
CVSS: 5.0 • EPSS: 0% • CPEs: 10 • EXPL: 0

The Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote attackers to bypass the field_access restriction and obtain sensitive private field information via unspecified vectors.
• http://www.openwall.com/lists/oss-security/2015/04/25/6
• http://www.securityfocus.com/bid/74365
• https://www.drupal.org/node/2471847
• https://www.drupal.org/node/2471879
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 6.0 • EPSS: 0% • CPEs: 11 • EXPL: 0

The resource/endpoint for uploading files in the Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote authenticated users with the "Save file information" permission to execute arbitrary code via a crafted filename.
• http://www.openwall.com/lists/oss-security/2015/04/25/6
• http://www.securityfocus.com/bid/74365
• https://www.drupal.org/node/2471847
• https://www.drupal.org/node/2471879
• CWE-20: Improper Input Validation

CVSS: 5.0 • EPSS: 0% • CPEs: 8 • EXPL: 0

The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors.
• http://www.openwall.com/lists/oss-security/2015/04/25/6
• http://www.securityfocus.com/bid/72676
• https://www.drupal.org/node/2428855
• https://www.drupal.org/node/2428857
• https://www.drupal.org/node/2428863
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.
• http://www.securityfocus.com/bid/72803
• https://www.drupal.org/node/2437965

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

Multiple cross-site request forgery (CSRF) vulnerabilities in the DandyID Services plugin 1.5.9 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) email_address or (2) sidebarTitle parameter in the dandyid-services.php page to wp-admin/options-general.php. WordPress DandyID Services plugin version 1.5.9 suffers from cross site request forgery and cross site scripting vulnerabilities.
• http://packetstormsecurity.com/files/129575/WordPress-DandyID-Services-ID-1.5.9-CSRF-XSS.html
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99502
• CWE-352: Cross-Site Request Forgery (CSRF)