CVSS: 8.8EPSS: 4%CPEs: 78EXPL: 0CVE-2013-6385 – Debian Security Advisory 2828-1
https://notcve.org/view.php?id=CVE-2013-6385
27 Nov 2013 — The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. La API de formularios en Drupal 6.x anteriores a 6.29 y 7.x anteriores a 7.24, cuando es utilizada con módulos no especificados de terceros, ejecuta validación del formulario incluso cuando la valida... • http://secunia.com/advisories/56148 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 78EXPL: 0CVE-2013-6386 – Debian Security Advisory 2828-1
https://notcve.org/view.php?id=CVE-2013-6386
27 Nov 2013 — Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. Drupal 6.x anteriores a 6.29 y 7.x anteriores a 7.24 utilizan la función de PHP mt_rand para generar números aleatorios, la cual usa semillas predecibles y permite a atacantes remotos predecir cadenas de seguridad y sortear restricciones intencionadas a través de ata... • http://secunia.com/advisories/56148 • CWE-310: Cryptographic Issues •
CVSS: 5.4EPSS: 0%CPEs: 40EXPL: 0CVE-2013-6387 – Mandriva Linux Security Advisory 2013-287-1
https://notcve.org/view.php?id=CVE-2013-6387
27 Nov 2013 — Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field. Vulnerabilidad de cross-site scripting (XSS) en el módulo Image en Drupal 7.x anteriores a 7.24 permite a usuarios autenticados remotamente con ciertos permisos inyectar scripts web o HTML arbitrarios a través del campo de descripción. Drupal core's Image module allows for the on-demand generation o... • http://www.debian.org/security/2013/dsa-2804 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 40EXPL: 0CVE-2013-6388 – Mandriva Linux Security Advisory 2013-287-1
https://notcve.org/view.php?id=CVE-2013-6388
27 Nov 2013 — Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS. Vulnerabilidad de cross-site scripting (XSS) en el módulo Color en Drupal 7.x anteriores a 7.24 permite a atacantes remotos inyectar scripts web o HTML arbitrarios a través de vectores relacionados con CSS. Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requestin... • http://www.debian.org/security/2013/dsa-2804 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 40EXPL: 0CVE-2013-6389 – Mandriva Linux Security Advisory 2013-287-1
https://notcve.org/view.php?id=CVE-2013-6389
27 Nov 2013 — Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Vulnerabilidad de redirección abierta en el módulo Overlay de Drupal 7.x anterior a la versión 7.24 permite a atacantes remotos redirigir a usuarios hacia sitios web arbitrarios y llevar a cabo ataques de phishing a través de vectores no especificados. Drupal core's Image module allows for the on-demand generation o... • http://www.debian.org/security/2013/dsa-2804 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 27EXPL: 0CVE-2012-0827
https://notcve.org/view.php?id=CVE-2012-0827
28 Oct 2013 — The File module in Drupal 7.x before 7.11, when using unspecified field access modules, allows remote authenticated users to read arbitrary private files that are associated with restricted fields via unspecified vectors. El módulo de archivos en Drupal 7.x antes de 7.11, al utilizar campos de acceso no especificados a los modulos, permitiendo a usuarios remotos autenticados leer archivos privados arbitrarios que se asocian con campos restringidos a través de vectores no especificados. • https://drupal.org/node/1425084 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 72EXPL: 0CVE-2013-0244 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2013-0244
11 Oct 2013 — Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. Cross-site scripting (XSS) en Drupal 6.x anterior a 6.28 y 7.x anterior a 7.19, cuando se ejecuta con versiones anteriores de jQuery que son vulnerables a CVE-2011-4969, que permite a ata... • http://osvdb.org/89306 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 54EXPL: 0CVE-2012-0825 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-0825
11 Oct 2013 — Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. Drupal 6.x anterior a la versión 6.23 y 7.x anterior a 7.11 no verifica que la información Attribute Exchange (AX) se firme, lo que permite a atacantes remotos modificar información AX potencialmente sensible sin la detección a través de ataques man-in-the-middle (MI... • http://openid.net/2011/05/05/attribute-exchange-security-alert • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 59EXPL: 0CVE-2012-0826 – Debian Security Advisory 2776-1
https://notcve.org/view.php?id=CVE-2012-0826
11 Oct 2013 — Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors. Vulnerabilidad de Cross-site request forgery (CSRF) en el modulo Aggregator en Drupal 6.x anterior a 6.23 y 7.x anterior a 7.11 permite a atacantes remotos secuestrar la autenticación de... • http://www.debian.org/security/2013/dsa-2776 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 20EXPL: 0CVE-2013-4384
https://notcve.org/view.php?id=CVE-2013-4384
09 Oct 2013 — Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google API. Vulnerabilidad de XSS en el módulo Google Site Search 6.x-1.x anterior a la versión 6.x-1.4 y 7.x-1.x anterior a 7.x-1.10 para Drupal permite a atacantes remotos inyectar script web arbitrario o HTML, provocando que datos diseñados sean devueltos por la API d... • http://osvdb.org/97503 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •