CVE-2010-3091
https://notcve.org/view.php?id=CVE-2010-3091
29 Sep 2010 — The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. • http://drupal.org/node/880476 • CWE-287: Improper Authentication
CVE-2010-3686
https://notcve.org/view.php?id=CVE-2010-3686
29 Sep 2010 — The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. • http://drupal.org/node/880476 • CWE-287: Improper Authentication
CVE-2010-3685
https://notcve.org/view.php?id=CVE-2010-3685
29 Sep 2010 — The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. • http://drupal.org/node/880476 • CWE-287: Improper Authentication
CVE-2010-3093
https://notcve.org/view.php?id=CVE-2010-3093
21 Sep 2010 — The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue. • http://drupal.org/node/880476 • CWE-264: Permissions, Privileges, and Access Controls
CVE-2010-3094
https://notcve.org/view.php?id=CVE-2010-3094
21 Sep 2010 — Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module. • http://drupal.org/node/880476 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-3092
https://notcve.org/view.php?id=CVE-2010-3092
21 Sep 2010 — The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name. • http://drupal.org/node/880476 • CWE-264: Permissions, Privileges, and Access Controls
CVE-2009-4370
https://notcve.org/view.php?id=CVE-2009-4370
21 Dec 2009 — Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview. • http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-4369
https://notcve.org/view.php?id=CVE-2009-4369
21 Dec 2009 — Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name. • http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-3352
https://notcve.org/view.php?id=CVE-2009-3352
24 Sep 2009 — Multiple unspecified vulnerabilities in the quota_by_role (Quota by role) module for Drupal have unknown impact and attack vectors. • http://drupal.org/node/572852
CVE-2009-2372
https://notcve.org/view.php?id=CVE-2009-2372
08 Jul 2009 — Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature. • http://drupal.org/node/507572 • CWE-94: Improper Control of Generation of Code ('Code Injection')