CVE-2012-2153
https://notcve.org/view.php?id=CVE-2012-2153
Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which allows remote authenticated users with the "Access the content overview page" permission to read all published nodes by accessing the admin/content page. Drupal 7.x anterior a 7.14 no restringe el acceso de forma adecuada a nodos en un listado cuando es usado "contributed node access module", lo que permite a usuarios autenticados de forma remota con "Acceso al contenido de la página" con permiso de lectura de nodos publicados accediendo a la página admin/content. • http://drupal.org/drupal-7.14 http://drupal.org/node/1557938 http://drupal.org/node/1558478 http://drupalcode.org/project/drupal.git/commit/c6d2b8311b82fe78d18732f01a68ceca3dea50af http://secunia.com/advisories/49012 http://www.mandriva.com/security/advisories?name=MDVSA-2013:074 http://www.securityfocus.com/bid/53362 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2011-5189
https://notcve.org/view.php?id=CVE-2011-5189
Cross-site scripting (XSS) vulnerability in the Webform Validation module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with permissions to "update Webform nodes" to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Webform Validation v6.x-1.x anterior a v6.x-1.5 y v7.x-1.x anterior a v7.x-1.1 para Drupal, permite a usuarios remotos autenticados con permisos para "actualizar nodos Webform" inyectar secuencias de comandos web o HTML de su elección a través de vectores no especificados. • http://drupal.org/node/1357354 http://drupal.org/node/1357356 http://drupal.org/node/1357360 http://secunia.com/advisories/47035 http://www.osvdb.org/77426 https://exchange.xforce.ibmcloud.com/vulnerabilities/71597 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-1625
https://notcve.org/view.php?id=CVE-2012-1625
Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via unspecified vectors. NOTE: Some of these details are obtained from third party information. Vulnerabilidad de inyección mediante eval en la función fillpdf_form_export_decode en fillpdf.admin.inc en el módulo Fill PDF v6.x-1.x anteriores a v6.x-1.16 y v7.x-1.x anteriores a v7.x-1.2 para Drupal, permite a usuarios remotos autenticados con provilegios administrativos sobre PDFs a ejecutar comandos PHP a través de vectores no especificados. NOTA: alguna de esta información se ha obtenido de terceros. • http://drupal.org/node/1394428 http://osvdb.org/78182 http://secunia.com/advisories/47418 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/51288 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2012-1633
https://notcve.org/view.php?id=CVE-2012-1633
Cross-site request forgery (CSRF) vulnerability in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote attackers to hijack the authentication of administrative users for requests that unblock a user. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el módulo Password Policy anterior a versiones 6.x hasta 1.4 y 7.x hasta 1.0 beta3 para Drupal, permite a los atacantes remotos secuestrar la autenticación de usuarios administrativos para peticiones que desbloqueen a un usuario. • http://drupal.org/node/1401678 http://drupalcode.org/project/password_policy.git/commit/3c688c3b4a3ed96fdc4b89883595633338c7ebb6 http://secunia.com/advisories/47541 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/51385 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2012-1657
https://notcve.org/view.php?id=CVE-2012-1657
Cross-site scripting (XSS) vulnerability in block_class.module in the Block Class module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the class name. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en block_class.module en el módulo Block Class antes de v7.x-1.1 para Drupal, permite a usuarios autenticados remotamente, con algunos permisos, inyectar secuencias de comandos web o HTML a través del nombre de clase. • http://drupal.org/node/1471090 http://drupal.org/node/1471808 http://drupalcode.org/project/block_class.git/commit/9a5205d http://secunia.com/advisories/48298 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.osvdb.org/79851 http://www.securityfocus.com/bid/52341 https://exchange.xforce.ibmcloud.com/vulnerabilities/73776 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •