CVSS: 2.1EPSS: 0%CPEs: 3EXPL: 0CVE-2013-1393
https://notcve.org/view.php?id=CVE-2013-1393
Cross-site scripting (XSS) vulnerability in the CurvyCorners module 6.x-1.x and 7.x-1.x for Drupal allows remote authenticated users with the "administer curvycorners" permission to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidades de secuencias de comandos entre sitios múltiples (XSS) en el módulo CurviCorners v6.x-1.x y v7.x-1.x para Drupal que permite a usuarios autenticados de forma remota con el permiso "administer curvycorners" inyectar secuencias de comandos web o HTML a través de vectores sin especficiar. • http://osvdb.org/89571 http://packetstormsecurity.com/files/119766/Drupal-CurvyCorners-6.x-7.x-Cross-Site-Scripting.html http://packetstormsecurity.com/files/119814/CurvyCorners-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2013/Jan/211 http://seclists.org/fulldisclosure/2013/Jan/218 http://www.csnc.ch/misc/files/advisories/CVE-2013-1393.txt http://www.securityfocus.com/bid/57526 https://drupal.org/node/1896718 https://exchange.xforce.ibmcloud.com/vulnerabilities/81499 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 70EXPL: 0CVE-2012-5651
https://notcve.org/view.php?id=CVE-2012-5651
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results. Drupal v6.x antes de v6.27 y v7.x antes de v7.18 muestra información a los usuarios bloqueados, lo que podría permitir a atacantes remotos obtener información sensible mediante la lectura de los resultados de búsqueda. • http://drupal.org/SA-CORE-2012-004 http://drupalcode.org/project/drupal.git/commitdiff/b47f95d http://drupalcode.org/project/drupal.git/commitdiff/da8023a http://www.debian.org/security/2013/dsa-2776 http://www.mandriva.com/security/advisories?name=MDVSA-2013:074 http://www.openwall.com/lists/oss-security/2012/12/20/1 http://www.osvdb.org/88528 http://www.securityfocus.com/bid/56993 https://exchange.xforce.ibmcloud.com/vulnerabilities/80792 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 24EXPL: 1CVE-2012-5655
https://notcve.org/view.php?id=CVE-2012-5655
The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request. El módulo Context v6.x-3.x antes de v6.x-3.1 y v7.x-3.x antes de v7.x-3.0-beta6 para Drupal no restringe adecuadamente el acceso para bloquear el contenido, lo que permite a atacantes remotos obtener información sensible a través de una petición modificada. • http://drupal.org/node/1870550 http://drupalcode.org/project/context.git/commitdiff/4452bf1 http://drupalcode.org/project/context.git/commitdiff/d8bf8b6 http://secunia.com/advisories/51517 http://www.openwall.com/lists/oss-security/2012/12/20/1 http://www.securityfocus.com/bid/56993 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.0EPSS: 1%CPEs: 72EXPL: 2CVE-2012-5653
https://notcve.org/view.php?id=CVE-2012-5653
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name. La característica de carga de archivos en Drupal v6.x antes de v6.27 y v7.x antes de v7.18 permite a usuarios remotos autenticados eludir el mecanismo de protección y ejecutar código PHP arbitrario a través de un byte nulo en un nombre de archivo. • http://drupal.org/SA-CORE-2012-004 http://drupalcode.org/project/drupal.git/commitdiff/b47f95d http://drupalcode.org/project/drupal.git/commitdiff/da8023a http://osvdb.org/88529 http://www.debian.org/security/2013/dsa-2776 http://www.mandriva.com/security/advisories?name=MDVSA-2013:074 http://www.openwall.com/lists/oss-security/2012/12/20/1 http://www.securityfocus.com/bid/56993 https://exchange.xforce.ibmcloud.com/vulnerabilities/80795 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 26EXPL: 0CVE-2012-5591
https://notcve.org/view.php?id=CVE-2012-5591
Cross-site scripting (XSS) vulnerability in the Zero Point module 6.x-1.x before 6.x-1.18 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the path aliases. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en el módulo de Zero Point v6.x-1.x antes de v6.x-1.18 y v7.x-1.x antes de v7.x-1.4 para Drupal permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de los alias de ruta. • http://drupal.org/node/1853350 http://drupal.org/node/1853358 http://drupal.org/node/1853376 http://www.openwall.com/lists/oss-security/2012/11/29/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •