CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2017-6379
https://notcve.org/view.php?id=CVE-2017-6379
16 Mar 2017 — Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID. Algunos caminos administrativos en Drupal 8.2.x en versiones anteriores a 8.2.7 no incluyeron protección para CSRF. Esto permitiría a un atacante deshabilitar algunos bloques en un sitio. • http://www.securityfocus.com/bid/96919 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 61EXPL: 0CVE-2016-9452
https://notcve.org/view.php?id=CVE-2016-9452
25 Nov 2016 — The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL. El mecanismo de transliteración en Drupal 8.x en versiones anteriores a 8.2.3 permite a atacantes remotos provocar una denegación de servicio a través de una URL manipulada. • http://www.securityfocus.com/bid/94367 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 61EXPL: 0CVE-2016-9450
https://notcve.org/view.php?id=CVE-2016-9450
25 Nov 2016 — The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context. El formulario de reseteo de contraseña de usuario en Drupal 8.x en versiones anteriores a 8.2.3 permite a atacantes remotos llevar a cabo ataques de envenenamiento de caché aprovechando un error para especificar un contexto de caché correcto. • http://www.securityfocus.com/bid/94367 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 4.3EPSS: 0%CPEs: 117EXPL: 0CVE-2016-9449
https://notcve.org/view.php?id=CVE-2016-9449
25 Nov 2016 — The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags. El módulo de taxonomía en Drupal 7.x en versiones anteriores a 7.52 y 8.x en versiones anteriores a 8.2.3 podría permitir a usuarios remotos autenticados obtener información sensible sobre términos de taxonomía aprovechando nomenclatura inconsistente de las etiquetas de consulta de acceso. • http://www.debian.org/security/2016/dsa-3718 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0CVE-2016-7570
https://notcve.org/view.php?id=CVE-2016-7570
03 Oct 2016 — Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes. Drupal 8.x en versiones anteriores a 8.1.10 no valida adecuadamente el permiso para "Administrar comentarios", lo que permite a usuarios remotos autenticados configurar la visibilidad de los comentarios para nodos arbitrarios aprovechando los derechos para editar estos nodos. • http://www.securityfocus.com/bid/93101 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 52EXPL: 0CVE-2016-7571
https://notcve.org/view.php?id=CVE-2016-7571
03 Oct 2016 — Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception. Vulnerabilidad de XSS en Drupal 8.x en versiones anteriores a 8.1.10 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores que involucran una excepción HTTP. • http://www.securityfocus.com/bid/93101 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0CVE-2016-7572
https://notcve.org/view.php?id=CVE-2016-7572
03 Oct 2016 — The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors. La ruta system.temporary en Drupal 8.x en versiones anteriores a 8.1.10 no valida adecuadamente el permiso para "Exportar configuración", lo que permite a usuarios remotos autenticados eludir las restricciones destinadas al acceso y leer una exportación de con... • http://www.securityfocus.com/bid/93101 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 0%CPEs: 105EXPL: 0CVE-2016-6212
https://notcve.org/view.php?id=CVE-2016-6212
09 Sep 2016 — The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors. El módulo Views 7.x-3.x en versiones anteriores a 7.x-3.14 en Drupal 7.x y el módulo Views en Drupal 8.x en versiones anteriores a 8.1.3 podrían permitir a usuarios remotos autenticados eludir restricciones destinadas al acceso y obtener información de Statistic... • http://www.openwall.com/lists/oss-security/2016/07/13/4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 94%CPEs: 21EXPL: 0CVE-2016-5385 – PHP: sets environmental variable based on user supplied Proxy request header
https://notcve.org/view.php?id=CVE-2016-5385
19 Jul 2016 — PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issu... • http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html • CWE-20: Improper Input Validation CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.4EPSS: 0%CPEs: 143EXPL: 0CVE-2016-3164
https://notcve.org/view.php?id=CVE-2016-3164
12 Apr 2016 — Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation. Drupal 6.x en versiones anteriores a 6.38, 7.x en versiones anteriores a 7.43 y 8.x en versiones anteriores a 8.0.4 podría permitir a atacantes remotos llevar a cabo ataques de redirección abierta aprovechando (1) código personalizado o (2) un formulario mostrado en un página de error 4... • http://www.debian.org/security/2016/dsa-3498 •