CVSS: 9.8EPSS: 0%CPEs: 68EXPL: 0CVE-2014-1475 – Debian Security Advisory 2847-1
https://notcve.org/view.php?id=CVE-2014-1475
21 Jan 2014 — The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. El módulo OpenID en Drupal v6.x anterior a v6.30 y v7.x anterior a v7.26 permite a usuarios OpenID remotos autenticarse como otros usuarios a través de vectores no especificados. The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. The Taxonomy module in Drupal 7.x befor... • http://secunia.com/advisories/56260 •
CVSS: 8.8EPSS: 5%CPEs: 78EXPL: 0CVE-2013-6385 – Debian Security Advisory 2828-1
https://notcve.org/view.php?id=CVE-2013-6385
27 Nov 2013 — The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. La API de formularios en Drupal 6.x anteriores a 6.29 y 7.x anteriores a 7.24, cuando es utilizada con módulos no especificados de terceros, ejecuta validación del formulario incluso cuando la valida... • http://secunia.com/advisories/56148 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 78EXPL: 0CVE-2013-6386 – Debian Security Advisory 2828-1
https://notcve.org/view.php?id=CVE-2013-6386
27 Nov 2013 — Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. Drupal 6.x anteriores a 6.29 y 7.x anteriores a 7.24 utilizan la función de PHP mt_rand para generar números aleatorios, la cual usa semillas predecibles y permite a atacantes remotos predecir cadenas de seguridad y sortear restricciones intencionadas a través de ata... • http://secunia.com/advisories/56148 • CWE-310: Cryptographic Issues •
CVSS: 6.8EPSS: 0%CPEs: 54EXPL: 0CVE-2012-0825 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-0825
11 Oct 2013 — Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. Drupal 6.x anterior a la versión 6.23 y 7.x anterior a 7.11 no verifica que la información Attribute Exchange (AX) se firme, lo que permite a atacantes remotos modificar información AX potencialmente sensible sin la detección a través de ataques man-in-the-middle (MI... • http://openid.net/2011/05/05/attribute-exchange-security-alert • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 59EXPL: 0CVE-2012-0826 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-0826
11 Oct 2013 — Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors. Vulnerabilidad de Cross-site request forgery (CSRF) en el modulo Aggregator en Drupal 6.x anterior a 6.23 y 7.x anterior a 7.11 permite a atacantes remotos secuestrar la autenticación de... • http://www.debian.org/security/2013/dsa-2776 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 72EXPL: 0CVE-2013-0244 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2013-0244
11 Oct 2013 — Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. Cross-site scripting (XSS) en Drupal 6.x anterior a 6.28 y 7.x anterior a 7.19, cuando se ejecuta con versiones anteriores de jQuery que son vulnerables a CVE-2011-4969, que permite a ata... • http://osvdb.org/89306 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 72EXPL: 0CVE-2013-0245 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2013-0245
16 Jul 2013 — The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors. La versión amigable de la funcionalidad de impresión del módulo Book para Drupal no restringe adecuadamente el acceso al nodo del que es parte del esquema del módul... • http://osvdb.org/89305 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 70EXPL: 0CVE-2012-5651 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-5651
03 Jan 2013 — Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results. Drupal v6.x antes de v6.27 y v7.x antes de v7.18 muestra información a los usuarios bloqueados, lo que podría permitir a atacantes remotos obtener información sensible mediante la lectura de los resultados de búsqueda. Multiple vulnerabilities have been been fixed in the Drupal content management framework, resulting in informati... • http://drupal.org/SA-CORE-2012-004 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 36EXPL: 0CVE-2012-5652 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-5652
03 Jan 2013 — Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result. Drupal v6.x antes de v6.27 permite a atacantes remotos obtener información sensible acerca de los archivos subidos a través de un (1) feed RSS o (2) resultados de búsqueda. Multiple vulnerabilities have been been fixed in the Drupal content management framework, resulting in information disclosure, insufficient validation, cross-site scripting and cross-site request fo... • http://drupal.org/SA-CORE-2012-004 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 72EXPL: 2CVE-2012-5653 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-5653
03 Jan 2013 — The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name. La característica de carga de archivos en Drupal v6.x antes de v6.27 y v7.x antes de v7.18 permite a usuarios remotos autenticados eludir el mecanismo de protección y ejecutar código PHP arbitrario a través de un byte nulo en un nombre de archivo. Multiple vulnerabilities have been been fixed in the Drupal co... • http://drupal.org/SA-CORE-2012-004 • CWE-20: Improper Input Validation •