CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 0CVE-2013-4504
https://notcve.org/view.php?id=CVE-2013-4504
13 May 2014 — The Monster Menus module 7.x-1.x before 7.x-1.15 allows remote attackers to read arbitrary node comments via a crafted URL. El módulo Monster Menus 7.x-1.x anterior a 7.x-1.15 permite a atacantes remotos leer comentarios de nodo arbitrarios a través de una URL manipulada. • http://seclists.org/oss-sec/2013/q4/210 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.1EPSS: 0%CPEs: 45EXPL: 0CVE-2013-7302
https://notcve.org/view.php?id=CVE-2013-7302
29 Apr 2014 — Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID. Vulnerabilidad de fijación de sesión en el módulo Ubercart 6.x-2.x anterior a 6.x-2.13 y 7.x-3.x anterior a 7.x-3.6 para Drupal, cuando la opción "Registrar clientes nuevos después de comprobación" está habilitada, permite a ataca... • https://drupal.org/node/2158565 • CWE-287: Improper Authentication •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2983 – Debian Security Advisory 2913-1
https://notcve.org/view.php?id=CVE-2014-2983
23 Apr 2014 — Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. Drupal 6.x anterior a 6.31 y 7.x anterior a 7.27 no aísla debidamente los datos en caché de usuarios anónimos diferentes, lo que permite a usuarios remotos anónimos obtener información sensible de entradas de formularios parciales en situaciones oportunista... • http://www.debian.org/security/2014/dsa-2913 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2013-1946
https://notcve.org/view.php?id=CVE-2013-1946
06 Apr 2014 — The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache." El módulo RESTful Web Services (RESTWS) 7.x-1.x anterior a 7.x-1.3 y 7.x-2.x anterior a 7.x-2.0-alpha5 para Drupal, cuando el cacheo de la página está... • http://www.openwall.com/lists/oss-security/2013/04/12/1 • CWE-20: Improper Input Validation •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2013-4383
https://notcve.org/view.php?id=CVE-2013-4383
31 Jan 2014 — Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en el módulo jQuery Countdown 7.x-1.x anterior a 7.x-1.1 para Drupal permite a usuarios remotos no autenticados con el permiso "access administration pages" inyectar script Web o HTML arbitrarios a través de vectores no especificados. • http://www.securityfocus.com/bid/62340 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2014-1611
https://notcve.org/view.php?id=CVE-2014-1611
30 Jan 2014 — Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field. Vulnerabilidad de XSS en el módulo Anonymous Posting 7.x-1.2 y 7.x-1.3 para Drupal permite a atacantes remotos inyectar script Web o HTML arbitrario a través del campo de nombre de contacto. • http://osvdb.org/102126 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 68EXPL: 0CVE-2014-1475 – Debian Security Advisory 2847-1
https://notcve.org/view.php?id=CVE-2014-1475
21 Jan 2014 — The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. El módulo OpenID en Drupal v6.x anterior a v6.30 y v7.x anterior a v7.26 permite a usuarios OpenID remotos autenticarse como otros usuarios a través de vectores no especificados. The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors. The Taxonomy module in Drupal 7.x befor... • http://secunia.com/advisories/56260 •
CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2014-1476 – Debian Security Advisory 2847-1
https://notcve.org/view.php?id=CVE-2014-1476
21 Jan 2014 — The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page. El módulo Taxonomy en Drupal 7.x anteriores a 7.26, cuando es actualizado desde una versión anterior de Drupal, no restringe correctamente el acceso a contenido no publicado, lo cual permite a usuarios no autenticados obtener información sensible a través de una pág... • http://secunia.com/advisories/56260 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 39EXPL: 0CVE-2013-4445
https://notcve.org/view.php?id=CVE-2013-4445
07 Dec 2013 — The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access. La funcionalidad de renderización de json en el módulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para Drupal utiliza el esquema de tokens de Drupal para re... • http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 1%CPEs: 39EXPL: 0CVE-2013-4446
https://notcve.org/view.php?id=CVE-2013-4446
07 Dec 2013 — The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. La función _json_decode en plugins/context_reaction_block.inc en el módulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para... • http://drupalcode.org/project/context.git/commitdiff/63ef4d9 • CWE-94: Improper Control of Generation of Code ('Code Injection') •