CVE-2012-2296
https://notcve.org/view.php?id=CVE-2012-2296
The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x, 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a separate vulnerability.
• http://drupal.org/node/1515114
• http://drupal.org/node/1515120
• http://drupal.org/node/1515282
• http://www.openwall.com/lists/oss-security/2012/04/10/12
• http://www.openwall.com/lists/oss-security/2012/05/03/1
• http://www.openwall.com/lists/oss-security/2012/05/03/2
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74616
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-2310
https://notcve.org/view.php?id=CVE-2012-2310
Cross-site scripting (XSS) vulnerability in the cctags module for Drupal 6.x-1.x before 6.x-1.10 and 7.x-1.x before 7.x-1.10 allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors.
• http://drupal.org/node/1508098
• http://drupal.org/node/1508100
• http://drupal.org/node/1558248
• http://secunia.com/advisories/49018
• http://www.openwall.com/lists/oss-security/2012/05/03/1
• http://www.openwall.com/lists/oss-security/2012/05/03/2
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2726
https://notcve.org/view.php?id=CVE-2012-2726
Cross-site scripting (XSS) vulnerability in the Protest module 6.x-1.x before 6.x-1.2 or 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer protest" permission to inject arbitrary web script or HTML via the protest_body parameter.
• http://drupal.org/node/1618090
• http://drupal.org/node/1618092
• http://drupal.org/node/1619856
• http://drupalcode.org/project/protest.git/commitdiff/c85eaed
• http://drupalcode.org/project/protest.git/commitdiff/cf8c543
• http://secunia.com/advisories/49386
• http://www.openwall.com/lists/oss-security/2012/06/14/3
• http://www.osvdb.org/82715
• https://exchange.xforce.ibmcloud.com/vulnerabilities/76126
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2727
https://notcve.org/view.php?id=CVE-2012-2727
Open redirect vulnerability in the Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when synchronizing user data, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
• http://drupal.org/node/1632702
• http://drupal.org/node/1632704
• http://drupal.org/node/1632734
• http://secunia.com/advisories/49480
• http://www.openwall.com/lists/oss-security/2012/06/14/3
• http://www.osvdb.org/82958
• http://www.securityfocus.com/bid/53992
• https://exchange.xforce.ibmcloud.com/vulnerabilities/76292
• CWE-20: Improper Input Validation
CVE-2012-2722
https://notcve.org/view.php?id=CVE-2012-2722
The node selection interface in the WYSIWYG editor (CKEditor) in the Node Embed module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.0 for Drupal does not properly check permissions, which allows remote attackers to bypass intended access restrictions and read node titles.
• http://drupal.org/node/1618428
• http://drupal.org/node/1618430
• http://drupal.org/node/1619824
• http://drupalcode.org/project/node_embed.git/commitdiff/7a2296c
• http://drupalcode.org/project/node_embed.git/commitdiff/d06f022
• http://secunia.com/advisories/48348
• http://www.openwall.com/lists/oss-security/2012/06/14/3
• http://www.osvdb.org/82735
• http://www.securityfocus.com/bid/53835
• https://exchange.xforce.ibmcloud.com/vulnerabilities/76148
• CWE-264: Permissions, Privileges, and Access Controls