CVSS: 2.6EPSS: 0%CPEs: 8EXPL: 1CVE-2012-2723
https://notcve.org/view.php?id=CVE-2012-2723
Cross-site scripting (XSS) vulnerability in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with maestro admin permissions to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Maestro v7.x-1.x anterior a v7.x-1.2 para Drupal, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://drupal.org/node/1617952 http://drupal.org/node/1619830 http://drupalcode.org/project/maestro.git/commitdiff/c499971 http://secunia.com/advisories/49393 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82713 http://www.securityfocus.com/bid/53836 https://exchange.xforce.ibmcloud.com/vulnerabilities/76145 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.1EPSS: 0%CPEs: 8EXPL: 1CVE-2012-3799
https://notcve.org/view.php?id=CVE-2012-3799
Multiple cross-site request forgery (CSRF) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) change workflows or (2) insert cross-site scripting (XSS) sequences. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en el módulo Maestro v7.x-1.x anteriores a v7.x-1.2 para Drupal, permite a atacantes remotos secuestrar la autenticación de los administradores para (1) cambiar los flujos de trabajo o (2) insertar secuencias de comandos en sitios cruzados. • http://drupal.org/node/1617952 http://drupal.org/node/1619830 http://drupalcode.org/project/maestro.git/commitdiff/c499971 http://secunia.com/advisories/49393 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82714 http://www.securityfocus.com/bid/53836 https://exchange.xforce.ibmcloud.com/vulnerabilities/76146 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.8EPSS: 0%CPEs: 9EXPL: 0CVE-2010-2021
https://notcve.org/view.php?id=CVE-2010-2021
Open redirect vulnerability in the Global Redirect module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, when non-clean to clean is enabled, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter. Vulnerabilidad de redirección abierta en el módulo Global Redirect v6.x-1.x anteriores a v6.x-1.4 y v7.x-1.x anteriores a v7.x-1.4 para Drupal, cuando «non-clean to clean» está activado, permite a atacantes remotos redireccionar a usuarios a sitios web de su elección y llevar a cabo ataques de phishing a través de de una URL en el parámetro q. • http://drupal.org/node/1633054 http://drupal.org/node/768244 http://secunia.com/advisories/49523 http://www.madirish.net/?article=460 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82959 http://www.securityfocus.com/bid/54002 https://drupal.org/node/1378116 https://drupal.org/node/1378118 https://exchange.xforce.ibmcloud.com/vulnerabilities/76293 • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 0%CPEs: 79EXPL: 2CVE-2012-2922
https://notcve.org/view.php?id=CVE-2012-2922
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. La función request_path en includes/bootstrap.inc en Drupal v7.14 y anteriores, permite a atacantes remotos obtener información sensible a través del parámetro q[] sobre index.php, lo que revela el path de instalación en un mensaje de error. • http://archives.neohapsis.com/archives/bugtraq/2012-05/0052.html http://archives.neohapsis.com/archives/bugtraq/2012-05/0053.html http://archives.neohapsis.com/archives/bugtraq/2012-05/0055.html http://osvdb.org/81817 http://secunia.com/advisories/49131 http://www.mandriva.com/security/advisories?name=MDVSA-2013:074 http://www.openwall.com/lists/oss-security/2012/08/02/8 http://www.securityfocus.com/bid/53454 https://exchange.xforce.ibmcloud.com/vulnerabilities/75531 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 0CVE-2012-2340
https://notcve.org/view.php?id=CVE-2012-2340
The Contact Forms module 7.x-1.x before 7.x-1.2 for Drupal does not specify sufficiently restrictive permissions, which allows remote authenticated users with the "access the site-wide contact form" permission to modify the module settings via unspecified vectors. El módulo Contact Forms v7.x-1.x y anteriores a v7.x-1.2 para Drupal no especifica permisos suficientemente restrictivos, lo que permite a usuarios remotos autenticados con "acceso al formulario de contacto" permiso para modificar los ajustes del módulo a través de no vectores no especificados. • http://drupal.org/node/1569352 http://drupal.org/node/1569508 http://drupalcode.org/project/contact_forms.git/commitdiff/d11ce2b http://secunia.com/advisories/49070 http://www.openwall.com/lists/oss-security/2012/05/10/6 http://www.openwall.com/lists/oss-security/2012/05/11/2 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.openwall.com/lists/oss-security/2012/06/15/6 http://www.securityfocus.com/bid/53441 • CWE-264: Permissions, Privileges, and Access Controls •