CVE-2012-2707
https://notcve.org/view.php?id=CVE-2012-2707
The Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal does not properly exit when users do not have access to package/task nodes, which allows remote attackers to bypass intended access restrictions and edit unauthorized nodes. El módulo Hostmaster (Aegir) v6.x-1.x anterior a v6.x-1.9 para Drupal no se cierra de forma adecuada cuando los usuarios no han accedido a nodos paquete/tarea (package/task), lo que permite a atacantes remotos evitar las restricciones de acceso impuesto y modificar nodos no autorizados. • http://community.aegirproject.org/1.9 http://drupal.org/node/1585658 http://drupal.org/node/1585678 http://drupalcode.org/project/hostmaster.git/commitdiff/8a61101 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.securityfocus.com/bid/53588 https://exchange.xforce.ibmcloud.com/vulnerabilities/75715 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-2708
https://notcve.org/view.php?id=CVE-2012-2708
Cross-site scripting (XSS) vulnerability in the _hosting_task_log_table function in modules/hosting/task/hosting_task.module in the Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a Drush log message in a provision task log. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la función modules/hosting/task/hosting_task.module en el Hostmaster (Aegir) módulo v6.x-1.x anterior a v6.x-1.9 para Drupal permite a usuarios remotos autenticados con cierta permisos para inyectar secuencias de comandos web o HTML a través de un mensaje de registro Drush en un registro de tareas de provisión • http://community.aegirproject.org/1.9 http://drupal.org/node/1585658 http://drupal.org/node/1585678 http://drupalcode.org/project/hostmaster.git/commitdiff/9476561 http://www.openwall.com/lists/oss-security/2012/06/14/3 http://www.securityfocus.com/bid/53588 https://exchange.xforce.ibmcloud.com/vulnerabilities/75714 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •