CVSS: 6.0EPSS: 0%CPEs: 13EXPL: 0CVE-2008-4789
https://notcve.org/view.php?id=CVE-2008-4789
The validation functionality in the core upload module in Drupal 6.x before 6.5 allows remote authenticated users to bypass intended access restrictions and "attach files to content," related to a "logic error." La funcionalidad de validación del núcleo del módulo de subida en Drupal 6.x anterior a 6.5 permite a un usuario remoto autentificado sobrepasar las restricciones de acceso y "añadir archivos al contenido"; está relacionado con un "error lógico". • http://drupal.org/node/318706 http://secunia.com/advisories/32198 http://www.openwall.com/lists/oss-security/2008/10/21/7 https://exchange.xforce.ibmcloud.com/vulnerabilities/45755 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 15EXPL: 0CVE-2008-4793
https://notcve.org/view.php?id=CVE-2008-4793
The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules. El API del módulo nodo en Drupal 5.x anterior a 5.11 permite a un atacante remoto evitar la validación del nodo, y tiene otros impactos por medio de ataques desconocidos relacionados con los módulos contribuídos. • http://drupal.org/node/318706 http://secunia.com/advisories/32200 http://www.openwall.com/lists/oss-security/2008/10/21/7 https://exchange.xforce.ibmcloud.com/vulnerabilities/45763 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2008-3661
https://notcve.org/view.php?id=CVE-2008-3661
Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. Drupal, probablemente v5.10 y v6.4, no establece el indicador seguro para la cookie de sesión en una sesión https, lo que puede provocar que sea enviada en una petición http y facilitar a los atacantes remotos el capturar la misma. • http://int21.de/cve/CVE-2008-3661-drupal.html http://www.securityfocus.com/archive/1/496575/100/0/threaded http://www.securityfocus.com/bid/31285 https://exchange.xforce.ibmcloud.com/vulnerabilities/45298 •
CVSS: 3.5EPSS: 0%CPEs: 14EXPL: 0CVE-2008-3741
https://notcve.org/view.php?id=CVE-2008-3741
The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML. El filesystem privado de Drupal 5.x versiones anteriores a la 5.10 y 6.x versiones anteriores a la 6.4, confía en el tipo MIME enviado por el navegador, lo cual permite a los usuarios remotos autenticados dirigir ataques de secuencias de comandos en sitios cruzados (XSS) subiendo ficheros que contienen arbitrariamente secuencias de comandos web o HTML. • http://drupal.org/node/295053 http://secunia.com/advisories/31462 http://secunia.com/advisories/31825 http://www.securityfocus.com/bid/30689 http://www.vupen.com/english/advisories/2008/2392 https://bugzilla.redhat.com/show_bug.cgi?id=459108 https://exchange.xforce.ibmcloud.com/vulnerabilities/44446 https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 0CVE-2008-3740
https://notcve.org/view.php?id=CVE-2008-3740
Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el filtro de salida de Drupal 5.x anterior a 5.10 y 6.x anterior a 6.4, permite a atacantes remotos inyectar secuencias de comandos Web o HTML de su elección a través de vectores no especificados. • http://drupal.org/node/295053 http://secunia.com/advisories/31462 http://secunia.com/advisories/31825 http://www.securityfocus.com/bid/30689 http://www.vupen.com/english/advisories/2008/2392 https://bugzilla.redhat.com/show_bug.cgi?id=459108 https://exchange.xforce.ibmcloud.com/vulnerabilities/44445 https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •