CVE-2012-2723
https://notcve.org/view.php?id=CVE-2012-2723
Cross-site scripting (XSS) vulnerability in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with maestro admin permissions to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Maestro v7.x-1.x anterior a v7.x-1.2 para Drupal, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://drupal.org/node/1617952 http://drupal.org/node/1619830 http://drupalcode.org/project/maestro.git/commitdiff/c499971 http://secunia.com/advisories/49393 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82713 http://www.securityfocus.com/bid/53836 https://exchange.xforce.ibmcloud.com/vulnerabilities/76145 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-2713
https://notcve.org/view.php?id=CVE-2012-2713
Cross-site request forgery (CSRF) vulnerability in the BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that login a user to another web site. Una vulnerabilidad de falsificación de peticiones en sitios cruzados(CSRF) en el BrowserID (Mozilla Persona) Módulo v7.x-1.x anterior a v7.x-1.3 para Drupal permite a atacantes remotos secuestrar la autenticación de los usuarios arbitrarios para las solicitudes de ese inicio de sesión de un usuario a otro del sitio web. • http://drupal.org/node/1597414 http://drupalcode.org/project/browserid.git/commitdiff/5e5cdcd http://secunia.com/advisories/49227 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82466 http://www.securityfocus.com/bid/53673 https://drupal.org/node/1596464 https://exchange.xforce.ibmcloud.com/vulnerabilities/75869 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2010-2021
https://notcve.org/view.php?id=CVE-2010-2021
Open redirect vulnerability in the Global Redirect module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, when non-clean to clean is enabled, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter. Vulnerabilidad de redirección abierta en el módulo Global Redirect v6.x-1.x anteriores a v6.x-1.4 y v7.x-1.x anteriores a v7.x-1.4 para Drupal, cuando «non-clean to clean» está activado, permite a atacantes remotos redireccionar a usuarios a sitios web de su elección y llevar a cabo ataques de phishing a través de de una URL en el parámetro q. • http://drupal.org/node/1633054 http://drupal.org/node/768244 http://secunia.com/advisories/49523 http://www.madirish.net/?article=460 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82959 http://www.securityfocus.com/bid/54002 https://drupal.org/node/1378116 https://drupal.org/node/1378118 https://exchange.xforce.ibmcloud.com/vulnerabilities/76293 • CWE-20: Improper Input Validation •
CVE-2012-2922
https://notcve.org/view.php?id=CVE-2012-2922
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. La función request_path en includes/bootstrap.inc en Drupal v7.14 y anteriores, permite a atacantes remotos obtener información sensible a través del parámetro q[] sobre index.php, lo que revela el path de instalación en un mensaje de error. • http://archives.neohapsis.com/archives/bugtraq/2012-05/0052.html http://archives.neohapsis.com/archives/bugtraq/2012-05/0053.html http://archives.neohapsis.com/archives/bugtraq/2012-05/0055.html http://osvdb.org/81817 http://secunia.com/advisories/49131 http://www.mandriva.com/security/advisories?name=MDVSA-2013:074 http://www.openwall.com/lists/oss-security/2012/08/02/8 http://www.securityfocus.com/bid/53454 https://exchange.xforce.ibmcloud.com/vulnerabilities/75531 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2012-2340
https://notcve.org/view.php?id=CVE-2012-2340
The Contact Forms module 7.x-1.x before 7.x-1.2 for Drupal does not specify sufficiently restrictive permissions, which allows remote authenticated users with the "access the site-wide contact form" permission to modify the module settings via unspecified vectors. El módulo Contact Forms v7.x-1.x y anteriores a v7.x-1.2 para Drupal no especifica permisos suficientemente restrictivos, lo que permite a usuarios remotos autenticados con "acceso al formulario de contacto" permiso para modificar los ajustes del módulo a través de no vectores no especificados. • http://drupal.org/node/1569352 http://drupal.org/node/1569508 http://drupalcode.org/project/contact_forms.git/commitdiff/d11ce2b http://secunia.com/advisories/49070 http://www.openwall.com/lists/oss-security/2012/05/10/6 http://www.openwall.com/lists/oss-security/2012/05/11/2 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.openwall.com/lists/oss-security/2012/06/15/6 http://www.securityfocus.com/bid/53441 • CWE-264: Permissions, Privileges, and Access Controls •