CVE-2012-1660
https://notcve.org/view.php?id=CVE-2012-1660
Multiple cross-site scripting (XSS) vulnerabilities in components/select.inc in the Webform module 6.x-3.x before 6.x-3.17 and 7.x-3.x before 7.x-3.17 for Drupal, when the "Select (or other)" module is enabled, allow remote authenticated users with the create webform content permission to inject arbitrary web script or HTML via vectors related to (1) checkboxes or (2) radios.
• http://drupal.org/node/1472178
• http://drupal.org/node/1472180
• http://drupal.org/node/1472214
• http://drupalcode.org/project/webform.git/commit/90af819
• http://drupalcode.org/project/webform.git/commit/917fa91
• http://secunia.com/advisories/48310
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.osvdb.org/79852
• http://www.securityfocus.com/bid/52345
• https://exchange.xforce.ibmcloud.com/vulnerabilities/73779
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2069
https://notcve.org/view.php?id=CVE-2012-2069
Cross-site request forgery (CSRF) vulnerability in the Wishlist module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.6 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via the (1) wl_reveal or (2) q parameters.
• http://drupal.org/node/1483634
• http://drupal.org/node/1483636
• http://drupal.org/node/1492624
• http://drupalcode.org/project/wishlist.git/commit/6660c33
• http://drupalcode.org/project/wishlist.git/commit/73aaf98
• http://secunia.com/advisories/48486
• http://www.madirish.net/content/drupal-wishlist-6x-24-xss-vulnerability
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.securityfocus.com/bid/52660
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2012-2064
https://notcve.org/view.php?id=CVE-2012-2064
Cross-site scripting (XSS) vulnerability in theme/views_lang_switch.theme.inc in the Views Language Switcher module before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via the q parameter.
• http://drupal.org/node/1482420
• http://drupalcode.org/project/views_lang_switch.git/commit/c27c318
• http://secunia.com/advisories/48355
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.osvdb.org/80071
• http://www.securityfocus.com/bid/52497
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2063
https://notcve.org/view.php?id=CVE-2012-2063
The Slidebox module before 7.x-1.4 for Drupal does not properly check permissions, which allows remote attackers to obtain sensitive information via unspecified vectors.
• http://drupal.org/node/1482166
• http://drupal.org/node/1482342
• http://drupalcode.org/project/slidebox.git/commit/3dae144
• http://secunia.com/advisories/48360
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.securityfocus.com/bid/52500
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74067
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2012-2067
https://notcve.org/view.php?id=CVE-2012-2067
Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information.
• http://drupal.org/node/1482442
• http://drupal.org/node/1482466
• http://drupal.org/node/1482480
• http://drupal.org/node/1482528
• http://secunia.com/advisories/48435
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.osvdb.org/80080
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74037