CVSS: 7.5EPSS: 0%CPEs: 39EXPL: 0CVE-2015-7875
https://notcve.org/view.php?id=CVE-2015-7875
ctools 6.x-1.x before 6.x-1.14 and 7.x-1.x before 7.x-1.8 in Drupal does not verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content and functionality on a page. ctools 6.x-1.x en versiones anteriores a la 6.x-1.14 y 7.x-1.x en versiones anteriores a la 7.x-1.8 en Drupal no verifica el permiso "edit" para los plugins "content type" que se utilizan en Panels y sistemas similares para colocar contenido y funcionalidades en una página. • http://www.openwall.com/lists/oss-security/2015/10/21/2 http://www.securityfocus.com/bid/76441 https://www.drupal.org/node/2554145 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 78EXPL: 0CVE-2015-6665
https://notcve.org/view.php?id=CVE-2015-6665
Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag. Vulnerabilidad de XSS en el manejador Ajax en Drupal 7.x en versiones anteriores a la 7.39 y el módulo Ctools 6.x-1.x en versiones anteriores a 6.x-1.14 para Drupal, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores implicando un elemento HTML en la lista blanca, posiblemente relacionado con la etiqueta 'a'. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165674.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165695.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.html http://lists.fedoraproject& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 8EXPL: 0CVE-2015-4398
https://notcve.org/view.php?id=CVE-2015-4398
Open redirect vulnerability in the Chaos tool suite (ctools) module before 6.x-1.12 and 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors involving processing confirmation delete pages. Vulnerabilidad de redirección abierta en el módulo Chaos tool suite (ctools) anterior a 6.x-1.12 y 7.x-1.x anterior a 7.x-1.7 para Drupal permite a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a través de vectores no especificados que involucra las páginas de la eliminación de de confirmaciones en proceso. • http://www.openwall.com/lists/oss-security/2015/03/22/35 http://www.openwall.com/lists/oss-security/2015/04/25/6 http://www.securityfocus.com/bid/73224 https://www.drupal.org/node/2454883 https://www.drupal.org/node/2454885 https://www.drupal.org/node/2454909 •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2015-4375
https://notcve.org/view.php?id=CVE-2015-4375
The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity. El módulo Chaos tool suite (ctools) 7.x-1.x anterior a 7.x-1.7 para Drupal permite a atacantes remotos obtener títulos de nodos a través (1) de una búsqueda de autocompletado en entidades personalizadas sin indicador de consulta de acceso o (2) del aprovechamiento de conocimiento de un identificador de una entidad. • http://www.openwall.com/lists/oss-security/2015/03/22/35 http://www.openwall.com/lists/oss-security/2015/04/25/6 https://www.drupal.org/node/2454883 https://www.drupal.org/node/2454909 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.5EPSS: 0%CPEs: 11EXPL: 0CVE-2013-1925
https://notcve.org/view.php?id=CVE-2013-1925
The Chaos Tool Suite (ctools) module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict node access, which allows remote authenticated users with the "access content" permission to read restricted node titles via an autocomplete list. El módulo Chaos Tool Suite (ctools) 7.x-1.x anterior a 7.x-1.3 para Drupal no restringe adecuadamente el acceso a los nodos, lo que permite a usuarios autenticados remotamente con permisos de "acceso al contenido" la lectura de nodos restringidos a través de una lista que se autocompleta. • http://osvdb.org/91986 http://packetstormsecurity.com/files/121072/Drupal-Chaos-Tool-Suite-7.x-Access-Bypass.html http://seclists.org/fulldisclosure/2013/Apr/8 https://drupal.org/node/1960406 https://drupal.org/node/1960424 https://exchange.xforce.ibmcloud.com/vulnerabilities/83254 • CWE-264: Permissions, Privileges, and Access Controls •