Page 6 of 33 results (0.014 seconds)

CVSS: 5.8EPSS: 0%CPEs: 14EXPL: 0

Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en Drupal 5.x versiones anteriores a 5.10 y 6.x versiones anteriores a 6.4 permiten a atacantes remotos (1) añadir o (2) borrar reglas de acceso de usuarios como administradores a través de una URL sin especificar. • http://drupal.org/node/295053 http://secunia.com/advisories/31462 http://secunia.com/advisories/31825 http://www.securityfocus.com/bid/30689 http://www.vupen.com/english/advisories/2008/2392 https://bugzilla.redhat.com/show_bug.cgi?id=459108 https://exchange.xforce.ibmcloud.com/vulnerabilities/44448 https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.5EPSS: 1%CPEs: 14EXPL: 0

Unrestricted file upload vulnerability in the BlogAPI module in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, which is not validated. Vulnerabilidad de subida de ficheros sin restricción en el módulo BlogAPI de Drupal 5.x anterior a 5.10 y 6.x anterior a 6.4, permite a a usuarios autenticados en remotos ejecutar código de su elección mediante la subida de un fichero con la extensión de un ejecutable, lo cual no es validado. • http://drupal.org/node/295053 http://secunia.com/advisories/31462 http://secunia.com/advisories/31825 http://www.securityfocus.com/bid/30689 http://www.vupen.com/english/advisories/2008/2392 https://bugzilla.redhat.com/show_bug.cgi?id=459108 https://exchange.xforce.ibmcloud.com/vulnerabilities/44447 https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 3.5EPSS: 0%CPEs: 14EXPL: 0

The private filesystem in Drupal 5.x before 5.10 and 6.x before 6.4 trusts the MIME type sent by a web browser, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading files containing arbitrary web script or HTML. El filesystem privado de Drupal 5.x versiones anteriores a la 5.10 y 6.x versiones anteriores a la 6.4, confía en el tipo MIME enviado por el navegador, lo cual permite a los usuarios remotos autenticados dirigir ataques de secuencias de comandos en sitios cruzados (XSS) subiendo ficheros que contienen arbitrariamente secuencias de comandos web o HTML. • http://drupal.org/node/295053 http://secunia.com/advisories/31462 http://secunia.com/advisories/31825 http://www.securityfocus.com/bid/30689 http://www.vupen.com/english/advisories/2008/2392 https://bugzilla.redhat.com/show_bug.cgi?id=459108 https://exchange.xforce.ibmcloud.com/vulnerabilities/44446 https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 14EXPL: 0

Cross-site scripting (XSS) vulnerability in the output filter in Drupal 5.x before 5.10 and 6.x before 6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el filtro de salida de Drupal 5.x anterior a 5.10 y 6.x anterior a 6.4, permite a atacantes remotos inyectar secuencias de comandos Web o HTML de su elección a través de vectores no especificados. • http://drupal.org/node/295053 http://secunia.com/advisories/31462 http://secunia.com/advisories/31825 http://www.securityfocus.com/bid/30689 http://www.vupen.com/english/advisories/2008/2392 https://bugzilla.redhat.com/show_bug.cgi?id=459108 https://exchange.xforce.ibmcloud.com/vulnerabilities/44445 https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00259.html https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00508.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0

The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism. La función filter_xss_admin en versiones de Drupal 5.X anteriores a la 5.8 y 6.X anteriores a la 6.3 no "impide la utilización del objeto etiqueta HTML en la entrada de administrador" lo cual tiene un impacto desconocido y vectores de ataque, probablemente relacionados con un mecanismo de protección insuficiente de cross-site scripting (XSS). • http://drupal.org/node/280571 http://secunia.com/advisories/31079 http://www.openwall.com/lists/oss-security/2008/07/10/3 http://www.securityfocus.com/bid/30168 https://bugzilla.redhat.com/show_bug.cgi?id=454849 https://exchange.xforce.ibmcloud.com/vulnerabilities/43701 https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00016.html https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00527.html https://www.redhat.com/archives/fedora-package-announce& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •