CVSS: 6.4EPSS: 0%CPEs: 22EXPL: 0CVE-2012-1635
https://notcve.org/view.php?id=CVE-2012-1635
The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the current user even when it is called to check permissions of other users, which allows remote attackers to bypass intended access restrictions, as demonstrated when using the XML sitemap module to obtain sensitive information about unpublished content. La funcion hook_node_access en el módulo revisioning v7.x-1.x anterior a v7.x-1.3 para Drupal comprueba los permisos del usuario actual, incluso cuando se le llama para comprobar los permisos de otros usuarios, lo que permite a atacantes remotos evitar las restricciones de acceso, como se demuestra cuando se utiliza el módulo XML Sitemap para obtener información sensible acerca del contenido publicado. • http://drupal.org/node/1407456 http://www.openwall.com/lists/oss-security/2012/04/07/1 https://drupal.org/node/1409268 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 2.6EPSS: 0%CPEs: 3EXPL: 0CVE-2012-1645
https://notcve.org/view.php?id=CVE-2012-1645
The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin Pull mode with the "Far Future expiration" option enabled, allows remote attackers to read arbitrary PHP files via unspecified vectors, as demonstrated by reading settings.php. El módulo CDN v6.x-2.2 y v7.x-2.2 para Drupal, cuando está en ejecución en modo Origin Pull con la opción "Far Future expiration" habilitada, permite a atacantes remotos leer ficheros PHP de su elección a través de vectores no especificados, como se ha demostrado leyendo settings.php. • http://drupal.org/node/1441480 http://drupal.org/node/1441482 http://drupalcode.org/project/cdn.git/commitdiff/cd2a5ff http://drupalcode.org/project/cdn.git/commitdiff/eca85e6 http://secunia.com/advisories/48032 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.osvdb.org/79317 https://drupal.org/node/1441502 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.0EPSS: 0%CPEs: 3EXPL: 0CVE-2012-2073
https://notcve.org/view.php?id=CVE-2012-2073
The Bundle copy module 7.x-1.x before 7.x-1.1 for Drupal does not check for the "use PHP for settings" permission while importing settings, which allows remote authenticated users with certain permissions to execute arbitrary PHP code via unspecified vectors. El módulo de copia Bundle v7.x-1.x antes de v7.x-1.1 para Drupal no comprueba el permiso de uso de PHP para la configuración ('use PHP for settings') cuando importa una configuración, lo que permite ejecutar código PHP de su elección a usuarios remotos autenticados con determinados permisos a través de vectores no especificados. • http://drupal.org/node/1506166 http://drupal.org/node/1506420 http://drupalcode.org/project/bundle_copy.git/commit/299bdca http://osvdb.org/80676 http://secunia.com/advisories/48626 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/52811 https://exchange.xforce.ibmcloud.com/vulnerabilities/74439 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 2.1EPSS: 0%CPEs: 9EXPL: 1CVE-2012-2070
https://notcve.org/view.php?id=CVE-2012-2070
Cross-site scripting (XSS) vulnerability in the MultiBlock module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer blocks permission to inject arbitrary web script or HTML via the block title. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en el módulo MultiBlock v6.x-1.x antes de v6.x-1.4 y v7.x v1.x, antes v7.x-1.1 para Drupal permite inyectar secuencias de comandos web o HTML a usuarios remotos autenticados con permiso para administrar los bloques a través del bloque de título. • http://drupal.org/node/1505410 http://drupal.org/node/1505414 http://drupal.org/node/1506390 http://drupalcode.org/project/multiblock.git/commit/2c5177b http://drupalcode.org/project/multiblock.git/commit/aee07d3 http://osvdb.org/80673 http://secunia.com/advisories/48588 http://www.madirish.net/content/drupal-multiblock-6x-13-xss-vulnerability http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/52800 https://exchange.xforce.ibmcloud.c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.1EPSS: 0%CPEs: 5EXPL: 0CVE-2012-2076
https://notcve.org/view.php?id=CVE-2012-2076
Cross-site scripting (XSS) vulnerability in the administration forms in the ShareThis module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with administer sharethis permissions to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en los formularios de administración del módulo ShareThis v7.x-2.x antes de v7.x-2.3 para Drupal permite inyectar secuencias de comandos web o HTML a usuarios remotos autenticados con permisos de adminitración de ShareThis a través de vectores no especificados. • http://drupal.org/node/1504746 http://drupal.org/node/1506448 http://drupalcode.org/project/sharethis.git/commit/11f247a http://osvdb.org/80670 http://secunia.com/advisories/48598 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/52778 https://exchange.xforce.ibmcloud.com/vulnerabilities/74516 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •