CVE-2012-2299
https://notcve.org/view.php?id=CVE-2012-2299
The Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal stores passwords for new customers in plaintext during checkout, which allows local users to obtain sensitive information by reading from the database. • http://drupal.org/node/1547506 http://drupal.org/node/1547508 http://drupal.org/node/1547674 http://drupalcode.org/project/ubercart.git/commitdiff/035d2cb http://drupalcode.org/project/ubercart.git/commitdiff/8c61e84 http://secunia.com/advisories/48935 http://www.openwall.com/lists/oss-security/2012/05/03/1 http://www.openwall.com/lists/oss-security/2012/05/03/2 http://www.securityfocus.com/bid/53251 • CWE-255: Credentials Management Errors
CVE-2012-2096
https://notcve.org/view.php?id=CVE-2012-2096
The Fivestar module 6.x-1.x before 6.x-1.20 for Drupal does not properly validate voting data, which allows remote attackers to manipulate voting averages via a negative value in the vote parameter. • http://drupal.org/node/1528600 http://drupal.org/node/1528614 http://drupalcode.org/project/fivestar.git/commitdiff/75dba2c http://secunia.com/advisories/48788 http://www.openwall.com/lists/oss-security/2012/04/11/4 http://www.openwall.com/lists/oss-security/2012/04/12/2 http://www.securityfocus.com/bid/52984 • CWE-20: Improper Input Validation
CVE-2012-2097
https://notcve.org/view.php?id=CVE-2012-2097
Cross-site request forgery (CSRF) vulnerability in the Autosave module 6.x before 6.x-2.10 and 7.x-2.x before 7.x-2.0 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests involving "submitting saved results to a node." • http://drupal.org/node/1525998 http://drupal.org/node/1528864 http://drupal.org/node/1528906 http://drupalcode.org/project/autosave.git/commitdiff/39f7fb0 http://drupalcode.org/project/autosave.git/commitdiff/f7bfd2d http://www.openwall.com/lists/oss-security/2012/04/11/4 http://www.openwall.com/lists/oss-security/2012/04/12/2 http://www.securityfocus.com/bid/52985 https://exchange.xforce.ibmcloud.com/vulnerabilities/74838 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2012-2302
https://notcve.org/view.php?id=CVE-2012-2302
Site Documentation (Sitedoc) module for Drupal 6.x-1.x before 6.x-1.4 does not properly check the save location when archiving, which allows remote attackers to obtain sensitive information via unspecified vectors. • http://drupal.org/node/1546224 http://drupal.org/node/1547686 http://drupalcode.org/project/sitedoc.git/commitdiff/521721c http://www.openwall.com/lists/oss-security/2012/05/03/1 http://www.openwall.com/lists/oss-security/2012/05/03/2 http://www.osvdb.org/81555 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-2296
https://notcve.org/view.php?id=CVE-2012-2296
The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x, 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a separate vulnerability. • http://drupal.org/node/1515114 http://drupal.org/node/1515120 http://drupal.org/node/1515282 http://www.openwall.com/lists/oss-security/2012/04/10/12 http://www.openwall.com/lists/oss-security/2012/05/03/1 http://www.openwall.com/lists/oss-security/2012/05/03/2 https://exchange.xforce.ibmcloud.com/vulnerabilities/74616 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor