CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0CVE-2012-2307
https://notcve.org/view.php?id=CVE-2012-2307
Cross-site request forgery (CSRF) vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Vulnerabilidad de falsificación de peticiones en sitios cruzados (CSRF) en el módulo Addressbook para Drupal v6.x-4.2 y anteriores, permite a atacantes remotos secuestrar la autenticación de víctimas no especificadas a través de vectores desconocidos. • http://drupal.org/node/1557868 http://www.openwall.com/lists/oss-security/2012/05/03/1 http://www.openwall.com/lists/oss-security/2012/05/03/2 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 3.5EPSS: 0%CPEs: 21EXPL: 0CVE-2012-2310
https://notcve.org/view.php?id=CVE-2012-2310
Cross-site scripting (XSS) vulnerability in the cctags module for Drupal 6.x-1.x before 6.x-1.10 and 7.x-1.x before 7.x-1.10 allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo cctags para Drupal v6.x-1.x antes de v6.x-1.10 y v7.x 1.x antes v7.x-1.10 permite a usuarios remotos autenticados con ciertos roles, inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://drupal.org/node/1508098 http://drupal.org/node/1508100 http://drupal.org/node/1558248 http://secunia.com/advisories/49018 http://www.openwall.com/lists/oss-security/2012/05/03/1 http://www.openwall.com/lists/oss-security/2012/05/03/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 15EXPL: 1CVE-2012-2303
https://notcve.org/view.php?id=CVE-2012-2303
The Spaces module 6.x-3.x before 6.x-3.4 for Drupal does not enforce permissions on non-object pages, which allows remote attackers to obtain sensitive information and possibly have other impacts via unspecified vectors to the (1) Spaces or (2) Spaces OG module. El módulo Spaces v6.x-3.x antes de v6.x-3.4 para Drupal no cumple los permisos de páginas no-objeto, lo que permite a atacantes remotos obtener información sensible y posiblemente tener otros impactos a través de vectores no especificados sobre (1) Spaces o (2) el módulo Spaces OG. • http://drupal.org/node/1547730 http://drupal.org/node/1547736 http://drupalcode.org/project/spaces.git/commitdiff/cee919c http://secunia.com/advisories/48930 http://www.openwall.com/lists/oss-security/2012/05/03/1 http://www.openwall.com/lists/oss-security/2012/05/03/2 http://www.osvdb.org/81556 http://www.securityfocus.com/bid/53252 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 1CVE-2012-2717
https://notcve.org/view.php?id=CVE-2012-2717
Multiple cross-site scripting (XSS) vulnerabilities in the Mobile Tools module 6.x-2.x before 6.x-2.3 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) Mobile URL field or (2) Desktop URL field to the General configuration page, or the (3) message to the Mobile Tools block message options. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Mobile Tools v6.x-2.x antes de v6.x-2.3 para Drupal, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) el campo Mobile URL o (2) el campo Desktop URL a la página de configuración general, o (3) el mensaje a las opciones de bloqueo de mensajes de Mobile Tools. • http://drupal.org/node/1169008 http://drupal.org/node/1608828 http://drupalcode.org/project/mobile_tools.git/commitdiff/614b0fc http://osvdb.org/82410 http://secunia.com/advisories/49318 http://www.madirish.net/content/drupal-mobile-tools-6x-23-xss http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.securityfocus.com/bid/53734 https://exchange.xforce.ibmcloud.com/vulnerabilities/76002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.6EPSS: 0%CPEs: 20EXPL: 1CVE-2012-2731
https://notcve.org/view.php?id=CVE-2012-2731
The Ubercart AJAX Cart 6.x-2.x before 6.x-2.1 for Drupal stores the PHP session id in the JavaScript settings array in page loads, which might allow remote attackers to obtain sensitive information by sniffing or reading the cache of the HTML of a webpage. Ubercart AJAX Cart v6.x-2.x anterior a v6.x-2.1 para Drupal almacena la id de la sesión en la tabla de configuración de páginas cargadas, lo que podría permitir a atacantes remotos obtener información sensible espiando o leyendo la caché del HTML de una página Web. • http://drupal.org/node/1619586 http://drupal.org/node/1633048 http://drupalcode.org/project/uc_ajax_cart.git/commitdiff/b59cdd5 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.securityfocus.com/bid/53999 https://exchange.xforce.ibmcloud.com/vulnerabilities/76332 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •