CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2983
https://notcve.org/view.php?id=CVE-2014-2983
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. Drupal 6.x anterior a 6.31 y 7.x anterior a 7.27 no aísla debidamente los datos en caché de usuarios anónimos diferentes, lo que permite a usuarios remotos anónimos obtener información sensible de entradas de formularios parciales en situaciones oportunistas a través de vectores no especificados. • http://www.debian.org/security/2014/dsa-2913 http://www.debian.org/security/2014/dsa-2914 http://www.openwall.com/lists/oss-security/2014/04/22/2 https://drupal.org/SA-CORE-2014-002 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 1%CPEs: 5EXPL: 0CVE-2013-1946
https://notcve.org/view.php?id=CVE-2013-1946
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache." El módulo RESTful Web Services (RESTWS) 7.x-1.x anterior a 7.x-1.3 y 7.x-2.x anterior a 7.x-2.0-alpha5 para Drupal, cuando el cacheo de la página está habilitado y usuarios anónimos se les asignan permisos RESTWS, permite a atacantes remotos causar una denegación de servicio a través de una solicitud GET con una cabecera HTTP Accept configurada hacia un tipo no HTML, lo que puede "interferir con el cacheo de página de Drupal." • http://www.openwall.com/lists/oss-security/2013/04/12/1 http://www.osvdb.org/92259 https://drupal.org/node/1966752 https://drupal.org/node/1966758 https://drupal.org/node/1966780 • CWE-20: Improper Input Validation •
CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0CVE-2013-4383
https://notcve.org/view.php?id=CVE-2013-4383
Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en el módulo jQuery Countdown 7.x-1.x anterior a 7.x-1.1 para Drupal permite a usuarios remotos no autenticados con el permiso "access administration pages" inyectar script Web o HTML arbitrarios a través de vectores no especificados. • http://www.securityfocus.com/bid/62340 https://drupal.org/node/2087089 https://drupal.org/node/2087095 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2014-1611
https://notcve.org/view.php?id=CVE-2014-1611
Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field. Vulnerabilidad de XSS en el módulo Anonymous Posting 7.x-1.2 y 7.x-1.3 para Drupal permite a atacantes remotos inyectar script Web o HTML arbitrario a través del campo de nombre de contacto. • http://osvdb.org/102126 http://packetstormsecurity.com/files/124803/Drupal-Anonymous-Posting-7.x-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Jan/77 http://secunia.com/advisories/56476 https://drupal.org/node/2173321 https://drupal.org/node/2173437 https://exchange.xforce.ibmcloud.com/vulnerabilities/90526 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-1607 – Drupal 7.14 EventCalendar Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-1607
Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future ** DISPUTADA ** Vulnerabilidad de XSS en el módulo EventCalendar para Drupal 7.14 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través del parámetro year en eventcalander/. NOTA: este problema ha sido disputado por el equipo de seguridad de Drupal; puede resultar ser especifico a un sitio. Si esto es el caso, este CVE será RECHAZADA en el futuro. • http://osvdb.org/102574 http://www.securityfocus.com/archive/1/530876/100/0/threaded https://groups.drupal.org/node/402023 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •