Page 4 of 54 results (0.007 seconds)

CVSS: 4.3EPSS: 0%CPEs: 31EXPL: 0

Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks. Vulnerabilidad sin especificar en Drupal 5.x anterior a v5.17 y v6.x anterior a v6.11, usado en vbDrupal anterior a v5.17.0, permite a atacantes remotos asistidos por el usuario obtener información sensible engañando a las víctimas para que visiten la página de inicio a través de una URL manipulada y provocando que los datos de los formularios sean enviados a un sitio controlado por el atacante. Posiblemente relacionado con múltiples caracteres "/" (Slash) que no son manejados adecuadamente por includes/bootstrap.inc como ha sido demostrado usando el formulario de búsqueda. NOTA: esta vulnerabilidad puede ser aprovechada para llevar a cabo ataques de falsificación de petición en sitios cruzados (CSFR) • http://drupal.org/files/sa-core-2009-005/SA-CORE-2009-005-5.16.patch http://drupal.org/node/449078 http://secunia.com/advisories/34948 http://secunia.com/advisories/34950 http://secunia.com/advisories/34980 http://www.debian.org/security/2009/dsa-1792 http://www.osvdb.org/54153 http://www.vbdrupal.org/forum/showthread.php?p=9953#post9953 http://www.vupen.com/english/advisories/2009/1216 https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00108.htm •

CVSS: 4.3EPSS: 0%CPEs: 44EXPL: 0

Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote attackers to inject arbitrary web script or HTML via crafted UTF-8 byte sequences before the Content-Type meta tag, which are treated as UTF-7 by Internet Explorer 6 and 7. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Drupal v5.x anterior a v5.17 y v6.x anterior a v6.11, usado en vbDrupal anterior a v5.17.0, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de secuencias con bytes UTF-8 previas a los meta tags Content-Type que se tratan como UTF-7 en Internet Explorer 6 y 7. • http://drupal.org/node/449078 http://secunia.com/advisories/34948 http://secunia.com/advisories/34950 http://secunia.com/advisories/34980 http://www.debian.org/security/2009/dsa-1792 http://www.osvdb.org/54152 http://www.vbdrupal.org/forum/showthread.php?p=9953#post9953 http://www.vupen.com/english/advisories/2009/1216 https://exchange.xforce.ibmcloud.com/vulnerabilities/50250 https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00108.html https://www.redhat& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 20EXPL: 0

Drupal 5.x before 5.13 and 6.x before 6.7 does not delete all related content when an input format is deleted, which prevents the content from being properly filtered and allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. Drupal v5.x anterior a v5.13 y v6.x anterior a v6.7 no borra el contenido relacionado cuando un formato de entrada es eliminado, lo que evita que se filtre adecuadamente y permita a atacantes remotos llevar a cabo ataques de ejecución de secuencias de comandos en sitios cruzados (XSS) a través de vectores no especificados. • http://drupal.org/node/345441 http://secunia.com/advisories/33112 http://secunia.com/advisories/33147 http://www.osvdb.org/50662 http://www.vupen.com/english/advisories/2008/3414 https://exchange.xforce.ibmcloud.com/vulnerabilities/47259 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00740.html https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00767.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 0%CPEs: 20EXPL: 0

Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database. Vulnerabilidad múltiple de falsificación de petición en sitios cruzados - CSRF - en la característica de actualización en Drupal v5.x anteriores a v5.13 y v6.x anteriores a v6.7, permiten a los atacantes remotos desarrollar acciones no autorizadas como el superusuarío a través de vectores no especificados, como se ha demostrado por provocación del superusuario la "ejecución de antiguas actualizaciones" que modifican la base de datos. • http://drupal.org/node/345441 http://secunia.com/advisories/33112 http://secunia.com/advisories/33147 http://www.osvdb.org/50661 http://www.vupen.com/english/advisories/2008/3414 https://exchange.xforce.ibmcloud.com/vulnerabilities/47260 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00740.html https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00767.html • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 3.5EPSS: 0%CPEs: 18EXPL: 0

Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and 6.x before 6.6 allows remote authenticated users with create book content or edit node book hierarchy permissions to inject arbitrary web script or HTML via the book page title. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados(XSS) en Drupal v5.x anterior a v5.12 v6.x anterior a v6.6, lo que permite a usuarios remotos autenticados con permisos para crear contenidos de libros o editar la jerarquía de nodos de los libros inyectar secuencias de comandos web o HTML a través de la pagina de titulo del libro. • http://drupal.org/node/324824 http://secunia.com/advisories/32297 http://secunia.com/advisories/32441 http://www.securityfocus.com/bid/31882 http://www.vupen.com/english/advisories/2008/2913 https://exchange.xforce.ibmcloud.com/vulnerabilities/46052 https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00783.html https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00826.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •