CVSS: 8.1EPSS: 0%CPEs: 107EXPL: 0CVE-2016-3169
https://notcve.org/view.php?id=CVE-2016-3169
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array. El módulo User en Drupal 6.x en versiones anteriores a 6.38 y 7.x en versiones anteriores a 7.43 permite a atacantes remotos obtener privilegios aprovechando código contribuido o personalizado que llama a la función user_save con una categoría explícita y carga todos los roles en el array. • http://www.debian.org/security/2016/dsa-3498 http://www.openwall.com/lists/oss-security/2016/02/24/19 http://www.openwall.com/lists/oss-security/2016/03/15/10 https://www.drupal.org/SA-CORE-2016-001 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 26EXPL: 0CVE-2015-8095
https://notcve.org/view.php?id=CVE-2015-8095
The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern. La funcionalidad recycle bin en el módulo Monster Menus 7.x-1.21 en versiones anteriores a 7.x-1.24 para Drupal no elimina correctamente los nodos de la vista, lo que permite a atacantes remotos obtener información sensible a través de un patrón URL no especificado. • https://www.drupal.org/node/2608382 https://www.drupal.org/node/2608414 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 99EXPL: 0CVE-2015-6658
https://notcve.org/view.php?id=CVE-2015-6658
Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files. Vulnerabilidad de XSS en el sistema Autocomplete en Drupal 6.x en versiones anteriores a 6.37 y 7.x en versiones anteriores a 7.39, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una URL manipulada, relacionado con la carga de archivos. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165733.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165840.html http://www.debian.org&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 53EXPL: 0CVE-2015-6659
https://notcve.org/view.php?id=CVE-2015-6659
SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment. Vulnerabilidad de inyección SQL en el sistema de filtrado de comentarios en la API Database en Drupal 7.x en versiones anteriores a 7.39, permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de un comentario SQL. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165733.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165840.html http://www.debian.org&# • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 99EXPL: 0CVE-2015-6660
https://notcve.org/view.php?id=CVE-2015-6660
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks." Vulnerabilidad en la API Form en Drupal 6.x en versiones anteriores a 6.37 y 7.x en versiones anteriores a 7.39, no valida correctamente el token form, lo cual permite a atacantes remotos realizar ataques CSRF que cargan archivos en diferentes cuentas de usuario a través de vectores relacionados con 'valores devueltos en la carga de archivo'. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165733.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165840.html http://www.debian.org&# • CWE-352: Cross-Site Request Forgery (CSRF) •