
CVSS: 4.3 | EPSS: 0% | CPEs: 9 | EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in the galleryformatter_field_formatter_view function in galleryformatter.tpl.php in the Gallery formatter module before 7.x-1.2 for Drupal allow remote authenticated users with permissions to create a node or entity to inject arbitrary web script or HTML via the (1) title or (2) alt parameter.

• http://drupal.org/node/1699744
• http://drupal.org/node/1700578
• http://drupalcode.org/project/galleryformatter.git/commitdiff/b0392a1
• http://www.openwall.com/lists/oss-security/2012/10/04/6
• http://www.openwall.com/lists/oss-security/2012/10/07/1
• http://www.securityfocus.com/bid/54674
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.0 | EPSS: 0% | CPEs: 13 | EXPL: 0

The Mime Mail module 6.x-1.x before 6.x-1.1 for Drupal does not properly restrict access to files outside Drupal's publish files directory, which allows remote authenticated users to send arbitrary files as attachments.

• http://drupal.org/node/1719446
• http://drupal.org/node/1719482
• http://drupalcode.org/project/mimemail.git/commitdiff/ae065d1
• http://www.openwall.com/lists/oss-security/2012/10/04/6
• http://www.openwall.com/lists/oss-security/2012/10/07/1
• http://www.securityfocus.com/bid/54914
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

The Monthly Archive by Node Type module 6.x for Drupal does not properly check permissions defined by node_access modules, which allows remote attackers to access restricted nodes via unspecified vectors.

• http://drupal.org/node/1708198
• http://www.openwall.com/lists/oss-security/2012/10/04/6
• http://www.openwall.com/lists/oss-security/2012/10/07/1
• http://www.securityfocus.com/bid/54768
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 3.5 | EPSS: 0% | CPEs: 8 | EXPL: 0

The Announcements module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the "access announcements" permission to bypass node access restrictions and possibly have other unspecified impact.

• http://drupal.org/node/1761038
• http://drupal.org/node/1762480
• http://www.openwall.com/lists/oss-security/2012/10/04/6
• http://www.openwall.com/lists/oss-security/2012/10/07/1
• http://www.securityfocus.com/bid/55283
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 2.1 | EPSS: 0% | CPEs: 19 | EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URLs module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors to the (1) report or (2) Custom Services List page.

• http://drupal.org/node/1719392
• http://www.openwall.com/lists/oss-security/2012/10/04/6
• http://www.openwall.com/lists/oss-security/2012/10/07/1
• http://www.securityfocus.com/bid/54911
• https://drupal.org/node/1719306
• https://drupal.org/node/1719310
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')