CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2014-1611
https://notcve.org/view.php?id=CVE-2014-1611
Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field. Vulnerabilidad de XSS en el módulo Anonymous Posting 7.x-1.2 y 7.x-1.3 para Drupal permite a atacantes remotos inyectar script Web o HTML arbitrario a través del campo de nombre de contacto. • http://osvdb.org/102126 http://packetstormsecurity.com/files/124803/Drupal-Anonymous-Posting-7.x-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Jan/77 http://secunia.com/advisories/56476 https://drupal.org/node/2173321 https://drupal.org/node/2173437 https://exchange.xforce.ibmcloud.com/vulnerabilities/90526 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 68EXPL: 0CVE-2014-1475
https://notcve.org/view.php?id=CVE-2014-1475
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. El módulo OpenID en Drupal v6.x anterior a v6.30 y v7.x anterior a v7.26 permite a usuarios OpenID remotos autenticarse como otros usuarios a través de vectores no especificados. • http://secunia.com/advisories/56260 http://secunia.com/advisories/56601 http://www.debian.org/security/2014/dsa-2847 http://www.debian.org/security/2014/dsa-2851 http://www.mandriva.com/security/advisories?name=MDVSA-2014:031 http://www.securityfocus.com/bid/64973 https://drupal.org/SA-CORE-2014-001 •
CVSS: 4.0EPSS: 0%CPEs: 33EXPL: 0CVE-2014-1476
https://notcve.org/view.php?id=CVE-2014-1476
The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page. El módulo Taxonomy en Drupal 7.x anteriores a 7.26, cuando es actualizado desde una versión anterior de Drupal, no restringe correctamente el acceso a contenido no publicado, lo cual permite a usuarios no autenticados obtener información sensible a través de una página de listado. • http://secunia.com/advisories/56260 http://www.debian.org/security/2014/dsa-2847 http://www.mandriva.com/security/advisories?name=MDVSA-2014:031 http://www.securityfocus.com/bid/64973 https://drupal.org/SA-CORE-2014-001 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.9EPSS: 0%CPEs: 39EXPL: 0CVE-2013-4445
https://notcve.org/view.php?id=CVE-2013-4445
The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access. La funcionalidad de renderización de json en el módulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para Drupal utiliza el esquema de tokens de Drupal para restringir el acceso a bloques, lo cual facilita a usuarios autenticados remotamente adivinar el token de acceso para un bloque aprovechando el token de un bloque al cual el usuario tiene acceso. • http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html https://drupal.org/node/2112785 https://drupal.org/node/2112791 https://drupal.org/node/2113317 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 1%CPEs: 39EXPL: 0CVE-2013-4446
https://notcve.org/view.php?id=CVE-2013-4446
The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. La función _json_decode en plugins/context_reaction_block.inc en el módulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para Drupal, cuando se utiliza una versión de PHP que no soporta la función json_decode, permite a atacantes remotos ejecutar código PHP arbitrario a través de vectores no especificados relacionados con operaciones Ajax, posiblemente incluyendo una inyección eval. • http://drupalcode.org/project/context.git/commitdiff/63ef4d9 http://drupalcode.org/project/context.git/commitdiff/d7b4afa http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122298.html http://lists.fedoraproject.org/pipermail/package-announce/2013-November/122308.html https://drupal.org/node/2112785 https://drupal.org/node/2112791 https://drupal.org/node/2113317 • CWE-94: Improper Control of Generation of Code ('Code Injection') •