CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-9861
https://notcve.org/view.php?id=CVE-2018-9861
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element. Vulnerabilidad Cross-Site Scripting (XSS) en el plugin Enhanced Image (también conocido como image2) para CKEditor (de la versión 4.5.10 a la 4.9.1; solucionado en la versión 4.9.2), tal y como se emplea en Drupal 8 en versiones anteriores a la 8.4.7 y versiones 8.5.x anteriores a la 8.5.2 y en otros productos, permite que atacantes remotos inyecten scripts web arbitrarios mediante un elemento IMG manipulado. • http://www.securityfocus.com/bid/103924 https://github.com/ckeditor/ckeditor-dev/blob/master/CHANGES.md https://www.drupal.org/sa-core-2018-003 https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 2CVE-2018-9205 – Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure
https://notcve.org/view.php?id=CVE-2018-9205
Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesn't verify users or sanitize the file path. Vulnerabilidad en avatar_uploader v7.x-1.0-beta8 en la que el código en view.php no verifica usuarios o sanea la ruta del archivo. • https://www.exploit-db.com/exploits/44501 http://www.vapidlabs.com/advisory.php?v=202 https://www.drupal.org/project/avatar_uploader https://www.drupal.org/project/avatar_uploader/issues/2957966 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 2%CPEs: 7EXPL: 0CVE-2014-5170
https://notcve.org/view.php?id=CVE-2014-5170
The Storage API module 7.x before 7.x-1.6 for Drupal might allow remote attackers to execute arbitrary code by leveraging failure to update .htaccess file contents after SA-CORE-2013-003. El módulo API Storage, en versiones 7.x anteriores a la 7.x-1.6 para Drupal podría permitir que atacantes remotos ejecuten código arbitrario aprovechando el error a la hora de actualizar el contenido del archivo .htaccess tras SA-CORE-2013-003. • http://www.openwall.com/lists/oss-security/2014/07/31/4 https://exchange.xforce.ibmcloud.com/vulnerabilities/95054 https://www.drupal.org/node/2312655 https://www.drupal.org/node/2312769 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 97%CPEs: 7EXPL: 27CVE-2018-7600 – Drupal Core Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-7600
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. Drupal en versiones anteriores a la 7.58, 8.x anteriores a la 8.3.9, 8.4.x anteriores a la 8.4.6 y 8.5.x anteriores a la 8.5.1 permite que los atacantes remotos ejecuten código arbitrario debido a un problema que afecta a múltiples subsistemas con configuraciones de módulos por defecto o comunes. Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise. • https://www.exploit-db.com/exploits/44482 https://www.exploit-db.com/exploits/44449 https://www.exploit-db.com/exploits/44448 https://github.com/a2u/CVE-2018-7600 https://github.com/pimps/CVE-2018-7600 https://github.com/g0rx/CVE-2018-7600-Drupal-RCE https://github.com/firefart/CVE-2018-7600 https://github.com/r3dxpl0it/CVE-2018-7600 https://github.com/dr-iman/CVE-2018-7600-Drupal-0day-RCE https://github.com/sl4cky/CVE-2018-7600 https://github.com/s • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6926
https://notcve.org/view.php?id=CVE-2017-6926
In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments. En las versiones 8.4.x de Drupal anteriores a la 8.4.5, los usuarios con permisos para publicar comentarios pueden ver contenido y comentarios a los que no tienen acceso y, además, también pueden añadir comentarios en estos contenidos. Esta vulnerabilidad se mitiga por el hecho de que el sistema de comentarios debe estar activado y el atacante debe tener permiso para publicar comentarios. • https://www.drupal.org/sa-core-2018-001 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •