CVE-2015-2559 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2015-2559
23 Mar 2015 — Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL. Multiple vulnerabilities ha... • http://www.debian.org/security/2015/dsa-3200 • CWE-284: Improper Access Control
CVE-2014-9015 – Debian Security Advisory 3075-1
https://notcve.org/view.php?id=CVE-2014-9015
20 Nov 2014 — Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions. Two vulnerabilities were discovered in Drupal, a fu... • http://secunia.com/advisories/59164 • CWE-264: Permissions, Privileges, and Access Controls
CVE-2014-5267
https://notcve.org/view.php?id=CVE-2014-5267
30 Sep 2014 — modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document. • http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830 • CWE-264: Permissions, Privileges, and Access Controls
CVE-2014-5265 – WordPress Core < 3.9.2 - Denial of Service via XML
https://notcve.org/view.php?id=CVE-2014-5265
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. • http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830 • CWE-399: Resource Management Errors • CWE-400: Uncontrolled Resource Consumption
CVE-2014-5266 – WordPress Core < 3.9.2 - Denial of Service via XML #2
https://notcve.org/view.php?id=CVE-2014-5266
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. • https://packetstorm.news/files/id/180506 • CWE-399: Resource Management Errors • CWE-400: Uncontrolled Resource Consumption
CVE-2014-5021 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5021
22 Jul 2014 — Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label. • http://www.debian.org/security/2014/dsa-2983 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-5019 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5019
22 Jul 2014 — The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use. Updated drupal packages fix multiple security v... • http://www.debian.org/security/2014/dsa-2983 • CWE-20: Improper Input Validation
CVE-2014-2983 – Debian Security Advisory 2913-1
https://notcve.org/view.php?id=CVE-2014-2983
23 Apr 2014 — Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. • http://www.debian.org/security/2014/dsa-2913 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2014-1475 – Debian Security Advisory 2847-1
https://notcve.org/view.php?id=CVE-2014-1475
21 Jan 2014 — The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. The Taxonomy module in Drupal 7.x befor... • http://secunia.com/advisories/56260
CVE-2013-6385 – Debian Security Advisory 2828-1
https://notcve.org/view.php?id=CVE-2013-6385
27 Nov 2013 — The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. • http://secunia.com/advisories/56148 • CWE-94: Improper Control of Generation of Code ('Code Injection')