CVSS: 9.8EPSS: 94%CPEs: 2EXPL: 24CVE-2014-3704 – Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)
https://notcve.org/view.php?id=CVE-2014-3704
16 Oct 2014 — The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys. La función expandArguments en la API de la base de datos de abstracción para Drupal core 7.x anterior a 7.32 no construye correctamente las declaraciones, lo que permite a atacantes remotos inducir a ataques de inyección SQL a través de un array que contiene claves mani... • https://packetstorm.news/files/id/128720 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 88EXPL: 0CVE-2014-5267
https://notcve.org/view.php?id=CVE-2014-5267
30 Sep 2014 — modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document. modules/openid/xrds.inc en Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31 permite a atacantes remotos tener un impacto no especificado a través de una declaración DOCTYPE manipulada en un documento XRDS. • http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 7%CPEs: 122EXPL: 0CVE-2014-5265 – WordPress Core < 3.9.2 - Denial of Service via XML
https://notcve.org/view.php?id=CVE-2014-5265
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. La librería Incutio XML-RPC (IXR), utilizada en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.... • http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 77%CPEs: 122EXPL: 2CVE-2014-5266 – WordPress Core < 3.9.2 - Denial of Service via XML #2
https://notcve.org/view.php?id=CVE-2014-5266
06 Aug 2014 — The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. La libraría Incutio XML-RPC (IXR) , utilizado en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31, no limita el número de elementos en un documento XML, lo que per... • https://packetstorm.news/files/id/180506 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 86EXPL: 0CVE-2014-5019 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5019
22 Jul 2014 — The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use. La funcionalidad múltisitios en Drupal 6.x anterior a 6.32 y 7.x anterior a 7.29 permite a atacantes remotos causar una denegación de servicio a través de una cabecera HTTP Host manipulada, relacionado con determinar qué fichero de configuración utilizar. Updated drupal packages fix multiple security v... • http://www.debian.org/security/2014/dsa-2983 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 45EXPL: 0CVE-2014-5020 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5020
22 Jul 2014 — The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field. El módulo File en Drupal 7.x anterior a 7.29 no comprueba debidamente los permisos para ver ficheros, lo que permite a usuarios remotos autenticados con ciertos permisos evadir las restricciones y leer ficheros al adjuntar el fichero al contenido con un c... • http://www.debian.org/security/2014/dsa-2983 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 0%CPEs: 86EXPL: 0CVE-2014-5021 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5021
22 Jul 2014 — Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label. Vulnerabilidad de XSS en la API Form en Drupal 6.x anterior a 6.32 y posiblemente 7.x anterior a 7.29 permite a usuarios remotos autenticados con el permiso 'administrar taxonomía' inyectar secuencias de comandos web o HTML arbitrarios a través de una etique... • http://www.debian.org/security/2014/dsa-2983 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 45EXPL: 0CVE-2014-5022 – Mandriva Linux Security Advisory 2015-181
https://notcve.org/view.php?id=CVE-2014-5022
22 Jul 2014 — Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field. Vulnerabilidad de XSS en el sistema Ajax en Drupal 7.x anterior a 7.29 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores involucrando formas con un campo de texto habilitado por Ajax y un campo de fichero. Updated drupal packages fi... • http://www.debian.org/security/2014/dsa-2983 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2014-2983 – Debian Security Advisory 2913-1
https://notcve.org/view.php?id=CVE-2014-2983
23 Apr 2014 — Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors. Drupal 6.x anterior a 6.31 y 7.x anterior a 7.27 no aísla debidamente los datos en caché de usuarios anónimos diferentes, lo que permite a usuarios remotos anónimos obtener información sensible de entradas de formularios parciales en situaciones oportunista... • http://www.debian.org/security/2014/dsa-2913 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 5%CPEs: 6EXPL: 1CVE-2005-2106 – Drupal 4.5.3 < 4.6.1 - Comments PHP Injection
https://notcve.org/view.php?id=CVE-2005-2106
01 Jul 2005 — Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting. • https://www.exploit-db.com/exploits/1088 •