6 results (0.003 seconds)

CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0

The entity_access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions and read unpublished comments via unspecified vectors. La API entity_access en el módulo Entity API, en versiones 7.x-1.x anteriores a la 7.x-1.3 para Drupal, podría permitir que usuarios autenticados remotos omitan las restricciones de acceso planeadas y lean comentarios no publicados mediante vectores sin especificar. • http://lists.fedoraproject.org/pipermail/package-announce/2014-January/126811.html http://lists.fedoraproject.org/pipermail/package-announce/2014-January/126816.html http://www.openwall.com/lists/oss-security/2014/01/09/3 http://www.securityfocus.com/bid/64729 https://bugzilla.redhat.com/show_bug.cgi?id=1050802 https://exchange.xforce.ibmcloud.com/vulnerabilities/90396 https://www.drupal.org/node/2169595 • CWE-284: Improper Access Control •

CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on referenced entities via unspecified vectors. La API de acceso al contenedor de entidad en el módulo Entity API, en versiones 7.x-1.x anteriores a la 7.x-1.3 para Drupal, podría permitir que usuarios autenticados remotos omitan las restricciones de acceso planeadas en las entidades referenciadas mediante vectores sin especificar. • http://lists.fedoraproject.org/pipermail/package-announce/2014-January/126811.html http://lists.fedoraproject.org/pipermail/package-announce/2014-January/126816.html http://www.openwall.com/lists/oss-security/2014/01/09/3 http://www.securityfocus.com/bid/64729 https://bugzilla.redhat.com/show_bug.cgi?id=1050802 https://exchange.xforce.ibmcloud.com/vulnerabilities/90216 https://www.drupal.org/node/2169595 • CWE-284: Improper Access Control •

CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statistics properties via unspecified vectors. La API de acceso al contenedor de entidad en el módulo Entity API, en versiones 7.x-1.x anteriores a la 7.x-1.3 para Drupal, podría permitir que usuarios autenticados remotos omitan las restricciones de acceso planeadas en las propiedades comment, user y node statistics mediante vectores sin especificar. • http://lists.fedoraproject.org/pipermail/package-announce/2014-January/126811.html http://lists.fedoraproject.org/pipermail/package-announce/2014-January/126816.html http://www.openwall.com/lists/oss-security/2014/01/09/3 http://www.securityfocus.com/bid/64729 https://bugzilla.redhat.com/show_bug.cgi?id=1050802 https://exchange.xforce.ibmcloud.com/vulnerabilities/90215 https://www.drupal.org/node/2169595 • CWE-284: Improper Access Control •

CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in the Entity API module before 7.x-1.6 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a field label in the Token API. Vulnerabilidad de XSS en el módulo Entity API anterior a 7.x-1.6 para Drupal permite a usuarios remotos autenticados inyectar secuencias de comandos web arbitrarios o HTML a través de una etiqueta de campo en la API Token. • http://www.securityfocus.com/bid/72806 https://www.drupal.org/node/2437885 https://www.drupal.org/node/2437905 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 16EXPL: 0

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the (a) Views field or (b) area plugins, allows remote attackers to read restricted entities via the (1) field, (2) header, or (3) footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher organizations. El módulo Entity API 7.x-1.x anterior a 7.x-1.2 para Drupal, cuando utilice (a) el campo Views o (b) los plugins de área, permite a atacantes remotos leer entidades restringidos a través de (1) el campo, (2) la cabecera o (3) el pie de un View. NOTA: este identificador fue dividido (SPLIT) del CVE-2013-4273 por ADT5 debido a organizaciones diferentes de investigadores. • http://www.openwall.com/lists/oss-security/2013/08/22/2 https://drupal.org/node/2065197 https://drupal.org/node/2065207 • CWE-264: Permissions, Privileges, and Access Controls •