CVE-2008-6533
https://notcve.org/view.php?id=CVE-2008-6533
Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. Drupal v5.x anterior a v5.13 y v6.x anterior a v6.7 no borra el contenido relacionado cuando un formato de entrada es eliminado, lo que evita que se filtre adecuadamente y permita a atacantes remotos llevar a cabo ataques de ejecución de secuencias de comandos en sitios cruzados (XSS) a través de vectores no especificados. • http://drupal.org/node/345441 http://secunia.com/advisories/33112 http://secunia.com/advisories/33147 http://www.osvdb.org/50662 http://www.vupen.com/english/advisories/2008/3414 https://exchange.xforce.ibmcloud.com/vulnerabilities/47259 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00740.html https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00767.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-6532
https://notcve.org/view.php?id=CVE-2008-6532
Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database. Vulnerabilidad múltiple de falsificación de petición en sitios cruzados - CSRF - en la característica de actualización en Drupal v5.x anteriores a v5.13 y v6.x anteriores a v6.7, permiten a los atacantes remotos desarrollar acciones no autorizadas como el superusuarío a través de vectores no especificados, como se ha demostrado por provocación del superusuario la "ejecución de antiguas actualizaciones" que modifican la base de datos. • http://drupal.org/node/345441 http://secunia.com/advisories/33112 http://secunia.com/advisories/33147 http://www.osvdb.org/50661 http://www.vupen.com/english/advisories/2008/3414 https://exchange.xforce.ibmcloud.com/vulnerabilities/47260 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00740.html https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00767.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2008-6170
https://notcve.org/view.php?id=CVE-2008-6170
Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados(XSS) en Drupal v5.x anterior a v5.12 v6.x anterior a v6.6, lo que permite a usuarios remotos autenticados con permisos para crear contenidos de libros o editar la jerarquía de nodos de los libros inyectar secuencias de comandos web o HTML a través de la pagina de titulo del libro. • http://drupal.org/node/324824 http://secunia.com/advisories/32297 http://secunia.com/advisories/32441 http://www.securityfocus.com/bid/31882 http://www.vupen.com/english/advisories/2008/2913 https://exchange.xforce.ibmcloud.com/vulnerabilities/46052 https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00783.html https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00826.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-6171
https://notcve.org/view.php?id=CVE-2008-6171
includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the HTTP Host header. El archivo includes/bootstrap.inc en Drupal versiones 5.x anterior a 5.12 y versiones 6.x anterior a 6.6, cuando el servidor está configurado para "IP-based virtual hosts," permite a los atacantes remotos incluir y ejecutar archivos arbitrarios por medio del encabezado Host de HTTP. • http://drupal.org/files/sa-2008-067/SA-2008-067-5.11.patch http://drupal.org/node/324824 http://secunia.com/advisories/32389 http://secunia.com/advisories/32441 http://www.securityfocus.com/bid/31900 http://www.vupen.com/english/advisories/2008/2913 https://exchange.xforce.ibmcloud.com/vulnerabilities/46049 https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00783.html https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00826.html • CWE-16: Configuration CWE-20: Improper Input Validation •
CVE-2009-0603
https://notcve.org/view.php?id=CVE-2009-0603
Cross-site scripting (XSS) vulnerability in index.php in the Link module 5.x-2.5 for Drupal 5.10 allows remote authenticated users, with "administer content types" privileges, to inject arbitrary web script or HTML via the description parameter (aka the Help field). NOTE: some of these details are obtained from third party information. Una vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados(XSS) en index.php en el módulo Link 5.x-2.5 para Drupal 5.10 permite inyectar, a los usuarios remotos autenticados (con privilegios para "administrar los tipos de contenido"), HTML o scripts Web arbitrarios a través del parámetro descripción (alias el campo Help). NOTA: Algunos de estos detalles se obtienen a partir de información de terceros. • http://archives.neohapsis.com/archives/fulldisclosure/2009-02/0036.html http://osvdb.org/51780 http://secunia.com/advisories/33835 http://www.securityfocus.com/bid/33642 https://exchange.xforce.ibmcloud.com/vulnerabilities/48553 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •