CVE-2012-1641
https://notcve.org/view.php?id=CVE-2012-1641
The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finder/import.
References:
• http://drupal.org/node/1432318
• http://drupal.org/node/1432320
• http://drupalcode.org/project/finder.git/commit/bc0cc82
• http://secunia.com/advisories/47915
• http://secunia.com/advisories/47943
• http://www.madirish.net/content/drupal-finder-6x-19-xss-and-remote-code-execution-vulnerabilities
• http://www.openwall.com/lists/oss-security/2012/03/16/9
• http://www.openwall.com/lists/oss-security/2012/03/19/9
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http:/
CWE-264: Permissions, Privileges, and Access Controls
CVE-2012-1644
https://notcve.org/view.php?id=CVE-2012-1644
The Organic Groups (OG) Vocabulary module 6.x-1.x before 6.x-1.2 for Drupal allows remote authenticated users with certain administrator permissions to modify the vocabularies of other groups via unspecified vectors.
References:
• http://drupal.org/node/1441086
• http://drupalcode.org/project/og_vocab.git/commitdiff/cd8de08
• http://secunia.com/advisories/48020
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.osvdb.org/79336
• https://drupal.org/node/1441450
• https://exchange.xforce.ibmcloud.com/vulnerabilities/53902
CWE-264: Permissions, Privileges, and Access Controls
CVE-2012-1647
https://notcve.org/view.php?id=CVE-2012-1647
Multiple cross-site scripting (XSS) vulnerabilities in the "stand alone PHP application for the OSM Player," as used in the MediaFront module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal, allow remote attackers to inject arbitrary web script or HTML via (1) $_SERVER['HTTP_HOST'] or (2) $_SERVER['SCRIPT_NAME'] to players/osmplayer/player/OSMPlayer.php, (3) playlist parameter to players/osmplayer/player/getplaylist.php, and possibly other vectors related to $_SESSION.
References:
• http://drupalcode.org/project/mediafront.git/commitdiff/6300750
• http://drupalcode.org/project/mediafront.git/commitdiff/b3857aa
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.osvdb.org/79684
• http://www.securityfocus.com/bid/52229
• https://drupal.org/node/1460892
• https://drupal.org/node/1460894
• https://drupal.org/node/1461424
• https://exchange.xforce.ibmcloud.com/vulnerabilities/73606
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-1643
https://notcve.org/view.php?id=CVE-2012-1643
The Faster Permissions module 7.x-2.x before 7.x-1.2 for Drupal does not check the "administer permissions" permission, which allows remote attackers to modify access permissions via unspecified vectors.
References:
• http://drupal.org/node/1441556
• http://drupalcode.org/project/fp.git/commitdiff/39e7587
• http://secunia.com/advisories/48019
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.osvdb.org/79316
• https://drupal.org/node/1441448
CWE-264: Permissions, Privileges, and Access Controls
CVE-2012-1650
https://notcve.org/view.php?id=CVE-2012-1650
The ZipCart module 6.x before 6.x-1.4 for Drupal checks the "access content" permission instead of the "access ZipCart downloads" permission when building archives, which allows remote authenticated users with access content permission to bypass intended access restrictions.
References:
• http://drupalcode.org/project/zipcart.git/commitdiff/fe143c2
• http://www.openwall.com/lists/oss-security/2012/04/07/1
• http://www.osvdb.org/79766
• http://www.securityfocus.com/bid/52231
• https://drupal.org/node/1460892
• https://drupal.org/node/1461446
• https://exchange.xforce.ibmcloud.com/vulnerabilities/73609
CWE-264: Permissions, Privileges, and Access Controls