CVSS: 3.6EPSS: 0%CPEs: 11EXPL: 0CVE-2012-5557
https://notcve.org/view.php?id=CVE-2012-5557
The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, does not properly assign roles when there are more than three roles on the site and certain unspecified configurations, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password. El módulo User Read-Only v6.x-1.x antes de v6.x-1.4 y v7.x-1.x antes de v7.x-1.4 para Drupal no asigna roles adecuadamente cuando hay más de tres roles en el sitio y se dan algunas configuraciones no especificadas, lo que podría permitir a usuarios autenticados remotamente ganar privilegios a través de ciertas operaciones, como se demostró con un cambio de contraseña. • http://drupal.org/node/1840038 http://drupal.org/node/1840054 http://drupal.org/node/1840886 http://www.openwall.com/lists/oss-security/2012/11/20/4 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 24EXPL: 0CVE-2012-5552
https://notcve.org/view.php?id=CVE-2012-5552
The Password policy module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to obtain password hashes by sniffing the network, related to "client-side password history checks." El módulo Password policy v6.x-1.x antes de v6.x-1.5 y v7.x-1.x antes de v7.x-1.3 para Drupal permite a atacantes remotos obtener resúmenes de contraseñas esnifando la red, relacionado con "verificación del historial de contraseñas del lado de cliente" • http://drupal.org/node/1828130 http://drupal.org/node/1828142 http://drupal.org/node/1828340 http://www.openwall.com/lists/oss-security/2012/11/20/4 http://www.securityfocus.com/bid/56350 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2012-5542
https://notcve.org/view.php?id=CVE-2012-5542
Cross-site request forgery (CSRF) vulnerability in the Commerce Extra Panes module 7.x-1.x before 7.x-1.1 in Drupal allows remote attackers to hijack the authentication of administrators for requests that enable or disable a Commerce extra panes pane via unspecified vectors related to "the link to reorder items." Vulnerabilidad de falsificación de peticiones en sitios cruzados (CSRF) en el módulo Commerce Extra Panes v7.x-1.x antes de v7.x-1.1 para Drupal permite a atacantes remotos secuestrar la autenticación de administradores para peticiones que activan o desactivan un panel Commerce extra panes a través de vectores no especificados relacionados con "el enlace a la reordenación de elementos" • http://drupal.org/node/1802192 http://drupal.org/node/1802258 http://osvdb.org/85892 http://secunia.com/advisories/50802 http://www.openwall.com/lists/oss-security/2012/11/20/4 http://www.securityfocus.com/bid/55776 https://exchange.xforce.ibmcloud.com/vulnerabilities/79025 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.6EPSS: 0%CPEs: 53EXPL: 0CVE-2012-6065
https://notcve.org/view.php?id=CVE-2012-6065
The OM Maximenu module 6.x-1.43 and earlier for Drupal, when the "Title has PHP" option is enabled, allows remote authenticated users with the "Administer OM Maximenu" permission to execute arbitrary PHP code via a "Link Title," a different vulnerability than CVE-2012-5553. El módulo OM Maximenu v6.x-1.43 y anteriores para Drupal, cuando la opción "Title has PHP" está activada, permite a usuarios autenticados remotamente con permisos "Administer OM Maximenu" ejecutar código PHP de su elección a través de "Link Title", una vulnerabilidad diferente de CVE-2012-5553. • http://drupal.org/node/1834046 http://drupal.org/node/1834048 http://www.madirish.net/551 •
CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 0CVE-2012-5551
https://notcve.org/view.php?id=CVE-2012-5551
Multiple cross-site scripting (XSS) vulnerabilities in the MailChimp module 7.x-2.x before 7.x-2.7 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) a predictable "webhook URL key" and (2) improper sanitization of "Webhook variables from POST requests." Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo MailChimp v7.x-2.x antes de v7.x-2.7 para Drupal permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores relacionados con (1) una "clave URL webhook" predecible y (2) saneamiento incorrecto de "variables Webhook de peticiones POST. • http://drupal.org/node/1821330 http://drupal.org/node/1822166 http://www.openwall.com/lists/oss-security/2012/11/20/4 http://www.securityfocus.com/bid/56234 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •