CVSS: 5.0EPSS: 1%CPEs: 8EXPL: 1CVE-2012-2702
https://notcve.org/view.php?id=CVE-2012-2702
The Ubercart Product Keys module 6.x-1.x before 6.x-1.1 for Drupal does not properly check access for product keys, which allows remote attackers to read all unassigned product keys via certain conditions related to the uid. El módulo Ubercart Product Keys v6.x-1.x anterior a v6.x-1.1 para Drupal no comprueba correctamente el acceso a las claves, lo que permite a atacantes remotos leer todas las claves del producto no asignadas a través de ciertas condiciones relacionadas con el uid. • http://drupal.org/node/1580752 http://drupal.org/node/1585532 http://drupalcode.org/project/uc_product_keys.git/commitdiff/19fa261 http://osvdb.org/82005 http://secunia.com/advisories/49169 http://www.openwall.com/lists/oss-security/2012/06/14/3 https://exchange.xforce.ibmcloud.com/vulnerabilities/75720 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.8EPSS: 3%CPEs: 9EXPL: 1CVE-2012-2707
https://notcve.org/view.php?id=CVE-2012-2707
The Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal does not properly exit when users do not have access to package/task nodes, which allows remote attackers to bypass intended access restrictions and edit unauthorized nodes. El módulo Hostmaster (Aegir) v6.x-1.x anterior a v6.x-1.9 para Drupal no se cierra de forma adecuada cuando los usuarios no han accedido a nodos paquete/tarea (package/task), lo que permite a atacantes remotos evitar las restricciones de acceso impuesto y modificar nodos no autorizados. • http://community.aegirproject.org/1.9 http://drupal.org/node/1585658 http://drupal.org/node/1585678 http://drupalcode.org/project/hostmaster.git/commitdiff/8a61101 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.securityfocus.com/bid/53588 https://exchange.xforce.ibmcloud.com/vulnerabilities/75715 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0CVE-2012-2727
https://notcve.org/view.php?id=CVE-2012-2727
Open redirect vulnerability in the Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when synchronizing user data, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. Vulnerabilidad de redirección en el módulo Janrain Capture v6.x-1.0 y 7.x-1.0 para Drupal, al sincronizar los datos del usuario, permite a atacantes remotos redirigir a los usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing a través de una URL en el parámetro destination • http://drupal.org/node/1632702 http://drupal.org/node/1632704 http://drupal.org/node/1632734 http://secunia.com/advisories/49480 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82958 http://www.securityfocus.com/bid/53992 https://exchange.xforce.ibmcloud.com/vulnerabilities/76292 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 1%CPEs: 9EXPL: 2CVE-2012-2722
https://notcve.org/view.php?id=CVE-2012-2722
The node selection interface in the WYSIWYG editor (CKEditor) in the Node Embed module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.0 for Drupal does not properly check permissions, which allows remote attackers to bypass intended access restrictions and read node titles. La interfaz de selección de nodos en el editor WYSIWYG (CKEditor) en Node Embed module v6.x-1.x anterior a v6.x-1.5 y v7.x-1.x, anterior a v7.x-1.0 para Drupal no comprueba correctamente los permisos y permite a atacantes remotos eludir restricciones de acceso y destinados a leer los títulos de los nodos. • http://drupal.org/node/1618428 http://drupal.org/node/1618430 http://drupal.org/node/1619824 http://drupalcode.org/project/node_embed.git/commitdiff/7a2296c http://drupalcode.org/project/node_embed.git/commitdiff/d06f022 http://secunia.com/advisories/48348 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82735 http://www.securityfocus.com/bid/53835 https://exchange.xforce.ibmcloud.com/vulnerabilities/76148 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 2.1EPSS: 0%CPEs: 9EXPL: 1CVE-2012-3800
https://notcve.org/view.php?id=CVE-2012-3800
Cross-site scripting (XSS) vulnerability in og.js in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal, when used with the Vertical Tabs module, allows remote authenticated users to inject arbitrary web script or HTML via vectors related the group title. vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en og.js en el módulo Organic Groups (OG) v6.x-2.x anteriores a v6.x-2.4 para Drupal, permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante vectores relacionados con el título del grupo. • http://drupal.org/node/1619736 http://drupal.org/node/1619810 http://drupalcode.org/project/og.git/commitdiff/d48fef5 http://secunia.com/advisories/49397 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82712 http://www.securityfocus.com/bid/53838 https://exchange.xforce.ibmcloud.com/vulnerabilities/76149 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •