CVE-2012-1625
https://notcve.org/view.php?id=CVE-2012-1625
Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via unspecified vectors. NOTE: Some of these details are obtained from third party information.
• http://drupal.org/node/1394428
• http://osvdb.org/78182
• http://secunia.com/advisories/47418
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.securityfocus.com/bid/51288
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2012-1632
https://notcve.org/view.php?id=CVE-2012-1632
Cross-site scripting (XSS) vulnerability in password_policy.admin.inc in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote authenticated users with administer policies permissions to inject arbitrary web script or HTML via the name parameter.
• http://drupal.org/node/1401678
• http://drupalcode.org/project/password_policy.git/commit/3c688c3b4a3ed96fdc4b89883595633338c7ebb6
• http://secunia.com/advisories/47541
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.securityfocus.com/bid/51385
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1633
https://notcve.org/view.php?id=CVE-2012-1633
Cross-site request forgery (CSRF) vulnerability in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote attackers to hijack the authentication of administrative users for requests that unblock a user.
• http://drupal.org/node/1401678
• http://drupalcode.org/project/password_policy.git/commit/3c688c3b4a3ed96fdc4b89883595633338c7ebb6
• http://secunia.com/advisories/47541
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.securityfocus.com/bid/51385
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2012-1657
https://notcve.org/view.php?id=CVE-2012-1657
Cross-site scripting (XSS) vulnerability in block_class.module in the Block Class module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the class name.
• http://drupal.org/node/1471090
• http://drupal.org/node/1471808
• http://drupalcode.org/project/block_class.git/commit/9a5205d
• http://secunia.com/advisories/48298
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.osvdb.org/79851
• http://www.securityfocus.com/bid/52341
• https://exchange.xforce.ibmcloud.com/vulnerabilities/73776
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2063
https://notcve.org/view.php?id=CVE-2012-2063
The Slidebox module before 7.x-1.4 for Drupal does not properly check permissions, which allows remote attackers to obtain sensitive information via unspecified vectors.
• http://drupal.org/node/1482166
• http://drupal.org/node/1482342
• http://drupalcode.org/project/slidebox.git/commit/3dae144
• http://secunia.com/advisories/48360
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.securityfocus.com/bid/52500
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74067
• CWE-264: Permissions, Privileges, and Access Controls