CVSS: 3.6EPSS: 0%CPEs: 11EXPL: 0CVE-2012-5557
https://notcve.org/view.php?id=CVE-2012-5557
The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, does not properly assign roles when there are more than three roles on the site and certain unspecified configurations, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password. El módulo User Read-Only v6.x-1.x antes de v6.x-1.4 y v7.x-1.x antes de v7.x-1.4 para Drupal no asigna roles adecuadamente cuando hay más de tres roles en el sitio y se dan algunas configuraciones no especificadas, lo que podría permitir a usuarios autenticados remotamente ganar privilegios a través de ciertas operaciones, como se demostró con un cambio de contraseña. • http://drupal.org/node/1840038 http://drupal.org/node/1840054 http://drupal.org/node/1840886 http://www.openwall.com/lists/oss-security/2012/11/20/4 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 30EXPL: 0CVE-2012-2084
https://notcve.org/view.php?id=CVE-2012-2084
Cross-site scripting (XSS) vulnerability in the Printer, email and PDF versions module 6.x-1.x before 6.x-1.15 and 7.x-1.x before 7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably the PATH_INFO. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo de impresión, correo electrónico y PDF versiones 6.x-1.x antes de 6.x-1.15 y 7.x-1.x antes 7.x-1.0 para Drupal, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través vectores no especificados, probablemente el PATH_INFO. • http://drupal.org/node/1515060 http://drupal.org/node/1515076 http://drupal.org/node/1515722 http://drupalcode.org/project/print.git/commit/30480e0 http://drupalcode.org/project/print.git/commit/6771c3f http://secunia.com/advisories/48625 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/52896 https://exchange.xforce.ibmcloud.com/vulnerabilities/74611 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 31EXPL: 0CVE-2012-4553
https://notcve.org/view.php?id=CVE-2012-4553
Drupal 7.x before 7.16 allows remote attackers to obtain sensitive information and possibly re-install Drupal and execute arbitrary PHP code via an external database server, related to "transient conditions." Drupal v7.x antes de v7.16 permite a atacantes remotos obtener información sensible y posiblemente reinstalar Drupal y ejecutar código PHP arbitrario a través de un servidor de base de datos externa, relacionado con "las condiciones transitorias". • http://drupal.org/node/1815904 http://drupal.org/node/1815912 http://drupalcode.org/project/drupal.git/commit/b912710 http://www.openwall.com/lists/oss-security/2012/10/29/4 http://www.openwall.com/lists/oss-security/2012/10/30/5 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 19%CPEs: 31EXPL: 0CVE-2012-4554 – Drupal OpenID External Entity Injection
https://notcve.org/view.php?id=CVE-2012-4554
The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file. El módulo OpenID en Drupal v7.x antes de v7.16 permite a servidores OpenID remotos leer archivos arbitrarios mediante una declaración DOCTYPE manipulada en un archivo XRDS. • http://drupal.org/node/1815912 http://drupalcode.org/project/drupal.git/commit/b912710 http://www.openwall.com/lists/oss-security/2012/10/29/4 http://www.openwall.com/lists/oss-security/2012/10/30/5 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 2.1EPSS: 0%CPEs: 19EXPL: 0CVE-2012-4492
https://notcve.org/view.php?id=CVE-2012-4492
Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URLs module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors to the (1) report or (2) Custom Services List page. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Shorten URLs v6.x-1.x antes de v6.x-1.13 y v7.x-1.x antes de v7.x-1.2 para Drupal, permite a usuarios autenticados remotamente inyectar secuencias de comandos web o HTML a través de vectores no especificados en (1) el informe o (2) la página Custom Services List. • http://drupal.org/node/1719392 http://www.openwall.com/lists/oss-security/2012/10/04/6 http://www.openwall.com/lists/oss-security/2012/10/07/1 http://www.securityfocus.com/bid/54911 https://drupal.org/node/1719306 https://drupal.org/node/1719310 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •