CVE-2012-4488
https://notcve.org/view.php?id=CVE-2012-4488
The Location module 6.x before 6.x-3.2 and 7.x before 7.x-3.0-alpha1 for Drupal does not properly check user or node access permissions, which allows remote attackers to read node or user results via the location search page.
• http://drupal.org/node/1699962
• http://drupal.org/node/1699984
• http://drupal.org/node/1700588
• http://www.openwall.com/lists/oss-security/2012/10/04/6
• http://www.openwall.com/lists/oss-security/2012/10/07/1
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2012-4492
https://notcve.org/view.php?id=CVE-2012-4492
Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URLs module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors to the (1) report or (2) Custom Services List page.
• http://drupal.org/node/1719392
• http://www.openwall.com/lists/oss-security/2012/10/04/6
• http://www.openwall.com/lists/oss-security/2012/10/07/1
• http://www.securityfocus.com/bid/54911
• https://drupal.org/node/1719306
• https://drupal.org/node/1719310
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-5233
https://notcve.org/view.php?id=CVE-2012-5233
Cross-site scripting (XSS) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote authenticated users with edit stickynotes privileges to inject arbitrary web script or HTML via unspecified vectors.
• http://drupal.org/node/1408556
• http://drupal.org/node/1409422
• http://drupalcode.org/project/stickynote.git/commit/7413dd1
• http://secunia.com/advisories/47650
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.securityfocus.com/bid/51558
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1639
https://notcve.org/view.php?id=CVE-2012-1639
Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters.
• http://drupal.org/node/1416824
• http://drupalcode.org/project/commerce.git/blobdiff/45bc53875f1675750afe60e709a34c95e3008366..b74cdcd:/modules/product/commerce_product.module
• http://osvdb.org/78528
• http://secunia.com/advisories/47730
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.securityfocus.com/bid/51668
• https://exchange.xforce.ibmcloud.com/vulnerabilities/72743
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2153
https://notcve.org/view.php?id=CVE-2012-2153
Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which allows remote authenticated users with the "Access the content overview page" permission to read all published nodes by accessing the admin/content page.
• http://drupal.org/drupal-7.14
• http://drupal.org/node/1557938
• http://drupal.org/node/1558478
• http://drupalcode.org/project/drupal.git/commit/c6d2b8311b82fe78d18732f01a68ceca3dea50af
• http://secunia.com/advisories/49012
• http://www.mandriva.com/security/advisories?name=MDVSA-2013:074
• http://www.securityfocus.com/bid/53362
• CWE-264: Permissions, Privileges, and Access Controls