CVE-2012-1657
https://notcve.org/view.php?id=CVE-2012-1657
Cross-site scripting (XSS) vulnerability in block_class.module in the Block Class module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the class name.
References:
http://drupal.org/node/1471090
http://drupal.org/node/1471808
http://drupalcode.org/project/block_class.git/commit/9a5205d
http://secunia.com/advisories/48298
http://www.openwall.com/lists/oss-security/2012/04/07/1
http://www.osvdb.org/79851
http://www.securityfocus.com/bid/52341
https://exchange.xforce.ibmcloud.com/vulnerabilities/73776
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2067
https://notcve.org/view.php?id=CVE-2012-2067
Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information.
References:
http://drupal.org/node/1482442
http://drupal.org/node/1482466
http://drupal.org/node/1482480
http://drupal.org/node/1482528
http://secunia.com/advisories/48435
http://www.openwall.com/lists/oss-security/2012/04/07/1
http://www.osvdb.org/80080
https://exchange.xforce.ibmcloud.com/vulnerabilities/74037
CVE-2012-2066
https://notcve.org/view.php?id=CVE-2012-2066
Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References:
http://drupal.org/node/1482442
http://drupal.org/node/1482466
http://drupal.org/node/1482480
http://drupal.org/node/1482528
http://secunia.com/advisories/48435
http://www.openwall.com/lists/oss-security/2012/04/07/1
http://www.osvdb.org/80079
https://exchange.xforce.ibmcloud.com/vulnerabilities/74036
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1641
https://notcve.org/view.php?id=CVE-2012-1641
The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finder/import.
References:
http://drupal.org/node/1432318
http://drupal.org/node/1432320
http://drupalcode.org/project/finder.git/commit/bc0cc82
http://secunia.com/advisories/47915
http://secunia.com/advisories/47943
http://www.madirish.net/content/drupal-finder-6x-19-xss-and-remote-code-execution-vulnerabilities
http://www.openwall.com/lists/oss-security/2012/03/16/9
http://www.openwall.com/lists/oss-security/2012/03/19/9
http://www.openwall.com/lists/oss-security/2012/04/07/1
http:/
CWE-264: Permissions, Privileges, and Access Controls
CVE-2012-2296
https://notcve.org/view.php?id=CVE-2012-2296
The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x, 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a separate vulnerability.
References:
http://drupal.org/node/1515114
http://drupal.org/node/1515120
http://drupal.org/node/1515282
http://www.openwall.com/lists/oss-security/2012/04/10/12
http://www.openwall.com/lists/oss-security/2012/05/03/1
http://www.openwall.com/lists/oss-security/2012/05/03/2
https://exchange.xforce.ibmcloud.com/vulnerabilities/74616
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor