CVSS: 7.5EPSS: 0%CPEs: 68EXPL: 0CVE-2014-1475
https://notcve.org/view.php?id=CVE-2014-1475
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. El módulo OpenID en Drupal v6.x anterior a v6.30 y v7.x anterior a v7.26 permite a usuarios OpenID remotos autenticarse como otros usuarios a través de vectores no especificados. • http://secunia.com/advisories/56260 http://secunia.com/advisories/56601 http://www.debian.org/security/2014/dsa-2847 http://www.debian.org/security/2014/dsa-2851 http://www.mandriva.com/security/advisories?name=MDVSA-2014:031 http://www.securityfocus.com/bid/64973 https://drupal.org/SA-CORE-2014-001 •
CVSS: 5.1EPSS: 5%CPEs: 78EXPL: 0CVE-2013-6385
https://notcve.org/view.php?id=CVE-2013-6385
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. La API de formularios en Drupal 6.x anteriores a 6.29 y 7.x anteriores a 7.24, cuando es utilizada con módulos no especificados de terceros, ejecuta validación del formulario incluso cuando la validación CSRF ha fallado, lo cual podría permitir a atacantes remotos provocar impacto específico en la aplicación como ejecución de código arbitrario a través de vectores específicos de la aplicación. • http://secunia.com/advisories/56148 http://www.debian.org/security/2013/dsa-2804 http://www.debian.org/security/2013/dsa-2828 http://www.openwall.com/lists/oss-security/2013/11/22/4 https://drupal.org/SA-CORE-2013-003 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 0%CPEs: 78EXPL: 0CVE-2013-6386
https://notcve.org/view.php?id=CVE-2013-6386
Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. Drupal 6.x anteriores a 6.29 y 7.x anteriores a 7.24 utilizan la función de PHP mt_rand para generar números aleatorios, la cual usa semillas predecibles y permite a atacantes remotos predecir cadenas de seguridad y sortear restricciones intencionadas a través de ataques de fuerza bruta. • http://secunia.com/advisories/56148 http://www.debian.org/security/2013/dsa-2804 http://www.debian.org/security/2013/dsa-2828 http://www.openwall.com/lists/oss-security/2013/11/22/4 https://drupal.org/SA-CORE-2013-003 • CWE-310: Cryptographic Issues •
CVSS: 2.6EPSS: 0%CPEs: 72EXPL: 0CVE-2013-0244
https://notcve.org/view.php?id=CVE-2013-0244
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. Cross-site scripting (XSS) en Drupal 6.x anterior a 6.28 y 7.x anterior a 7.19, cuando se ejecuta con versiones anteriores de jQuery que son vulnerables a CVE-2011-4969, que permite a atacantes remotos inyectar secuencias de comandos web o HTML a través vectores que involucran funciones Javascript sin especificar que se utilizan para seleccionar los elementos DOM. • http://osvdb.org/89306 http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html http://seclists.org/fulldisclosure/2013/Jan/120 http://seclists.org/oss-sec/2013/q1/211 http://www.debian.org/security/2013/dsa-2776 https://drupal.org/SA-CORE-2013-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 54EXPL: 0CVE-2012-0825
https://notcve.org/view.php?id=CVE-2012-0825
Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. Drupal 6.x anterior a la versión 6.23 y 7.x anterior a 7.11 no verifica que la información Attribute Exchange (AX) se firme, lo que permite a atacantes remotos modificar información AX potencialmente sensible sin la detección a través de ataques man-in-the-middle (MITM). • http://openid.net/2011/05/05/attribute-exchange-security-alert http://www.debian.org/security/2013/dsa-2776 https://drupal.org/node/1425084 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •