CVSS: 4.3EPSS: 0%CPEs: 20EXPL: 2CVE-2012-1647
https://notcve.org/view.php?id=CVE-2012-1647
Multiple cross-site scripting (XSS) vulnerabilities in the "stand alone PHP application for the OSM Player," as used in the MediaFront module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal, allow remote attackers to inject arbitrary web script or HTML via (1) $_SERVER['HTTP_HOST'] or (2) $_SERVER['SCRIPT_NAME'] to players/osmplayer/player/OSMPlayer.php, (3) playlist parameter to players/osmplayer/player/getplaylist.php, and possibly other vectors related to $_SESSION. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en "stand alone PHP application for the OSM Player," que es usada en el módulo MediaFront v6.x-1.x anterior a v6.x-1.5 y v7.x-1.x anterior a v7.x-1.5 para Drupal, permite a atacantes remotos inyectar código web y HTML de su elección a través de (1) $_SERVER['HTTP_HOST'] o (2) $_SERVER['SCRIPT_NAME'] a players/osmplayer/player/OSMPlayer.php, (3)parámetro playlist a players/osmplayer/player/getplaylist.php, y posiblemente otros vectores relacionados con $_SESSION. • http://drupalcode.org/project/mediafront.git/commitdiff/6300750 http://drupalcode.org/project/mediafront.git/commitdiff/b3857aa http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.osvdb.org/79684 http://www.securityfocus.com/bid/52229 https://drupal.org/node/1460892 https://drupal.org/node/1460894 https://drupal.org/node/1461424 https://exchange.xforce.ibmcloud.com/vulnerabilities/73606 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.0EPSS: 0%CPEs: 4EXPL: 0CVE-2012-1650
https://notcve.org/view.php?id=CVE-2012-1650
The ZipCart module 6.x before 6.x-1.4 for Drupal checks the "access content" permission instead of the "access ZipCart downloads" permission when building archives, which allows remote authenticated users with access content permission to bypass intended access restrictions. El módulo ZipCart en v6.x anterior a v6.x-1.4 para Drupal comprueba los permisos "access content" en lugar de los permisos "access ZipCart downloads" cuando construye archivos, lo que permite a usuarios autenticados de forma remota con acceso evitar restricciones de acceso. • http://drupalcode.org/project/zipcart.git/commitdiff/fe143c2 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.osvdb.org/79766 http://www.securityfocus.com/bid/52231 https://drupal.org/node/1460892 https://drupal.org/node/1461446 https://exchange.xforce.ibmcloud.com/vulnerabilities/73609 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 2.6EPSS: 0%CPEs: 3EXPL: 0CVE-2012-1645
https://notcve.org/view.php?id=CVE-2012-1645
The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin Pull mode with the "Far Future expiration" option enabled, allows remote attackers to read arbitrary PHP files via unspecified vectors, as demonstrated by reading settings.php. El módulo CDN v6.x-2.2 y v7.x-2.2 para Drupal, cuando está en ejecución en modo Origin Pull con la opción "Far Future expiration" habilitada, permite a atacantes remotos leer ficheros PHP de su elección a través de vectores no especificados, como se ha demostrado leyendo settings.php. • http://drupal.org/node/1441480 http://drupal.org/node/1441482 http://drupalcode.org/project/cdn.git/commitdiff/cd2a5ff http://drupalcode.org/project/cdn.git/commitdiff/eca85e6 http://secunia.com/advisories/48032 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.osvdb.org/79317 https://drupal.org/node/1441502 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0CVE-2012-2297
https://notcve.org/view.php?id=CVE-2012-2297
Multiple cross-site scripting (XSS) vulnerabilities in the Creative Commons module 6.x-1.x before 6.x-1.1 for Drupal allow remote authenticated users with the administer creative commons permission to inject arbitrary web script or HTML via the (1) creativecommons_user_message or (2) creativecommons_site_license_additional_text parameter. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en el módulo Creative Commons v6.x-1.x y anteriores a v6.x-1.1 para Drupal que permite a usuarios remotos autenticados con permisos de administración (creative commons) inyectar código web o HTML arbitrario a través del parámetro (1) creativecommons_user_message o (2) creativecommons_site_license_additional_text. • http://drupal.org/node/1547478 http://drupal.org/node/1547520 http://secunia.com/advisories/48937 http://www.madirish.net/content/drupal-creative-commons-6x-10-xss-vulnerability http://www.openwall.com/lists/oss-security/2012/05/03/1 http://www.openwall.com/lists/oss-security/2012/05/03/2 http://www.securityfocus.com/bid/53248 https://exchange.xforce.ibmcloud.com/vulnerabilities/75180 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 8EXPL: 0CVE-2012-2081
https://notcve.org/view.php?id=CVE-2012-2081
The Organic Groups (OG) module 6.x-2.x before 6.x-2.3 for Drupal does not properly restrict access, which allows remote attackers to obtain sensitive information such as private group titles via a request through the Views module. El módulo 'Organic Groups' (OG) v6.x-2.x, antes de v6.x-2.3 para Drupal no restringe adecuadamente el acceso, lo que permite a atacantes remotos obtener información sensible, tales como títulos de los grupos privados a través de una solicitud a través del módulo de Vistas (Views). • http://drupal.org/node/1507328 http://drupal.org/node/1507446 http://osvdb.org/80678 http://secunia.com/advisories/48620 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/52799 https://exchange.xforce.ibmcloud.com/vulnerabilities/74526 • CWE-264: Permissions, Privileges, and Access Controls •