CVSS: 4.3EPSS: 0%CPEs: 35EXPL: 0CVE-2013-0246
https://notcve.org/view.php?id=CVE-2013-0246
The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors. El módulo Image en Drupal v7.x anterior a v7.19, cuando un sistema de ficheros privado es utilizado, no restringe adecuadamente el acceso a imágenes derivadas, lo que permite a atacantes remotos leer imágenes derivadas de imágenes restringidas a través de vectores no especificados. • http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html http://seclists.org/fulldisclosure/2013/Jan/120 http://seclists.org/oss-sec/2013/q1/211 http://secunia.com/advisories/51717 https://drupal.org/SA-CORE-2013-001 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 36EXPL: 0CVE-2013-0316
https://notcve.org/view.php?id=CVE-2013-0316
The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests. El módulo Image en Drupal v7.x antes v7.20 permite a atacantes remotos provocar una denegación de servicio (CPU y el consumo de espacio en disco) a través de un gran número de nuevas solicitudes derivantes . • http://drupal.org/SA-CORE-2013-002 http://www.openwall.com/lists/oss-security/2013/02/21/5 • CWE-399: Resource Management Errors •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2013-0205
https://notcve.org/view.php?id=CVE-2013-0205
Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en el módulo RESTful Web Services (restws) v7.x-1.x anterior a v7.x-1.2 y v7.x-2.x anterior a v7.x-2.0-alpha4 para Drupal, permite a atacantes remotos secuestrar la autenticación de usuarios de su elección a traves de vectores desconocidos. • http://www.openwall.com/lists/oss-security/2013/01/21/5 https://drupal.org/node/1890212 https://drupal.org/node/1890216 https://drupal.org/node/1890222 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 0%CPEs: 70EXPL: 0CVE-2012-5651
https://notcve.org/view.php?id=CVE-2012-5651
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results. Drupal v6.x antes de v6.27 y v7.x antes de v7.18 muestra información a los usuarios bloqueados, lo que podría permitir a atacantes remotos obtener información sensible mediante la lectura de los resultados de búsqueda. • http://drupal.org/SA-CORE-2012-004 http://drupalcode.org/project/drupal.git/commitdiff/b47f95d http://drupalcode.org/project/drupal.git/commitdiff/da8023a http://www.debian.org/security/2013/dsa-2776 http://www.mandriva.com/security/advisories?name=MDVSA-2013:074 http://www.openwall.com/lists/oss-security/2012/12/20/1 http://www.osvdb.org/88528 http://www.securityfocus.com/bid/56993 https://exchange.xforce.ibmcloud.com/vulnerabilities/80792 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.0EPSS: 1%CPEs: 72EXPL: 2CVE-2012-5653
https://notcve.org/view.php?id=CVE-2012-5653
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name. La característica de carga de archivos en Drupal v6.x antes de v6.27 y v7.x antes de v7.18 permite a usuarios remotos autenticados eludir el mecanismo de protección y ejecutar código PHP arbitrario a través de un byte nulo en un nombre de archivo. • http://drupal.org/SA-CORE-2012-004 http://drupalcode.org/project/drupal.git/commitdiff/b47f95d http://drupalcode.org/project/drupal.git/commitdiff/da8023a http://osvdb.org/88529 http://www.debian.org/security/2013/dsa-2776 http://www.mandriva.com/security/advisories?name=MDVSA-2013:074 http://www.openwall.com/lists/oss-security/2012/12/20/1 http://www.securityfocus.com/bid/56993 https://exchange.xforce.ibmcloud.com/vulnerabilities/80795 • CWE-20: Improper Input Validation •