CVSS: 7.5EPSS: 7%CPEs: 122EXPL: 0CVE-2014-5265 – WordPress Core < 3.9.2 - Denial of Service via XML
https://notcve.org/view.php?id=CVE-2014-5265
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. La librería Incutio XML-RPC (IXR), utilizada en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.... • http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 77%CPEs: 122EXPL: 2CVE-2014-5266 – WordPress Core < 3.9.2 - Denial of Service via XML #2
https://notcve.org/view.php?id=CVE-2014-5266
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. La libraría Incutio XML-RPC (IXR) , utilizado en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31, no limita el número de elementos en un documento XML, lo que per... • https://packetstorm.news/files/id/180506 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 86EXPL: 0CVE-2014-5019 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5019
22 Jul 2014 — The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use. La funcionalidad múltisitios en Drupal 6.x anterior a 6.32 y 7.x anterior a 7.29 permite a atacantes remotos causar una denegación de servicio a través de una cabecera HTTP Host manipulada, relacionado con determinar qué fichero de configuración utilizar. Updated drupal packages fix multiple security v... • http://www.debian.org/security/2014/dsa-2983 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 45EXPL: 0CVE-2014-5020 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5020
22 Jul 2014 — The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field. El módulo File en Drupal 7.x anterior a 7.29 no comprueba debidamente los permisos para ver ficheros, lo que permite a usuarios remotos autenticados con ciertos permisos evadir las restricciones y leer ficheros al adjuntar el fichero al contenido con un c... • http://www.debian.org/security/2014/dsa-2983 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 0%CPEs: 86EXPL: 0CVE-2014-5021 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5021
22 Jul 2014 — Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label. Vulnerabilidad de XSS en la API Form en Drupal 6.x anterior a 6.32 y posiblemente 7.x anterior a 7.29 permite a usuarios remotos autenticados con el permiso 'administrar taxonomía' inyectar secuencias de comandos web o HTML arbitrarios a través de una etique... • http://www.debian.org/security/2014/dsa-2983 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 45EXPL: 0CVE-2014-5022 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5022
22 Jul 2014 — Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field. Vulnerabilidad de XSS en el sistema Ajax en Drupal 7.x anterior a 7.29 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores involucrando formas con un campo de texto habilitado por Ajax y un campo de fichero. Updated drupal packages fi... • http://www.debian.org/security/2014/dsa-2983 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 1%CPEs: 12EXPL: 0CVE-2013-4177
https://notcve.org/view.php?id=CVE-2013-4177
29 May 2014 — The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors. El módulo de inicio de sesión de Google Authenticator 6.x-1.x anterior a 6.x-1.2 y 7.x-1.x anterior a 7.x-1.4 para Drupal no identifica debidamente nombres de cuentas de usuarios, lo que podría permitir a atacantes remotos evadir el requisito de autentic... • http://www.securityfocus.com/bid/59884 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 0CVE-2013-4178
https://notcve.org/view.php?id=CVE-2013-4178
29 May 2014 — The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP). El módulo de inicio de sesión de Google Authenticator 6.x-1.x anterior a 6.x-1.2 y 7.x-1.x anterior a 7.x-1.4 para Drupal permite a atacantes remotos obtener acceso mediante la reproducción del nombre de usuario, la contraseña y la contraseña de un solo uso (OTP). • http://www.securityfocus.com/bid/59884 • CWE-287: Improper Authentication •
CVSS: 5.4EPSS: 0%CPEs: 59EXPL: 0CVE-2013-4380
https://notcve.org/view.php?id=CVE-2013-4380
20 May 2014 — Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer mediafront" permission to inject arbitrary web script or HTML via the preset settings. Vulnerabilidad de XSS en el módulo MediaFront 6.x-1.x anterior a 6.x-1.6, 7.x-1.x anterior a 7.x-1.6 y 7.x-2.x anterior a 7.x-2.1 para Drupal permite a usuarios remotos autenticados con el permiso 'administrar mediafro... • http://www.openwall.com/lists/oss-security/2013/09/27/6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 19EXPL: 0CVE-2013-4502
https://notcve.org/view.php?id=CVE-2013-4502
13 May 2014 — The FileField Sources module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.9 for Drupal does not properly check file permissions, which allows remote authenticated users to read arbitrary files by attaching a file. El módulo FileField Sources 6.x-1.x anterior a 6.x-1.9 y 7.x-1.x anterior a 7.x-1.9 para Drupal no comprueba debidamente permisos de archivos, lo que permite a usuarios remotos autenticados leer archivos arbitrarios al ajuntar un archivo. • http://seclists.org/oss-sec/2013/q4/210 • CWE-264: Permissions, Privileges, and Access Controls •