CVSS: 6.0EPSS: 0%CPEs: 35EXPL: 0CVE-2012-1057
https://notcve.org/view.php?id=CVE-2012-1057
Cross-site request forgery (CSRF) vulnerability in the clickthrough tracking functionality in the Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that increase node rankings via the tracking code, possibly related to improper "flood control." Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en la funcionalidad 'clickthrough tracking' en el módulo Forward v6.x-1.x anterior a v6.x-1.21 y v7.x-1.x anterior a v7.x-1.3 para Drupal permite a atacantes remotos secuestras la autenticación para administradores para peticiones de incremento de la clasificación del nodo a través de un código de seguimiento, posiblemente relacionado con un control incorrecto. • http://drupal.org/node/1423722 http://drupal.org/node/1425150 http://drupalcode.org/project/forward.git/commitdiff/72158fdbfbf5a068938985e3d10ce1d8f969d9c3 http://osvdb.org/78817 http://secunia.com/advisories/47851 http://www.securityfocus.com/bid/51826 https://exchange.xforce.ibmcloud.com/vulnerabilities/72922 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2011-3730
https://notcve.org/view.php?id=CVE-2011-3730
Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and certain other files. Drupal v7.0 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con modules/simpletest/tests/upgrade/drupal-6.upload.database.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/drupal-7.0 http://www.openwall.com/lists/oss-security/2011/06/27/6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 18EXPL: 0CVE-2011-2687
https://notcve.org/view.php?id=CVE-2011-2687
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table. Drupal 7.x en versiones anteriores a la 7.3 permite a atacantes remotos evitar las restricciones previstas node_access a través de vectores relacionados con un listado que muestra nodos pero falla una claúsula JOIN en la tabla de nodos. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633385 http://drupal.org/node/1204582 http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062714.html http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062722.html http://secunia.com/advisories/45081 http://secunia.com/advisories/45291 http://www.openwall.com/lists/oss-security/2011/07/11/2 http://www.openwall.com/lists/oss-security/2011/07/12/16 http://www.securityfocus.com/bid/48505 https: • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2009-3352
https://notcve.org/view.php?id=CVE-2009-3352
Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors. Múltiples vulnerabilidades no especificadas en el módulo quota_by_role (Quota by role) de Drupal, tienen impacto y vectores de ataque desconocidos. • http://drupal.org/node/572852 http://www.securityfocus.com/bid/36330 •