CVSS: 4.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

Cross-site scripting (XSS) vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to user registration.
• http://drupal.org/node/1585648 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.securityfocus.com/bid/53589 https://exchange.xforce.ibmcloud.com/vulnerabilities/75716
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.8 • EPSS: 3% • CPEs: 9 • EXPL: 1

The Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal does not properly exit when users do not have access to package/task nodes, which allows remote attackers to bypass intended access restrictions and edit unauthorized nodes.
• http://community.aegirproject.org/1.9 http://drupal.org/node/1585658 http://drupal.org/node/1585678 http://drupalcode.org/project/hostmaster.git/commitdiff/8a61101 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.securityfocus.com/bid/53588 https://exchange.xforce.ibmcloud.com/vulnerabilities/75715
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

Open redirect vulnerability in the Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when synchronizing user data, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
• http://drupal.org/node/1632702 http://drupal.org/node/1632704 http://drupal.org/node/1632734 http://secunia.com/advisories/49480 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82958 http://www.securityfocus.com/bid/53992 https://exchange.xforce.ibmcloud.com/vulnerabilities/76292
• CWE-20: Improper Input Validation

CVSS: 4.3 • EPSS: 1% • CPEs: 9 • EXPL: 2

The node selection interface in the WYSIWYG editor (CKEditor) in the Node Embed module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.0 for Drupal does not properly check permissions, which allows remote attackers to bypass intended access restrictions and read node titles.
• http://drupal.org/node/1618428 http://drupal.org/node/1618430 http://drupal.org/node/1619824 http://drupalcode.org/project/node_embed.git/commitdiff/7a2296c http://drupalcode.org/project/node_embed.git/commitdiff/d06f022 http://secunia.com/advisories/48348 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82735 http://www.securityfocus.com/bid/53835 https://exchange.xforce.ibmcloud.com/vulnerabilities/76148
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 2.6 • EPSS: 0% • CPEs: 14 • EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.1 for Drupal, when supporting manual entry of field identifiers, allow remote attackers to inject arbitrary web script or HTML via vectors related to thrown exceptions and logging errors.
• http://drupal.org/node/1596524 http://drupal.org/node/1597364 http://drupalcode.org/project/search_api.git/commitdiff/5a18c8c http://secunia.com/advisories/49236 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.osvdb.org/82230 http://www.securityfocus.com/bid/53672 https://exchange.xforce.ibmcloud.com/vulnerabilities/75868
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')