CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2008-3221
https://notcve.org/view.php?id=CVE-2008-3221
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities. Vulnerabilidad de Falsificación de petición en sitios cruzados (CSRF) en versiones de Drupal 6.X anteriores a 6.3 permite a atacantes remotos realizar acciones administrativas a través de vectores que impliquen la supresión de identidades OpenID. • http://drupal.org/node/280571 http://secunia.com/advisories/31079 http://www.openwall.com/lists/oss-security/2008/07/10/3 http://www.securityfocus.com/bid/30168 https://bugzilla.redhat.com/show_bug.cgi?id=454849 https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00016.html https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00527.html https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00551.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2008-3222
https://notcve.org/view.php?id=CVE-2008-3222
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors. Una vulnerabilidad de fijación de sesión en Drupal versiones 5.x anteriores a 5.9 y versiones 6.x anteriores a 6.3, cuando los módulos aportados "terminate the current request during a login event", permite a los atacantes remotos secuestrar sesiones web por medio de vectores desconocidos. • http://drupal.org/node/280571 http://drupal.org/node/286417 http://secunia.com/advisories/31079 http://secunia.com/advisories/31211 http://www.openwall.com/lists/oss-security/2008/07/10/3 http://www.securityfocus.com/bid/30168 http://www.securityfocus.com/bid/30359 https://bugzilla.redhat.com/show_bug.cgi?id=454849 https://exchange.xforce.ibmcloud.com/vulnerabilities/43706 https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00016.html https://www.red • CWE-384: Session Fixation •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2008-2771
https://notcve.org/view.php?id=CVE-2008-2771
The Node Hierarchy module 5.x before 5.x-1.1 and 6.x before 6.x-1.0 for Drupal does not properly implement access checks, which allows remote attackers with "access content" permissions to bypass restrictions and modify the node hierarchy via unspecified attack vectors. El módulo Node Hierarchy 5.x anterior a 5.x-1.1 y 6.x anteriores a 6.x-1.0 para Drupal no implementa adecuadamente los controles de acceso, lo que permite a atacantes remotos con permiso de "acceso al contenido", evitar las restricciones y modificar la jerarquía a través de vectores de ataque indeterminados. • http://drupal.org/node/269473 http://secunia.com/advisories/30622 http://www.securityfocus.com/bid/29675 https://exchange.xforce.ibmcloud.com/vulnerabilities/43006 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2008-1792
https://notcve.org/view.php?id=CVE-2008-1792
Cross-site scripting (XSS) vulnerability in the insertion filter in the Flickr Drupal module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-alpha allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la insercción de filtros del módulo Flickr Drupal 5.x versiones anteriores a 5.x-1.3 y 6.x versiones anteriores a 6.x-1.0-alpha permite a atacantes remotos inyectar web script o HTML de su elección a través de vectores no especificados. • http://drupal.org/node/241939 http://secunia.com/advisories/29658 http://www.securityfocus.com/bid/28594 http://www.vupen.com/english/advisories/2008/1082/references https://exchange.xforce.ibmcloud.com/vulnerabilities/41603 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2008-1729
https://notcve.org/view.php?id=CVE-2008-1729
The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the "access content" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types. El menú de sistema en Drupal 6 anterior a 6.2 tiene configuraciones de menu incorrectas, que permiten a atacantes remotos (1) editar las páginas de perfil de usuarios a su elección, y obtener información sensible del (2) rastreador y (3) páginas de blog, relacionados con falta de comprobaciones de los permisos de "acceso a contenidos"; y (4) permite autenticación de usuarios remotos, con acceso a página de administración, para editar tipos de contenidos. • http://drupal.org/node/244637 http://secunia.com/advisories/29762 http://www.osvdb.org/44270 http://www.securityfocus.com/bid/28714 http://www.vupen.com/english/advisories/2008/1185/references https://exchange.xforce.ibmcloud.com/vulnerabilities/41755 •