CVSS: 9.1EPSS: 0%CPEs: 78EXPL: 0CVE-2013-6386 – Debian Security Advisory 2828-1
https://notcve.org/view.php?id=CVE-2013-6386
27 Nov 2013 — Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. Drupal 6.x anteriores a 6.29 y 7.x anteriores a 7.24 utilizan la función de PHP mt_rand para generar números aleatorios, la cual usa semillas predecibles y permite a atacantes remotos predecir cadenas de seguridad y sortear restricciones intencionadas a través de ata... • http://secunia.com/advisories/56148 • CWE-310: Cryptographic Issues •
CVSS: 6.8EPSS: 0%CPEs: 54EXPL: 0CVE-2012-0825 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-0825
11 Oct 2013 — Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. Drupal 6.x anterior a la versión 6.23 y 7.x anterior a 7.11 no verifica que la información Attribute Exchange (AX) se firme, lo que permite a atacantes remotos modificar información AX potencialmente sensible sin la detección a través de ataques man-in-the-middle (MI... • http://openid.net/2011/05/05/attribute-exchange-security-alert • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 59EXPL: 0CVE-2012-0826 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-0826
11 Oct 2013 — Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors. Vulnerabilidad de Cross-site request forgery (CSRF) en el modulo Aggregator en Drupal 6.x anterior a 6.23 y 7.x anterior a 7.11 permite a atacantes remotos secuestrar la autenticación de... • http://www.debian.org/security/2013/dsa-2776 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 72EXPL: 0CVE-2013-0244 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2013-0244
11 Oct 2013 — Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. Cross-site scripting (XSS) en Drupal 6.x anterior a 6.28 y 7.x anterior a 7.19, cuando se ejecuta con versiones anteriores de jQuery que son vulnerables a CVE-2011-4969, que permite a ata... • http://osvdb.org/89306 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 72EXPL: 0CVE-2013-0245 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2013-0245
16 Jul 2013 — The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors. La versión amigable de la funcionalidad de impresión del módulo Book para Drupal no restringe adecuadamente el acceso al nodo del que es parte del esquema del módul... • http://osvdb.org/89305 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 70EXPL: 0CVE-2012-5651 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-5651
03 Jan 2013 — Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results. Drupal v6.x antes de v6.27 y v7.x antes de v7.18 muestra información a los usuarios bloqueados, lo que podría permitir a atacantes remotos obtener información sensible mediante la lectura de los resultados de búsqueda. Multiple vulnerabilities have been been fixed in the Drupal content management framework, resulting in informati... • http://drupal.org/SA-CORE-2012-004 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 36EXPL: 0CVE-2012-5652 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-5652
03 Jan 2013 — Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result. Drupal v6.x antes de v6.27 permite a atacantes remotos obtener información sensible acerca de los archivos subidos a través de un (1) feed RSS o (2) resultados de búsqueda. Multiple vulnerabilities have been been fixed in the Drupal content management framework, resulting in information disclosure, insufficient validation, cross-site scripting and cross-site request fo... • http://drupal.org/SA-CORE-2012-004 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 72EXPL: 2CVE-2012-5653 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-5653
03 Jan 2013 — The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name. La característica de carga de archivos en Drupal v6.x antes de v6.27 y v7.x antes de v7.18 permite a usuarios remotos autenticados eludir el mecanismo de protección y ejecutar código PHP arbitrario a través de un byte nulo en un nombre de archivo. Multiple vulnerabilities have been been fixed in the Drupal co... • http://drupal.org/SA-CORE-2012-004 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 1%CPEs: 79EXPL: 2CVE-2012-2922
https://notcve.org/view.php?id=CVE-2012-2922
21 May 2012 — The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. La función request_path en includes/bootstrap.inc en Drupal v7.14 y anteriores, permite a atacantes remotos obtener información sensible a través del parámetro q[] sobre index.php, lo que revela el path de instalación en un mensaje de error. • http://archives.neohapsis.com/archives/bugtraq/2012-05/0052.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 148EXPL: 3CVE-2007-6752 – Drupal 7.12 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-6752
28 Mar 2012 — Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off. ** DISCUTIDO ** Vulnerabilidad de falsi... • https://www.exploit-db.com/exploits/18564 • CWE-352: Cross-Site Request Forgery (CSRF) •