CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2017-6927
https://notcve.org/view.php?id=CVE-2017-6927
01 Mar 2018 — Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. Las versi... • http://www.securityfocus.com/bid/103138 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6931
https://notcve.org/view.php?id=CVE-2017-6931
01 Mar 2018 — In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module. En las versiones 8.4.x de Drupal ant... • https://www.drupal.org/sa-core-2018-001 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6926
https://notcve.org/view.php?id=CVE-2017-6926
01 Mar 2018 — In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments. En las versiones 8.4.x de Drupal anteriores a la 8.4.5, los usuarios con permisos para publicar comentarios pueden ver contenido y comentarios a los que no tienen acceso... • https://www.drupal.org/sa-core-2018-001 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 71EXPL: 0CVE-2017-6919
https://notcve.org/view.php?id=CVE-2017-6919
20 Apr 2017 — Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests. Drupal 8 en versiones anteriores a 8.2.8 y 8.3 en versiones anteriores a 8.3.1 permite elusión de acceso crítica por usuarios autenticados si el módulo RESTful Web Services (resto) está habilitado y el sitio permite solicitudes PATCH. • http://www.securityfocus.com/bid/97941 •
CVSS: 8.1EPSS: 2%CPEs: 60EXPL: 0CVE-2017-6381
https://notcve.org/view.php?id=CVE-2017-6381
16 Mar 2017 — A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2017-6377
https://notcve.org/view.php?id=CVE-2017-6377
16 Mar 2017 — When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass. Cuando se añade un archivo privado a través del editor en Drupal 8.2.x en versiones anteriores a 8.2.7, el editor no comprobará correctamente el acceso para el archivo que se adjunta, resultando en una elusión de acceso. • http://www.securityfocus.com/bid/96919 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2017-6379
https://notcve.org/view.php?id=CVE-2017-6379
16 Mar 2017 — Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID. Algunos caminos administrativos en Drupal 8.2.x en versiones anteriores a 8.2.7 no incluyeron protección para CSRF. Esto permitiría a un atacante deshabilitar algunos bloques en un sitio. • http://www.securityfocus.com/bid/96919 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 61EXPL: 0CVE-2016-9452
https://notcve.org/view.php?id=CVE-2016-9452
25 Nov 2016 — The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL. El mecanismo de transliteración en Drupal 8.x en versiones anteriores a 8.2.3 permite a atacantes remotos provocar una denegación de servicio a través de una URL manipulada. • http://www.securityfocus.com/bid/94367 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 61EXPL: 0CVE-2016-9450
https://notcve.org/view.php?id=CVE-2016-9450
25 Nov 2016 — The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context. El formulario de reseteo de contraseña de usuario en Drupal 8.x en versiones anteriores a 8.2.3 permite a atacantes remotos llevar a cabo ataques de envenenamiento de caché aprovechando un error para especificar un contexto de caché correcto. • http://www.securityfocus.com/bid/94367 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 4.3EPSS: 0%CPEs: 117EXPL: 0CVE-2016-9449
https://notcve.org/view.php?id=CVE-2016-9449
25 Nov 2016 — The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags. El módulo de taxonomía en Drupal 7.x en versiones anteriores a 7.52 y 8.x en versiones anteriores a 8.2.3 podría permitir a usuarios remotos autenticados obtener información sensible sobre términos de taxonomía aprovechando nomenclatura inconsistente de las etiquetas de consulta de acceso. • http://www.debian.org/security/2016/dsa-3718 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •