CVSS: 8.1EPSS: 0%CPEs: 107EXPL: 0CVE-2016-3169
https://notcve.org/view.php?id=CVE-2016-3169
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array. El módulo User en Drupal 6.x en versiones anteriores a 6.38 y 7.x en versiones anteriores a 7.43 permite a atacantes remotos obtener privilegios aprovechando código contribuido o personalizado que llama a la función user_save con una categoría explícita y carga todos los roles en el array. • http://www.debian.org/security/2016/dsa-3498 http://www.openwall.com/lists/oss-security/2016/02/24/19 http://www.openwall.com/lists/oss-security/2016/03/15/10 https://www.drupal.org/SA-CORE-2016-001 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 26EXPL: 0CVE-2015-8095
https://notcve.org/view.php?id=CVE-2015-8095
The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern. La funcionalidad recycle bin en el módulo Monster Menus 7.x-1.21 en versiones anteriores a 7.x-1.24 para Drupal no elimina correctamente los nodos de la vista, lo que permite a atacantes remotos obtener información sensible a través de un patrón URL no especificado. • https://www.drupal.org/node/2608382 https://www.drupal.org/node/2608414 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2015-7876
https://notcve.org/view.php?id=CVE-2015-7876
The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands via vectors involving a module using the db_like function. La función escapeLike en sqlsrv/database.inc en el controlador de Drupal 7 para SQL Server y SQL Azure 7.x-1.x en versiones anteriores a 7.x-1.4 no escapa adecuadamente ciertos carácteres, lo que permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores que implican un módulo que usa la función db_like. • http://cgit.drupalcode.org/sqlsrv/commit/?id=2ea0da8 https://www.drupal.org/node/2569003 https://www.drupal.org/node/2569005 https://www.drupal.org/node/2569577 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 99EXPL: 0CVE-2015-6658
https://notcve.org/view.php?id=CVE-2015-6658
Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files. Vulnerabilidad de XSS en el sistema Autocomplete en Drupal 6.x en versiones anteriores a 6.37 y 7.x en versiones anteriores a 7.39, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipulada, relacionado con la carga de archivos. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165733.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165840.html http://www.debian.org&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 53EXPL: 0CVE-2015-6659
https://notcve.org/view.php?id=CVE-2015-6659
SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment. Vulnerabilidad de inyección SQL en el sistema de filtrado de comentarios en la API Database en Drupal 7.x en versiones anteriores a 7.39, permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de un comentario SQL. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165733.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165840.html http://www.debian.org&# • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •