CVSS: 9.8EPSS: 0%CPEs: 39EXPL: 0CVE-2013-4445
https://notcve.org/view.php?id=CVE-2013-4445
07 Dec 2013 — The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access. La funcionalidad de renderización de json en el módulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para Drupal utiliza el esquema de tokens de Drupal para re... • http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 1%CPEs: 39EXPL: 0CVE-2013-4446
https://notcve.org/view.php?id=CVE-2013-4446
07 Dec 2013 — The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. La función _json_decode en plugins/context_reaction_block.inc en el módulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para... • http://drupalcode.org/project/context.git/commitdiff/63ef4d9 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 4%CPEs: 78EXPL: 0CVE-2013-6385 – Debian Security Advisory 2828-1
https://notcve.org/view.php?id=CVE-2013-6385
27 Nov 2013 — The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. La API de formularios en Drupal 6.x anteriores a 6.29 y 7.x anteriores a 7.24, cuando es utilizada con módulos no especificados de terceros, ejecuta validación del formulario incluso cuando la valida... • http://secunia.com/advisories/56148 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 78EXPL: 0CVE-2013-6386 – Debian Security Advisory 2828-1
https://notcve.org/view.php?id=CVE-2013-6386
27 Nov 2013 — Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. Drupal 6.x anteriores a 6.29 y 7.x anteriores a 7.24 utilizan la función de PHP mt_rand para generar números aleatorios, la cual usa semillas predecibles y permite a atacantes remotos predecir cadenas de seguridad y sortear restricciones intencionadas a través de ata... • http://secunia.com/advisories/56148 • CWE-310: Cryptographic Issues •
CVSS: 6.1EPSS: 0%CPEs: 72EXPL: 0CVE-2013-0244 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2013-0244
11 Oct 2013 — Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. Cross-site scripting (XSS) en Drupal 6.x anterior a 6.28 y 7.x anterior a 7.19, cuando se ejecuta con versiones anteriores de jQuery que son vulnerables a CVE-2011-4969, que permite a ata... • http://osvdb.org/89306 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 54EXPL: 0CVE-2012-0825 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-0825
11 Oct 2013 — Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. Drupal 6.x anterior a la versión 6.23 y 7.x anterior a 7.11 no verifica que la información Attribute Exchange (AX) se firme, lo que permite a atacantes remotos modificar información AX potencialmente sensible sin la detección a través de ataques man-in-the-middle (MI... • http://openid.net/2011/05/05/attribute-exchange-security-alert • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 59EXPL: 0CVE-2012-0826 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-0826
11 Oct 2013 — Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors. Vulnerabilidad de Cross-site request forgery (CSRF) en el modulo Aggregator en Drupal 6.x anterior a 6.23 y 7.x anterior a 7.11 permite a atacantes remotos secuestrar la autenticación de... • http://www.debian.org/security/2013/dsa-2776 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.1EPSS: 0%CPEs: 5EXPL: 0CVE-2013-4379
https://notcve.org/view.php?id=CVE-2013-4379
09 Oct 2013 — The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to bypass intended access restrictions for a poll via a direct request to the node's URL instead of the hashed URL. El módulo Make Meeting Scheduler 6.x-1.x anterior a la versión 6.x-1.3 para Drupal permite a atacantes remotos evadir restricciones de acceso de una encuesta a través de una petición directa a la URL del nodo en lugar the la URL hash. • http://secunia.com/advisories/54634 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 20EXPL: 0CVE-2013-4384
https://notcve.org/view.php?id=CVE-2013-4384
09 Oct 2013 — Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google API. Vulnerabilidad de XSS en el módulo Google Site Search 6.x-1.x anterior a la versión 6.x-1.4 y 7.x-1.x anterior a 7.x-1.10 para Drupal permite a atacantes remotos inyectar script web arbitrario o HTML, provocando que datos diseñados sean devueltos por la API d... • http://osvdb.org/97503 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2013-5937
https://notcve.org/view.php?id=CVE-2013-5937
25 Sep 2013 — Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete database information via vectors involving the Drupal Form API. Vulnerabilidad CSRF en el módulo Click2Sell Suite v6.x-1.x para Drupal permite a atacantes remotos secuestrar la autenticación de administradores para peticiones que eliminen información de la base de datos a través de vectores que involucran la API Drup... • http://osvdb.org/97203 • CWE-352: Cross-Site Request Forgery (CSRF) •