVE-2008-4153
The Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, does not perform access checks for a node before displaying comments, which allows remote attackers to obtain sensitive information.
References:
  http://drupal.org/node/309758
  http://secunia.com/advisories/31908
  http://www.securityfocus.com/bid/31236
  http://www.vupen.com/english/advisories/2008/2615
  https://exchange.xforce.ibmcloud.com/vulnerabilities/45223
Weakness: CWE-264: Permissions, Privileges, and Access Controls
CVE-2008-4148
https://notcve.org/view.php?id=CVE-2008-4148
SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API.
References:
  http://drupal.org/node/309769
  http://secunia.com/advisories/31877
  http://www.securityfocus.com/bid/31230
  http://www.vupen.com/english/advisories/2008/2616
  https://exchange.xforce.ibmcloud.com/vulnerabilities/45216
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')