CVSS: 9.8EPSS: 0%CPEs: 72EXPL: 2CVE-2012-5653 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-5653
03 Jan 2013 — The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name. La característica de carga de archivos en Drupal v6.x antes de v6.27 y v7.x antes de v7.18 permite a usuarios remotos autenticados eludir el mecanismo de protección y ejecutar código PHP arbitrario a través de un byte nulo en un nombre de archivo. Multiple vulnerabilities have been been fixed in the Drupal co... • http://drupal.org/SA-CORE-2012-004 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2012-4484
https://notcve.org/view.php?id=CVE-2012-4484
31 Oct 2012 — Cross-site scripting (XSS) vulnerability in the administrative interface in the Campaign Monitor module before 6.x-2.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site). Vulnerabilidad Cross-Site Scripting (XSS) en la interfaz administrativa en el módulo Campaign Monitor en versione... • http://drupal.org/node/1689790 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 84EXPL: 1CVE-2012-1641
https://notcve.org/view.php?id=CVE-2012-1641
28 Aug 2012 — The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finder/import. La función finder_import en el módulo Finder v6.x-1.x anterior a v6.x-1.26, v7.x-1.x, y v7.x-2.x anterior a v7.x-2.0-alpha8 para Drupal permite a usuarios remotos autenticados con permisos de administración del finder ejecutar código PHP arbitrario a t... • http://drupal.org/node/1432318 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 0%CPEs: 8EXPL: 1CVE-2012-2711
https://notcve.org/view.php?id=CVE-2012-2711
27 Jun 2012 — Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy List module 6.x-1.x before 6.x-1.4 for Drupal allow remote authenticated users with create or edit taxonomy terms permissions to inject arbitrary web script or HTML via vectors related to taxonomy information. vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Taxonomy List v6.x-1.x anterior a v6.x-1.4 para Drupal, permite a usuarios remotos autenticados, con permisos para crear o editar términos de ... • http://drupal.org/node/1595396 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2012-2716
https://notcve.org/view.php?id=CVE-2012-2716
21 Jun 2012 — Cross-site request forgery (CSRF) vulnerability in the Comment Moderation module 6.x-1.x before 6.x-1.1 for Drupal allows remote attackers to hijack the authentication of administrators for requests that publish comments. Una vulnerabilidad de falsificación de peticiones en sitios cruzados(CSRF) en el módulo 'Comment Moderation' v6.x-1.x antes de v6.x-1.1 para Drupal permite a atacantes remotos secuestrar la autentificación de los administradores en las solicitudes que publican comentarios. • http://drupal.org/node/1538768 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 79EXPL: 2CVE-2012-2922
https://notcve.org/view.php?id=CVE-2012-2922
21 May 2012 — The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. La función request_path en includes/bootstrap.inc en Drupal v7.14 y anteriores, permite a atacantes remotos obtener información sensible a través del parámetro q[] sobre index.php, lo que revela el path de instalación en un mensaje de error. • http://archives.neohapsis.com/archives/bugtraq/2012-05/0052.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 1%CPEs: 148EXPL: 3CVE-2007-6752 – Drupal 7.12 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-6752
28 Mar 2012 — Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off. ** DISCUTIDO ** Vulnerabilidad de falsi... • https://www.exploit-db.com/exploits/18564 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 35EXPL: 0CVE-2012-1056
https://notcve.org/view.php?id=CVE-2012-1056
14 Feb 2012 — The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal does not properly enforce permissions for (1) Recent forwards, (2) Most forwarded, or (3) Dynamic blocks, which allows remote attackers to obtain node titles via unspecified vectors. El módulo Forward v6.x-1.x anterior a v6.x-1.21 y v7.x-1.x anterior a v7.x-1.3 para Drupal no aplica correctamente los permisos para (1) reenvíos 'Recent' (2) enviado 'Most', o (3) bloques 'Dynamic', lo que permite a atacantes remotos obtener títul... • http://drupal.org/node/1423722 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 0%CPEs: 35EXPL: 0CVE-2012-1057
https://notcve.org/view.php?id=CVE-2012-1057
14 Feb 2012 — Cross-site request forgery (CSRF) vulnerability in the clickthrough tracking functionality in the Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that increase node rankings via the tracking code, possibly related to improper "flood control." Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en la funcionalidad 'clickthrough tracking' en el módulo Forward v6.x-1.x anterior a v... • http://drupal.org/node/1423722 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2010-4775
https://notcve.org/view.php?id=CVE-2010-4775
23 Mar 2011 — The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships. El módulo Relevant Content v5.x anteriores a v5.x-1.4 y v6.x anteriores a v6.x-1.5 para Drupal no aplica adecuadamente la lógica de acceso a nodo, lo que permite a atacantes remotos a descubrir títulos de nodos restringidos y relaciones. • http://drupal.org/node/974668 • CWE-20: Improper Input Validation •