CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2010-2472
https://notcve.org/view.php?id=CVE-2010-2472
07 Nov 2019 — Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. El módulo local y los módulos contribuidos dependientes en Drupal versiones 6.x anteriores a 6.16 y versiones 5.x anteri... • https://security-tracker.debian.org/tracker/CVE-2010-2472 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2010-2250
https://notcve.org/view.php?id=CVE-2010-2250
07 Nov 2019 — Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. Drupal versiones 5.x y 6.x anteriores a la versión 6.16, utiliza un valor suministrado por el usuario en la salida durante la instalación del sitio, lo que podría permitir a un atacante crear una URL y realizar un ataque de tipo cross-site scripting • http://www.openwall.com/lists/oss-security/2014/02/12/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2010-2471
https://notcve.org/view.php?id=CVE-2010-2471
06 Nov 2019 — Drupal versions 5.x and 6.x has open redirection Drupal versiones 5.x y 6.x, tiene un redireccionamiento abierto • http://www.openwall.com/lists/oss-security/2014/02/12/8 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2019-11831 – Debian Security Advisory 4445-1
https://notcve.org/view.php?id=CVE-2019-11831
09 May 2019 — The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. El paquete PharStreamWrapper (también conocido como phar-stream-wrapper), versiones 2.x anteriores a 2.1.1 y 3.x anteriores a 3.1.1 para TYPO3, no impide el salto de directorio, lo que permite a los atacantes eludir un mecanismo de prot... • http://www.securityfocus.com/bid/108302 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 218EXPL: 7CVE-2019-11358 – jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
https://notcve.org/view.php?id=CVE-2019-11358
19 Apr 2019 — jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. jQuery, en versiones anteriores a 3.4.0, como es usado en Drupal, Backdrop CMS, y otros productos, maneja mal jQuery.extend(true, {}, ...) debido a la contaminación de Object.prototype. Si un objeto fuente no sanitizado contenía una propi... • https://github.com/isacaya/CVE-2019-11358 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 6.1EPSS: 58%CPEs: 6EXPL: 0CVE-2019-6341 – Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004
https://notcve.org/view.php?id=CVE-2019-6341
26 Mar 2019 — In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. En Drupal 7, en versiones anteriores a la 7.65; Drupal 8.6, en versiones anteriores a la 8.6.13 y Drupal 8.5, en versiones anteriores a la 8.5.14. En ciertas condiciones, el módulo/subsistema File permite que un usuario malicioso suba un archivo q... • https://lists.debian.org/debian-lts-announce/2019/04/msg00003.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-6922 – Files uploaded by anonymous users into a private file system can be accessed by other anonymous users
https://notcve.org/view.php?id=CVE-2017-6922
22 Jan 2019 — In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a pri... • http://www.securityfocus.com/bid/99219 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 9.8EPSS: 77%CPEs: 5EXPL: 1CVE-2019-6339 – PHAR stream wrapper Arbitrary PHP code execution
https://notcve.org/view.php?id=CVE-2019-6339
22 Jan 2019 — In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative per... • https://github.com/Vulnmachines/drupal-cve-2019-6339 • CWE-20: Improper Input Validation •
CVSS: 8.0EPSS: 1%CPEs: 5EXPL: 0CVE-2019-6338 – third-party PEAR Archive_Tar library updates
https://notcve.org/view.php?id=CVE-2019-6338
22 Jan 2019 — In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details Drupal Core, en sus versiones 7.x anteriores a la 7.62, en las 8.6.x anteriores a la 8.6.6 y en las 8.5.x anteriores a la 8.5.9, utiliza la biblioteca "PEAR Archive_Tar" de terceros. Esta biblioteca ha publicado una actualización de seguri... • http://www.securityfocus.com/bid/106706 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 94%CPEs: 6EXPL: 9CVE-2018-7602 – Drupal Core Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-7602
26 Apr 2018 — A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. Existe una vulnerabilidad de ejecución remota de código en múltiples subsistemas de Drupal en v... • https://packetstorm.news/files/id/147380 • CWE-94: Improper Control of Generation of Code ('Code Injection') •