CVE-2012-0825
https://notcve.org/view.php?id=CVE-2012-0825
Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. Drupal 6.x anterior a la versión 6.23 y 7.x anterior a 7.11 no verifica que la información Attribute Exchange (AX) se firme, lo que permite a atacantes remotos modificar información AX potencialmente sensible sin la detección a través de ataques man-in-the-middle (MITM). • http://openid.net/2011/05/05/attribute-exchange-security-alert http://www.debian.org/security/2013/dsa-2776 https://drupal.org/node/1425084 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2013-0244
https://notcve.org/view.php?id=CVE-2013-0244
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. Cross-site scripting (XSS) en Drupal 6.x anterior a 6.28 y 7.x anterior a 7.19, cuando se ejecuta con versiones anteriores de jQuery que son vulnerables a CVE-2011-4969, que permite a atacantes remotos inyectar secuencias de comandos web o HTML a través vectores que involucran funciones Javascript sin especificar que se utilizan para seleccionar los elementos DOM. • http://osvdb.org/89306 http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html http://seclists.org/fulldisclosure/2013/Jan/120 http://seclists.org/oss-sec/2013/q1/211 http://www.debian.org/security/2013/dsa-2776 https://drupal.org/SA-CORE-2013-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-0245
https://notcve.org/view.php?id=CVE-2013-0245
The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors. La versión amigable de la funcionalidad de impresión del módulo Book para Drupal no restringe adecuadamente el acceso al nodo del que es parte del esquema del módulo Book, lo que permite a usuarios autenticados remotamente con acceso a esta aplicación, permiso de lectura sobre los títulos y posiblemente al contenido del nodo a través de vectores no especificados. • http://osvdb.org/89305 http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html http://seclists.org/fulldisclosure/2013/Jan/120 http://seclists.org/oss-sec/2013/q1/211 http://secunia.com/advisories/51717 http://www.debian.org/security/2013/dsa-2776 https://drupal.org/SA-CORE-2013-001 https://exchange.xforce.ibmcloud.com/vulnerabilities/81380 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-5651
https://notcve.org/view.php?id=CVE-2012-5651
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results. Drupal v6.x antes de v6.27 y v7.x antes de v7.18 muestra información a los usuarios bloqueados, lo que podría permitir a atacantes remotos obtener información sensible mediante la lectura de los resultados de búsqueda. • http://drupal.org/SA-CORE-2012-004 http://drupalcode.org/project/drupal.git/commitdiff/b47f95d http://drupalcode.org/project/drupal.git/commitdiff/da8023a http://www.debian.org/security/2013/dsa-2776 http://www.mandriva.com/security/advisories?name=MDVSA-2013:074 http://www.openwall.com/lists/oss-security/2012/12/20/1 http://www.osvdb.org/88528 http://www.securityfocus.com/bid/56993 https://exchange.xforce.ibmcloud.com/vulnerabilities/80792 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-5652
https://notcve.org/view.php?id=CVE-2012-5652
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result. Drupal v6.x antes de v6.27 permite a atacantes remotos obtener información sensible acerca de los archivos subidos a través de un (1) feed RSS o (2) resultados de búsqueda. • http://drupal.org/SA-CORE-2012-004 http://drupalcode.org/project/drupal.git/commitdiff/da8023a http://osvdb.org/88527 http://secunia.com/advisories/51517 http://www.debian.org/security/2013/dsa-2776 http://www.openwall.com/lists/oss-security/2012/12/20/1 http://www.securityfocus.com/bid/56993 https://exchange.xforce.ibmcloud.com/vulnerabilities/80794 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •