CVE-2012-1641
https://notcve.org/view.php?id=CVE-2012-1641
The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finder/import. La función finder_import en el módulo Finder v6.x-1.x anterior a v6.x-1.26, v7.x-1.x, y v7.x-2.x anterior a v7.x-2.0-alpha8 para Drupal permite a usuarios remotos autenticados con permisos de administración del finder ejecutar código PHP arbitrario a través de admin/build/finder/import. • http://drupal.org/node/1432318 http://drupal.org/node/1432320 http://drupalcode.org/project/finder.git/commit/bc0cc82 http://secunia.com/advisories/47915 http://secunia.com/advisories/47943 http://www.madirish.net/content/drupal-finder-6x-19-xss-and-remote-code-execution-vulnerabilities http://www.openwall.com/lists/oss-security/2012/03/16/9 http://www.openwall.com/lists/oss-security/2012/03/19/9 http://www.openwall.com/lists/oss-security/2012/04/07/1 http:/ • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-1635
https://notcve.org/view.php?id=CVE-2012-1635
The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the current user even when it is called to check permissions of other users, which allows remote attackers to bypass intended access restrictions, as demonstrated when using the XML sitemap module to obtain sensitive information about unpublished content. La funcion hook_node_access en el módulo revisioning v7.x-1.x anterior a v7.x-1.3 para Drupal comprueba los permisos del usuario actual, incluso cuando se le llama para comprobar los permisos de otros usuarios, lo que permite a atacantes remotos evitar las restricciones de acceso, como se demuestra cuando se utiliza el módulo XML Sitemap para obtener información sensible acerca del contenido publicado. • http://drupal.org/node/1407456 http://www.openwall.com/lists/oss-security/2012/04/07/1 https://drupal.org/node/1409268 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-2070
https://notcve.org/view.php?id=CVE-2012-2070
Cross-site scripting (XSS) vulnerability in the MultiBlock module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer blocks permission to inject arbitrary web script or HTML via the block title. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en el módulo MultiBlock v6.x-1.x antes de v6.x-1.4 y v7.x v1.x, antes v7.x-1.1 para Drupal permite inyectar secuencias de comandos web o HTML a usuarios remotos autenticados con permiso para administrar los bloques a través del bloque de título. • http://drupal.org/node/1505410 http://drupal.org/node/1505414 http://drupal.org/node/1506390 http://drupalcode.org/project/multiblock.git/commit/2c5177b http://drupalcode.org/project/multiblock.git/commit/aee07d3 http://osvdb.org/80673 http://secunia.com/advisories/48588 http://www.madirish.net/content/drupal-multiblock-6x-13-xss-vulnerability http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/52800 https://exchange.xforce.ibmcloud.c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-2296
https://notcve.org/view.php?id=CVE-2012-2296
The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x. 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a separate vulnerability. El módulo para Drupal The Janrain Engage (formerly RPX) v6.x-1.x. v6.x-2.x antes de v6.x-2.2 y v7.x 2.x antes v7.x-2.2 almacena los datos de perfil de usuario de Engage en las tablas de sesión, lo que podría permitir a atacantes remotos obtener información sensible mediante el aprovechamiento de una vulnerabilidad separada. • http://drupal.org/node/1515114 http://drupal.org/node/1515120 http://drupal.org/node/1515282 http://www.openwall.com/lists/oss-security/2012/04/10/12 http://www.openwall.com/lists/oss-security/2012/05/03/1 http://www.openwall.com/lists/oss-security/2012/05/03/2 https://exchange.xforce.ibmcloud.com/vulnerabilities/74616 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2012-2310
https://notcve.org/view.php?id=CVE-2012-2310
Cross-site scripting (XSS) vulnerability in the cctags module for Drupal 6.x-1.x before 6.x-1.10 and 7.x-1.x before 7.x-1.10 allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo cctags para Drupal v6.x-1.x antes de v6.x-1.10 y v7.x 1.x antes v7.x-1.10 permite a usuarios remotos autenticados con ciertos roles, inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://drupal.org/node/1508098 http://drupal.org/node/1508100 http://drupal.org/node/1558248 http://secunia.com/advisories/49018 http://www.openwall.com/lists/oss-security/2012/05/03/1 http://www.openwall.com/lists/oss-security/2012/05/03/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •