CVE-2015-4345
https://notcve.org/view.php?id=CVE-2015-4345
The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors.
• http://www.openwall.com/lists/oss-security/2015/04/25/6
• http://www.securityfocus.com/bid/72676
• https://www.drupal.org/node/2428855
• https://www.drupal.org/node/2428857
• https://www.drupal.org/node/2428863
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-4344
https://notcve.org/view.php?id=CVE-2015-4344
The Services Basic Authentication module 7.x-1.x through 7.x-1.3 for Drupal allows remote attackers to bypass intended resource restrictions via vectors related to page caching.
• http://www.openwall.com/lists/oss-security/2015/04/25/6
• http://www.securityfocus.com/bid/72677
• https://www.drupal.org/node/2428851
• https://www.drupal.org/node/2444861
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2015-4393
https://notcve.org/view.php?id=CVE-2015-4393
The resource/endpoint for uploading files in the Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote authenticated users with the "Save file information" permission to execute arbitrary code via a crafted filename.
• http://www.openwall.com/lists/oss-security/2015/04/25/6
• http://www.securityfocus.com/bid/74365
• https://www.drupal.org/node/2471847
• https://www.drupal.org/node/2471879
• CWE-20: Improper Input Validation
CVE-2015-2215
https://notcve.org/view.php?id=CVE-2015-2215
Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.
• http://www.securityfocus.com/bid/72803
• https://www.drupal.org/node/2437965
CVE-2014-9335 – DandyID Services <= 1.5.9 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2014-9335
Multiple cross-site request forgery (CSRF) vulnerabilities in the DandyID Services plugin 1.5.9 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) email_address or (2) sidebarTitle parameter in the dandyid-services.php page to wp-admin/options-general.php.
WordPress DandyID Services plugin version 1.5.9 suffers from cross site request forgery and cross site scripting vulnerabilities.
• http://packetstormsecurity.com/files/129575/WordPress-DandyID-Services-ID-1.5.9-CSRF-XSS.html
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99502
• CWE-352: Cross-Site Request Forgery (CSRF)