CVE-2013-4230
https://notcve.org/view.php?id=CVE-2013-4230
The mm_webform submodule in the Monster Menus module 6.x-6.x before 6.x-6.61 and 7.x-1.x before 7.x-1.13 for Drupal does not properly restrict access to webform submissions, which allows remote authenticated users with the "Who can read data submitted to this webform" permission to delete arbitrary submissions via unspecified vectors. El submodulo mm_webform en el modulo Monster Menus v6.x-6.x anterior a v6.x-6.61 y v7.x-1.x anterior a v7.x-1.13 para Drupal no restringe adecuadamente el acceso a envíos en formularios web, lo que permite a usuarios remotos autenticados con el permiso "Who can read data submitted to this webform" eliminar envíos arbitrarios mediante vectores no especificados. • http://secunia.com/advisories/54391 http://www.openwall.com/lists/oss-security/2013/08/10/1 http://www.securityfocus.com/bid/61711 https://drupal.org/node/2059805 https://drupal.org/node/2059807 https://drupal.org/node/2059823 https://exchange.xforce.ibmcloud.com/vulnerabilities/86326 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-4229
https://notcve.org/view.php?id=CVE-2013-4229
Cross-site scripting (XSS) vulnerability in the Monster Menus module 7.x-1.x before 7.x-1.12 for Drupal allows remote authenticated users with permissions to add pages to inject arbitrary web script or HTML via a title in the page settings. Vulnerabilidad Cross-site scripting (XSS) en el modulo Monster Menus v7.x-1.x anterior a v7.x-1.12 para Drupal permite a los usuarios remotos autenticados con permisos para añadir páginas, inyectar secuencias de comandos web o HTML a través de un título en la página de configuración. • http://drupalcode.org/project/monster_menus.git/blobdiff/4841dcb4e36bdc74efe4ae2459637029df929940..4adcb6b:/mm_static.inc http://secunia.com/advisories/54391 http://www.openwall.com/lists/oss-security/2013/08/10/1 http://www.securityfocus.com/bid/61710 https://drupal.org/node/2059789 https://drupal.org/node/2059823 https://exchange.xforce.ibmcloud.com/vulnerabilities/86327 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-0246
https://notcve.org/view.php?id=CVE-2013-0246
The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors. El módulo Image en Drupal v7.x anterior a v7.19, cuando un sistema de ficheros privado es utilizado, no restringe adecuadamente el acceso a imágenes derivadas, lo que permite a atacantes remotos leer imágenes derivadas de imágenes restringidas a través de vectores no especificados. • http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html http://seclists.org/fulldisclosure/2013/Jan/120 http://seclists.org/oss-sec/2013/q1/211 http://secunia.com/advisories/51717 https://drupal.org/SA-CORE-2013-001 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-0245
https://notcve.org/view.php?id=CVE-2013-0245
The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors. La versión amigable de la funcionalidad de impresión del módulo Book para Drupal no restringe adecuadamente el acceso al nodo del que es parte del esquema del módulo Book, lo que permite a usuarios autenticados remotamente con acceso a esta aplicación, permiso de lectura sobre los títulos y posiblemente al contenido del nodo a través de vectores no especificados. • http://osvdb.org/89305 http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html http://seclists.org/fulldisclosure/2013/Jan/120 http://seclists.org/oss-sec/2013/q1/211 http://secunia.com/advisories/51717 http://www.debian.org/security/2013/dsa-2776 https://drupal.org/SA-CORE-2013-001 https://exchange.xforce.ibmcloud.com/vulnerabilities/81380 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-6574
https://notcve.org/view.php?id=CVE-2012-6574
Cross-site scripting (XSS) vulnerability in the Fonecta verify module 7.x-1.x before 7.x-1.6 for Drupal allows remote attackers from certain sources to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad XSS en el módulo Fonecta verify 7.x-1.x anterior a 7.x-1.6 para Drupal, lo que permite a atacantes remotos desde diferentes orígenes inyectar secuencias de comandos web o HTML arbitrarias a través de vectores no especificados. • http://www.securityfocus.com/bid/55614 https://drupal.org/node/1778782 https://drupal.org/node/1789258 https://exchange.xforce.ibmcloud.com/vulnerabilities/78699 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •