CVE-2009-5096
https://notcve.org/view.php?id=CVE-2009-5096
Cross-site scripting (XSS) vulnerability in the Flag Content module 5.x-2.x before 5.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Reason parameter. Una vulnerabilidad de ejecución de comandos en sitios cruzados(XSS) en el módulo 'Flag Content' v5.x-2.x antes de v5.x-2.10 para Drupal permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro 'Reason'. • http://drupal.org/node/610868 http://drupal.org/node/610870 http://osvdb.org/59119 http://secunia.com/advisories/37124 http://www.securityfocus.com/bid/36785 http://www.vupen.com/english/advisories/2009/2999 https://exchange.xforce.ibmcloud.com/vulnerabilities/53900 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-4775
https://notcve.org/view.php?id=CVE-2010-4775
The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships. El módulo Relevant Content v5.x anteriores a v5.x-1.4 y v6.x anteriores a v6.x-1.5 para Drupal no aplica adecuadamente la lógica de acceso a nodo, lo que permite a atacantes remotos a descubrir títulos de nodos restringidos y relaciones. • http://drupal.org/node/974668 http://drupal.org/node/974672 http://drupal.org/node/975094 http://osvdb.org/69368 http://secunia.com/advisories/42228 http://www.securityfocus.com/bid/44932 https://exchange.xforce.ibmcloud.com/vulnerabilities/63331 • CWE-20: Improper Input Validation •
CVE-2010-4519
https://notcve.org/view.php?id=CVE-2010-4519
Multiple cross-site request forgery (CSRF) vulnerabilities in the Views UI implementation in the Views module 5.x before 5.x-1.8 and 6.x before 6.x-2.11 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable all Views or (2) disable all Views. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en la implementación de Views UI en el módulo Views v5.x anterior v5.x-1.8 y v6.x anterior v6.x-2.11 para Drupal permite a atacantes remotos secuestar la autenticación de administradores para peticiones que (1) activa todas las Views (2) inactiva todas Views. • http://drupal.org/node/829840 http://www.openwall.com/lists/oss-security/2010/12/16/7 http://www.openwall.com/lists/oss-security/2010/12/22/1 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2010-3685
https://notcve.org/view.php?id=CVE-2010-3685
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. El módulo de OpenID en Drupal v6.x antes de v6.18, y el módulo de OpenID v5.x antes de v5.x-1.4 para Drupal, viola el protocolo OpenID v2.0, al no comprobar la reutilización de los valores openid.response_nonce, lo cual permite a atacantes remotos evitar la autenticación mediante el aprovechamiento de una afirmación de un proveedor de OpenID. • http://drupal.org/node/880476 http://drupal.org/node/880480 http://marc.info/?l=oss-security&m=128418560705305&w=2 http://marc.info/?l=oss-security&m=128440896914512&w=2 http://www.debian.org/security/2010/dsa-2113 http://www.securityfocus.com/bid/42388 • CWE-287: Improper Authentication •
CVE-2010-3686
https://notcve.org/view.php?id=CVE-2010-3686
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. El módulo de OpenID en Drupal v6.x antes de v6.18, y el módulo de OpenID v5.x antes de v5.x-1.4 para Drupal, viola el protocolo OpenID v2.0, al no garantizar que los campos están firmados, lo cual permite a atacantes remotos evitar la autenticación mediante el aprovechamiento de una afirmación de un proveedor de OpenID. • http://drupal.org/node/880476 http://drupal.org/node/880480 http://marc.info/?l=oss-security&m=128418560705305&w=2 http://marc.info/?l=oss-security&m=128440896914512&w=2 http://www.debian.org/security/2010/dsa-2113 http://www.securityfocus.com/bid/42388 • CWE-287: Improper Authentication •