CVSS: 6.1EPSS: 0%CPEs: 96EXPL: 0CVE-2015-2750 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2015-2750
31 Mar 2015 — Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence. Una vulnerabilidad de redirección abierta en funciones de API relacionadas con URL en Drupal, en las versiones 6.x anteriores a la 6.35 y 7.x anteriores a la 7.35 permite a atacantes remotos redirigir a los usuarios a páginas web arbitrarias y realizar ataques de ph... • http://cgit.drupalcode.org/drupal/commit/includes/common.inc?h=7.x&id=b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 96EXPL: 0CVE-2015-2749 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2015-2749
31 Mar 2015 — Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. Una vulnerabilidad de redirección abierta en Drupal en las versiones 6.x anteriores a la 6.35 y 7.x anteriores a la 7.35 permite a atacantes remotos redirigir a los usuarios a páginas web arbitrarias y realizar ataques de phishing mediante una URL en el parámetro destination. Updated drupal packages fix... • http://cgit.drupalcode.org/drupal/commit/?id=d2304f840c43c190c6e136ee9901ed9797b4c3ca • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-2559 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2015-2559
23 Mar 2015 — Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL. Drupal 6.x anterior a 6.35 y 7.x anterior a 7.35 permite a usuarios remotos autenticados reconfigurar la contraseña de otras cuentas mediante el aprovechamiento del mismo hash de contraseña que otra cuenta y una URL de reconfiguración de contraseñas manipulada. Multiple vulnerabilities ha... • http://www.debian.org/security/2015/dsa-3200 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2014-9015 – Debian Security Advisory 3075-1
https://notcve.org/view.php?id=CVE-2014-9015
20 Nov 2014 — Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions. Drupal 6.x anterior a 6.34 y 7.x anterior a 7.34 permite a atacantes remotos secuestrar sesiones a través de una solicitud manipulada, tal y como fue demostrado mediante una solicitud manipulada a un servidor que soporta sesiones tanto de HTTP como de HTTPS. Two vulnerabilities were discovered in Drupal, a fu... • http://secunia.com/advisories/59164 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 88EXPL: 0CVE-2014-5267
https://notcve.org/view.php?id=CVE-2014-5267
30 Sep 2014 — modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document. modules/openid/xrds.inc en Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31 permite a atacantes remotos tener un impacto no especificado a través de una declaración DOCTYPE manipulada en un documento XRDS. • http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 17%CPEs: 122EXPL: 0CVE-2014-5265 – WordPress Core < 3.9.2 - Denial of Service via XML
https://notcve.org/view.php?id=CVE-2014-5265
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. La librería Incutio XML-RPC (IXR), utilizada en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.... • http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 89%CPEs: 122EXPL: 1CVE-2014-5266 – WordPress Core < 3.9.2 - Denial of Service via XML #2
https://notcve.org/view.php?id=CVE-2014-5266
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. La libraría Incutio XML-RPC (IXR) , utilizado en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31, no limita el número de elementos en un documento XML, lo que per... • https://packetstorm.news/files/id/180506 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.4EPSS: 0%CPEs: 86EXPL: 0CVE-2014-5021 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5021
22 Jul 2014 — Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label. Vulnerabilidad de XSS en la API Form en Drupal 6.x anterior a 6.32 y posiblemente 7.x anterior a 7.29 permite a usuarios remotos autenticados con el permiso 'administrar taxonomía' inyectar secuencias de comandos web o HTML arbitrarios a través de una etique... • http://www.debian.org/security/2014/dsa-2983 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 86EXPL: 0CVE-2014-5019 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5019
22 Jul 2014 — The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use. La funcionalidad múltisitios en Drupal 6.x anterior a 6.32 y 7.x anterior a 7.29 permite a atacantes remotos causar una denegación de servicio a través de una cabecera HTTP Host manipulada, relacionado con determinar qué fichero de configuración utilizar. Updated drupal packages fix multiple security v... • http://www.debian.org/security/2014/dsa-2983 • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2983 – Debian Security Advisory 2913-1
https://notcve.org/view.php?id=CVE-2014-2983
23 Apr 2014 — Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. Drupal 6.x anterior a 6.31 y 7.x anterior a 7.27 no aísla debidamente los datos en caché de usuarios anónimos diferentes, lo que permite a usuarios remotos anónimos obtener información sensible de entradas de formularios parciales en situaciones oportunista... • http://www.debian.org/security/2014/dsa-2913 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •