CVE-2014-1611
https://notcve.org/view.php?id=CVE-2014-1611
Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field.
References:
• http://osvdb.org/102126
• http://packetstormsecurity.com/files/124803/Drupal-Anonymous-Posting-7.x-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2014/Jan/77
• http://secunia.com/advisories/56476
• https://drupal.org/node/2173321
• https://drupal.org/node/2173437
• https://exchange.xforce.ibmcloud.com/vulnerabilities/90526
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1607 – Drupal 7.14 EventCalendar Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-1607
Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future.
References:
• http://osvdb.org/102574
• http://www.securityfocus.com/archive/1/530876/100/0/threaded
• https://groups.drupal.org/node/402023
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1475
https://notcve.org/view.php?id=CVE-2014-1475
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.
References:
• http://secunia.com/advisories/56260
• http://secunia.com/advisories/56601
• http://www.debian.org/security/2014/dsa-2847
• http://www.debian.org/security/2014/dsa-2851
• http://www.mandriva.com/security/advisories?name=MDVSA-2014:031
• http://www.securityfocus.com/bid/64973
• https://drupal.org/SA-CORE-2014-001
CVE-2014-1476
https://notcve.org/view.php?id=CVE-2014-1476
The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page.
References:
• http://secunia.com/advisories/56260
• http://www.debian.org/security/2014/dsa-2847
• http://www.mandriva.com/security/advisories?name=MDVSA-2014:031
• http://www.securityfocus.com/bid/64973
• https://drupal.org/SA-CORE-2014-001
CWE-264: Permissions, Privileges, and Access Controls
CVE-2013-7067
https://notcve.org/view.php?id=CVE-2013-7067
The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not properly override pages that have an access callback set to false, which allows remote attackers to bypass intended access restrictions via a request.
References:
• http://osvdb.org/100611
• http://www.securityfocus.com/bid/64134
• https://drupal.org/node/2149743
• https://drupal.org/node/2149791
• https://exchange.xforce.ibmcloud.com/vulnerabilities/89458
CWE-264: Permissions, Privileges, and Access Controls