CVE-2018-7600 – Drupal Core Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-7600
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. Drupal en versiones anteriores a la 7.58, 8.x anteriores a la 8.3.9, 8.4.x anteriores a la 8.4.6 y 8.5.x anteriores a la 8.5.1 permite que los atacantes remotos ejecuten código arbitrario debido a un problema que afecta a múltiples subsistemas con configuraciones de módulos por defecto o comunes. Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise. • https://www.exploit-db.com/exploits/44482 https://www.exploit-db.com/exploits/44449 https://www.exploit-db.com/exploits/44448 https://github.com/a2u/CVE-2018-7600 https://github.com/pimps/CVE-2018-7600 https://github.com/g0rx/CVE-2018-7600-Drupal-RCE https://github.com/firefart/CVE-2018-7600 https://github.com/r3dxpl0it/CVE-2018-7600 https://github.com/dr-iman/CVE-2018-7600-Drupal-0day-RCE https://github.com/sl4cky/CVE-2018-7600 https://github.com/s • CWE-20: Improper Input Validation •
CVE-2012-5654
https://notcve.org/view.php?id=CVE-2012-5654
The Nodewords: D6 Meta Tags module before 6.x-1.14 for Drupal, when configured to automatically generate description meta tags from node text, does not properly filter node content when creating tags, which might allow remote attackers to obtain sensitive information by reading the (1) description, (2) dc.description or (3) og:description meta tags. El módulo Nodewords: D6 Meta Tags antes de v6.x-1.14 para Drupal, cuando se configura para generar automáticamente las etiquetas meta descripción de texto del nodo, no filtra correctamente el contenido del nodo al crear las etiquetas, lo que podría permitir a atacantes remotos obtener información sensible mediante la lectura de las etiquetas (1) description, (2) dc.description o (3) og:description • http://drupal.org/node/1859208 http://drupal.org/node/1859282 http://www.openwall.com/lists/oss-security/2012/12/20/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2012-4488
https://notcve.org/view.php?id=CVE-2012-4488
The Location module 6.x before 6.x-3.2 and 7.x before 7.x-3.0-alpha1 for Drupal does not properly check user or node access permissions, which allows remote attackers to read node or user results via the location search page. El módulo Location v6.x antes de v6.x-3.2 y v7.x antes de v7.x-3.0-alfa1 para Drupal no comprueba correctamente los permisos de usuario o nodo de acceso, lo que permite a atacantes remotos leer nodos o usuario a través de los resultados de la página de búsqueda de ubicación. • http://drupal.org/node/1699962 http://drupal.org/node/1699984 http://drupal.org/node/1700588 http://www.openwall.com/lists/oss-security/2012/10/04/6 http://www.openwall.com/lists/oss-security/2012/10/07/1 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-5276
https://notcve.org/view.php?id=CVE-2010-5276
The Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal does not properly handle the $user object in memcache_admin, which might "lead to a role change not being recognized until the user logs in again." El módulo Memcache v5.x antes de v5.x-1.10 y v6.x antes de v6.x-1.6 para Drupal, no maneja adecuadamente el objeto $user en memcache_admin, lo que puede "conducir a un cambio de rol no reconocido hasta que el usuario se conecta de nuevo." • http://drupal.org/node/926478 http://drupal.org/node/927016 http://secunia.com/advisories/41663 http://www.vupen.com/english/advisories/2010/2543 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2010-5275
https://notcve.org/view.php?id=CVE-2010-5275
Cross-site scripting (XSS) vulnerability in memcache_admin in the Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en memcache_admin en el módulo Memcache v5.x antes de v5.x-1.10 y v6.x antes de v6.x-1.6 para Drupal, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://drupal.org/node/926478 http://drupal.org/node/927016 http://secunia.com/advisories/41663 http://www.vupen.com/english/advisories/2010/2543 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •